Your Health Information and How We Use It

Patient Data Management

We collect, hold and process data about our patients for the purpose of providing you with safe and effective healthcare.

We are responsible for keeping your sensitive and personal data up to date, accurate and secure.

We use secure NHS England (NHSE) Information Technology (IT) networks and systems that are password protected to manage patient data.

We use encrypted and password protected for all email communications.

Patient medical records are kept digitally on a secure clinical IT system. Older paper records are either kept in a locked cupboard on site or at an NHS approved archive facility offsite.

All of our staff are fully trained on Information Governance (IG) procedures and mandatory training is completed on an annual basis. IG training is included in our induction programme for all new starters and all staff sign a confidentiality agreement.

We only share relevant and necessary information with other health professionals and here are some examples of how we do this:

  • Summary Care Record via a secure web portal allowing other healthcare professionals. For example ambulance staff or Accident and Emergency (A&E) clinicians to access  key health information to enable them to provide safe and effective immediate care. Please inform a receptionist if you would like more information or would prefer to ‘opt out’. You can also decide to ‘opt in’ to share more detailed data.
  • Local Care Record via a secure electronic data transfer system. This allows GPs and hospitals to have immediate access to necessary and relevant health data. For example GPs can view requested test results or x-rays without waiting for the hospital to send them to the practice. Please inform a receptionist if you would like more information or would prefer to ‘opt out’ of this service.
  • Remote consultations at the Extended Primary Care Service via our secure clinical IT system. This allows clinical staff at the Extended Primary Care Service based at Spa Medical to view your medical records when you have an appointment with them. You will be asked give your consent for them to do this before your appointment starts.
  • Referrals via encrypted email or via our secure eReferrals IT system. When you agree to a clinician making a referral you are giving us your consent to do this.
  • National immunisation and screening programmes collect data via secure NHS IT systems to help the NHS and Department of Health plan for population based health and prevention programmes.
  • ACR Project for patients with diabetes (and / or other conditions): The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with to enable them to contact you and send you a test kit.  This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from we will continue to manage your care within the Practice. are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at:

Please be aware that there are some circumstances that we are legally required to break confidentiality without your consent in order to prevent death or serious harm or if there is a risk to the public. However, we will only do this if there is a legal basis and will disclose the minimum information required.

If we receive a request to share your data with other organisations we will act according to standard protocols. For instance, if a solicitor contacts us on your behalf, it is they that will need to have checked your ID and confirm to us that they are acting on your behalf with your knowledge and consent. Alternatively, if an insurance company requests information about you we would need to check with you directly to ensure you are aware of the request and happy for us to share your data.

Your information will only be shared in accordance with your rights under the European Union’s General Data Protection Regulation 2018 (GDPR), the UK Data Protection Act Law (under review 2018), the Common Law Duty of Confidentiality, the NHS Constitution and in keeping with the NHS Codes of Practices that guide the use of information.

For the last 10 years, patient data from GP surgeries has been collected (where a patient has not opted out) via a central general practice extraction service, this service is in the process of being replaced by an improved system called General Practice Data for Planning and Research (GPDGR) that is managed by NHS Digital. This practice is supporting vital health and care planning and research by sharing your data with NHS digital. For more information about this service and  advice on how to opt out if you don’t want your data shared see the GP Practice Privacy Notice for General Practice Data for Planning and Research.

To find out more about how the NHS uses your data for research and planning, and how to set your preferences for whether it can be used or not then please see Choose if data from your health records is shared for research and planning.

To find out more information about how the NHS manages and uses patient information then see the Our Healthier South East London (OHSEL) Privacy Notice.

Information Governance Lead

Tilly Wright

Caldicott Guardian

Dr Nancy Kuchemann

For more information please ask at reception for a time to meet with our Practice Manager, Tilly Wright.