Data Protection, Privacy and Confidentiality


Your Health Information and How We Use It

Patient Data Management

We collect, hold and process data about our patients for the purpose of providing you with safe and effective healthcare.

We are responsible for keeping your sensitive and personal data up-to-date, accurate and secure.

We use secure NHSE IT networks and systems that are password protected to manage patient data.

We use encrypted and password protected NHS.net for all email communications.

Patient medical records are kept digitally on a secure clinical IT system. Older paper records are either kept in a locked cupboard on site or at an NHS approved archive facility offsite. 

All of our staff are fully trained on Information Governance (IG) procedures and mandatory training is completed on an annual basis. IG training is included in our induction programme for all new starters and all staff sign a confidentiality agreement.

We only share relevant and necessary information with other health professionals and here are some examples of how we do this:

  • Summary Care Record via a secure web portal allowing other healthcare professionals, e.g. ambulance staff or A&E clinicians, to access key health information to enable them to provide safe and effective immediate care. Please inform a receptionist if you would like more information or would prefer to 'opt out'. You can also decide to 'opt in' to share more detailed data.
  • Local Care Record via a secure electronic data transfer system. This allows GPs and hospitals to have immediate access to necessary and relevant health data. For example, GPs can view requested test results or x-rays without waiting for the hospital to send them to the practice. Please inform a receptionist if you would like more information or would prefer to 'opt out' of this service.
  • Remote consultations at the Extended Primary Care Service via our secure clinical IT system. This allows clinical staff at the Extended Primary Care Service based at Spa Medical to view your medical records when you have an appointment with them. You will be asked to give your consent for them to do this before your appointment starts.
  • Referrals via encrypted nhs.net email or via our secure eReferrals IT system. When you agree to a clinician making a referral you are giving us your consent to do this.
  • National immunisation and screening programmes collect data via secure NHS IT systems to help the NHS and Department of Health plan for population based health and prevention programmes.

Please be aware that there are some circumstances in which we are legally required to break confidentiality without your consent in order to prevent death or serious harm or if there is a risk to the public. However, we will only do this if there is a legal basis and will disclose the minimum information required.

If we receive a request to share your data with other organisations, we will act according to standard protocols. For instance, if a solicitor contacts us on your behalf, they will need to have checked your ID and confirmed to us that they are acting on your behalf with your knowledge and consent. Alternatively, if an insurance company requests information about you, we would need to check with you directly to ensure you are aware of the request and happy for us to share your data.

Your information will only be shared in accordance with your rights under the EU's General Data Protection Regulation 2018 (GDPR), the UK Data Protection Act Law (under review 2018), the Common Law Duty of Confidentiality, the NHS Constitution and in keeping with the NHS Codes of Practices that guide the use of information.

To find out more about how the NHS uses your data for research and planning, and how to set your preferences for whether it can be used or not, go to https://www.nhs.uk/your-nhs-data-matters/

Data Protection Officer & Information Governance Lead – Tilly Wright

Caldicott Guardian – Dr Nancy Kuchemann

For more information please ask at reception for a time to meet with our Practice Manager, Tilly Wright.

Access to Medical Records & Patient Confidentiality

Access to your Medical Records

You are entitled to access data that the practice holds on you.

You can make a request for a copy of your personal data at reception. You can make this request verbally and do not need to give written consent; however, you would need to provide photo ID proof of who you are, e.g. passport or driving licence. We will provide a copy within 28 days of your request. There is no fee for this.

Please note that we do not have to provide multiple copies of personal data or to respond to repeated requests for the same personal data.

You can also view your summary personal data if you have patient online access.

You can also view your full personal data at the practice. Please ask at reception to arrange an appointment to do this.

Non-NHS Forms, Reports & Letters

If a doctor writes a medical report for an outside agency such as an insurance company or solicitors, you are entitled to view the report before it is sent. Please note there is a time limit of 21 days for you to view any reports so please ask at reception for details.

You will need to provide your explicit consent for us to share your confidential data with any other organisation. This consent must be in written form.

When a doctor writes a letter about you, you are entitled to a copy; please discuss with the doctor or ask at reception for details.

Please note that we charge a fee for all non-NHS contracted work such as writing medical reports. Please ask at reception for details of the range of fees. We accept cash or cheques only and all fees must be paid in advance of the work being completed.

NHS Summary Care Records

As part of a mandatory, national programme, GP Practices have to make a Summary Care Record (SCR) for every patient. The SCR allows other healthcare professionals such as ambulance staff or A&E staff to see key medical information about you to enable them to provide safe and effective care. The SCR contains:

  • Current medications
  • Allergies and any bad reactions in the past to medications
  • Name, address and NHS number

Patients have the option to 'opt out' of the SCR. Please let a receptionist know if you would like to 'opt out'.

Patients also have the option to 'opt in' to sharing more detailed information on the SCR. The enriched detail listed below is to better help healthcare professionals provide safe and effective care, particularly for people who may be frail or living with multiple health conditions.

  • Significant medical history (past and present)
  • Reason for medication
  • Anticipatory care information such as managing long term conditions
  • Immunisations
  • End of life care information

Please see the links to further information below.

If you wish to opt out, download and complete the opt out form and return it to the practice, or you can ask at reception.

Information Website

Further information can be found at the NHS Digital website.

Information Leaflets & Opt-Out Form

Transferring Your Electronic Health Record

Your GP practice holds copies of your patient health record electronically and in paper format. Both contain the healthcare information about you that your GP needs including your medical history, medications, allergies, immunisations and vaccinations.

If you have previously registered with a different GP in England, upon registering at this practice your electronic health record will, where possible, be transferred automatically from your previous practice through the use of an NHS system called GP2GP.

For further information please download this information leaflet.