Data Protection Regulations

Your Information, Your Rights

Organisation Fair Processing and Privacy Notice

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).

This privacy notice reminds you of your rights in respect of the above legislation and explains how our organisation collects information and how that information may be used and shared.

This notice covers:

  • Who we are, how we use your information and who our Data Protection Officer is
  • What kinds of personal information about you do we process?
  • What are the legal grounds for our processing of your personal information (including when we share it with others)?
  • What should you do if your personal information changes?
  • For how long is your personal information retained by us?
  • What are your rights under data protection laws?

What information do we hold?

The employees and partners of our organisation use electronic and paper records to create and maintain an in-depth history of your medical care at your GP practice and elsewhere, to help ensure you receive the best possible healthcare to address your needs.

We comply with the General Data Protection Regulations (GDPR) in ensuring your personal information is as confidential and secure as possible and is processed fairly and lawfully. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

Records which this organisation holds about you may include the following information:

  • Details about you, such as your address, legal representative and emergency contact details
  • Any contact the surgery has had with you, such as appointments, telephone conversations and letters
  • Notes and reports about your physical (including sexual) and mental health
  • Details about your treatment and medications
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you
  • Reports from social services, such as child protection reports, or police reports if relevant to the care of you or your family
  • Private reports sent, at your request, to other organisations

How is the information collected?

Your information will be collected either electronically using secure NHS Mail or transferred over an NHS encrypted network connection. In addition, physical information will be sent to your GP practice. This information will be processed and retained within your electronic patient record or within your physical medical records.

Why we collect this information

To ensure you receive the best possible care, your records are used to facilitate the treatment you receive. Information held about you may be used to protect the health of the public and to help us manage general healthcare. Information may also be used for clinical audits to monitor the quality of the service provided.

Your information will also be used to identify whether you have a chronic disease, are in an ‘at-risk’ group or have another condition that may necessitate contacting you for a review or an appointment via telephone, SMS messaging, letter or email.


Our organisation is committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 or GDPR (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every member of staff who works for the NHS has a legal obligation to keep information about you confidential. Access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access. Information is not held for longer than is necessary in accordance with the Records Management Code of Practice for Health and Social Care 2016.

All of our staff and contractors receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations), or where the law requires information to be passed on and/or in accordance with the new information sharing principle, i.e. “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Medical student placements

Our organisation is involved in the training of medical students. As part of this programme medical students will work in practice and may be involved in your care. If staff would like a student to be present they will always ask for your permission before the start of the consultation. The treatment or care you receive will not be affected if you refuse to have a student present during your appointment.

It is usual for GPs to discuss patient case histories as part of their continuing medical education or for the purpose of training GPs and/or medical students. In these situations the identity of the patient concerned will not be revealed.

Sharing your data outside the organisation

Information held about you may be used to help protect the health of the public and to help the Department of Health manage the NHS. Some of this information will be extracted and held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

We currently only share information from your records on an individual basis either by letter, telephone, fax or electronically. Your consent will always be obtained to allow doctors, nurses and other health and social care services to see all the information held on your GP records.

The following are examples of the types of organisations that we are likely to share information with:

  • NHS and specialist hospitals, Trusts
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private and Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups and NHS England
  • Social Care Services and Local Authorities
  • Education Services
  • Police, Fire and Rescue Services


The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps build trust and enhance reputation. However, consent is only one potential lawful basis for processing information. Therefore your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.

Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

You have the right to withdraw your consent, in writing, at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

Risk Stratification Tools

Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help reduce the patients’ risk of hospital admission.

Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness.

National Data Extractions

The Health and Social Care Act 2012 allows NHS Digital to collate personal confidential data from organisations without seeking your specific consent. This data is extracted in order to make increased use of information from medical records, and is either used only by the NHS, with the intention of improving healthcare and the quality of care delivered to patients, or may be sold to external companies such as universities or commercial organisations. Please see below if you do not want your data used in this way.

More information about how NHS Digital uses your data can be found at

What if I want to view my records?

You have a right under the Data Protection Act 1998 to access/view information your GP Practice holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. We are very keen for you to have access to help you manage your own health and maintain the quality of the records about your health. With some provisos, we are now able to give most adults access to their records on-line if they wish. If you would like access on-line, please ask your GP Practice Reception Team.

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the Practice as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up to date.


The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioner’s Office website

The practice is registered with the Information Commissioner’s Office (ICO) as a data controller under the Data Protection Act 1998. The registration number is Z6227360 and can be viewed online in the public register at


If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact your GP practice.

Should you have any concerns about how your information is managed by our organisation, please contact your GP Practice in the first instance. If you are still unhappy following a review by the GP Practice, you have a right to lodge a complaint with our supervisory authority, the Information Commissioner’s Office (ICO):
Telephone: 0303 123 1113 (local rate) or 01625 545 745

Data Protection Officer

The Practice Data Protection Officer is Sarah Bradshaw. Any queries in regard to Data Protection issues should be addressed to her at:


Postal: c/o Hollybrook Medical Centre
Hollybrook Way
DE23 3TX


It is important to point out that we may amend this Privacy Notice from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Data Protection Officer.
