Privacy Policy

Privacy Notice

This GP practice is registered with the Information Commissioner’s Office as a data controller and our registration number can be found by searching the ICO Register.

We aim to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you. This privacy notice sets out how we will use these records.

Information Which We Will Collect About You

We will collect information which identifies you and which pertains to your physical or mental health or condition, including your:

  • Name, date of birth, contact information and next of kin
  • Medication
  • Gender and ethnicity
  • Allergies
  • Vaccinations
  • Previous illnesses and current health including details of any diagnoses, consultations and investigations
  • Notes made during consultations
  • Correspondence between health professionals such as referrals and discharge letters
  • Results of tests and their interpretation
  • Videotapes, audiotapes and photographs
  • Reports written for third parties such as solicitors and insurance companies

We will collect information directly from you, for example when you register with the practice and attend any appointments. We also receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation, the hospital will send us a letter to let us know what happened. This means your GP medical record is kept up to date when you receive care from other parts of the health service.

Purposes For Which Your Information Will Be Used

All health and social care providers have a legal duty to share under the Health and Social Care (Safety and Quality) Act 2015. This requires health and adult social care bodies to share information with others where this will facilitate care for an individual. It makes it clear that, unless you object, information can be lawfully shared for purposes that are likely to facilitate the provision of health services or adult social care and that are in an individual’s best interests.

This practice routinely shares confidential personal data with other health and social care providers when they are involved in your care or treatment. Sharing information in this way is considered to facilitate care for individuals and we rely on implied consent.

We will ask for your explicit consent before we use information which identifies you for purposes that do not directly contribute to, or support the delivery of your care.

We will respect your decisions to restrict the disclosure or use of information, except in exceptional circumstances.

Direct Care

All the health care professionals who provide you with medical care will maintain a record of your health and any treatment provided. We use relevant information about you, including information about your health, to support the delivery of your care and treatment.

Some components of direct care may be delivered by non-registered and non-regulated health and social care staff, for example a system administrator scanning a report onto our electronic record keeping system.

If you provide us with your mobile phone number, we may use your mobile phone number to send you text messages in relation to appointment reminders, recalls and health campaigns. Please let the practice know if you do not wish to receive text messages from the practice.

Where you have provided us with your email address, with your consent we will use this to send you information relating to your health and the services we provide. If you do not wish to receive communications by email please let us know.

We are always looking to improve the accessibility and availability of our services. If you are seen by a healthcare professional as part of the Extended Access Service, we will share relevant information from your GP record with the healthcare professional who will be seeing you under the Extended Access Service.

We may offer you a remote consultation and use telephone recordings to support these consultations. You will be reminded where call or video recording is in place.

Where appropriate, we will share information about your health needs with the ambulance service and 111 Service. Information will only be shared with your consent or where sharing information is considered to be in your best interests. The information will be used to ensure clinicians have access to required information to help make the best decision about your care needs as a result of a call to 999 or 111.

We undertake medicines management reviews which involve reviewing relevant parts of the GP record and identifying potential changes which should be made to the medicine which has been prescribed to you.

If you require a referral, for example to a specialist or to secondary care, we will share relevant information about you with these organisations. We can do this electronically through our IT systems, secure email or by post.

Where required, we can arrange interpretation and translation services to ensure we meet your language and communication requirements. We use a third party to provide this service who are subject to contractual obligations of security and confidentiality.

The Summary Care Record (SCR) is an electronic record which contains information about the medicines you take, allergies you suffer from and any reactions to medicines you have had. It is held on a national database by NHS England. The SCR may be shared with other healthcare professionals and organisations involved with your care. These professionals and organisations may also be able to update the record in order to ensure you are provided with the best possible care.

Our lawful bases for processing your personal data for these purposes are:

  • The processing is necessary to perform a task in the public interest or for official function
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Vital Interests

There may be situations in which you are unable to provide your consent, for example you become seriously unwell requiring emergency treatment or have an accident requiring emergency treatment. In these situations, if you are unable to give your consent then we may use or share your information in order to protect your vital interests.

National Clinical Audits

We contribute to national clinical audits so that healthcare can be checked and reviewed.

Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.

The results of the checks or audits can show where organisations are doing well and where they need to improve.

The results of the checks or audits are used to recommend improvements to patient care.

The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure – and will be sent to NHS Digital.

We will only share your information for national clinical audits or checking purposes when the law allows.

We participate in the following national clinical audits:

  • National Diabetes Audit

For more information about national clinical audits see the Healthcare Quality Improvements Partnership website or phone 020 7997 7370.

Our lawful bases for processing your personal data for these purposes are:

  • The processing is necessary to perform a task in the public interest or for official function
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage.

These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.

The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at or you can speak to the practice.

Our lawful bases for processing your personal data for these purposes are:

  • The processing is necessary to perform a task in the public interest or for official function
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Operational Support from Clinical Commissioning Groups (CCGs)

We receive certain specialist healthcare related services and administrative related support from the Surrey Heartlands CCGs. This assists us in providing the best possible care for our patients. We have robust data sharing arrangements in place with the CCGs.

The Surrey Heartlands CCGs support our practice in reporting and service development activities to support the delivery of key NHS objectives around:

  • Service redesign
  • Measuring performance and outcomes
  • Reducing health inequalities
  • Achieving efficiency savings
  • Improving patient safety.

National Registries

National Registries have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user. The National Cancer Registration and Analysis Service is an example of this.

Complaints, Data Subject Rights Requests and Other Similar Requests

If you wish to exercise your rights under data protection law, we will process the information to be able to consider the request and provide an appropriate response. If you have instructed an individual or organisation to act on your behalf, we will respond to them providing we have your explicit consent.

In the unlikely event that the practice is subject to legal action or a complaint, we will need to access relevant information in order to investigate and respond. We may also need to share information with our insurance company and solicitors to manage and defend any claims.

Our lawful bases for processing your personal data for these purposes are:

  • The processing is necessary to perform a task in the public interest or for official function
  • The processing is necessary for compliance with a legal obligation
  • The processing is necessary for the establishment, exercise or defence of legal claims
  • The processing is necessary for reasons of substantial public interest
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Recipients Of Your Information

Other Healthcare Organisations

We share information about your health with other organisations who are involved in providing you with health and social care. For example, if you require a referral to secondary care or a community provider, we will send a referral to them with information about you that is relevant to the referral. If you present at or engage with other health or social care services, we may share information with them in order to support your direct care, for example, 111 and ambulance service, A&E and out of hours, NHS trusts and registered and regulated professionals in care homes.

Friends, Family and Carers

We will share relevant information about you with these individuals where you have provided your consent or where they are acting as your attorney, deputy or guardian.

We will retain certain information about these individuals such as their name and contact details so that we can share information about your care, in ways that you have agreed.

Local Authority Safeguarding Team

There may be legal situations in which we have to share your information in order to maintain the safety of the individuals concerned. This includes both adult and child safeguarding and in these situations identifiable information will be shared. There is often a legal requirement to share this information without obtaining consent first.

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.

It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients and allow our practice to receive payment for the services which we deliver.

This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.

More information about NHS Digital and how it uses information can be found at:

Regulatory Bodies

We are legally required to support organisations with regulatory functions such as the CQC and the ICO. Where appropriate, we may share information about you with these organisations to evidence compliance or to report an adverse or unexpected incident.

Public Health

The law requires us to share data for national public health reasons, to prevent the spread of infectious diseases or other diseases which threaten the health of the population.

We will report the relevant information to local health protection teams or Public Health England.

For more information about Public Health England and disease reporting see

Supporting Locally Commissioned Services

Local authorities and CCGs have responsibility for improving the health of the local population. In this regard, in order for the practice to receive payment for our services, we will share relevant information with these organisations using a statutory permission under Section 251 of the NHS Act 2006 or by sharing information that does not identify you.

Third Party Service Providers

In order to deliver the best possible service, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure and that they do not use or share the information other than in accordance with our instructions.

Examples of functions that may be carried out by third parties include companies that provide:

  • IT services and support, including our clinical systems
  • Systems which manage patient facing services (e.g. our website)
  • Data hosting service providers
  • Systems which facilitate appointment bookings, electronic prescription services
  • Document management service
  • Interpretation services

Objecting to Sharing

You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive so please speak to the practice if you have any concerns about the ways in which your information is shared.

Sharing Without Your Consent

There are exceptions to the duty of confidence that may make the use or disclosure of confidential information without consent appropriate. These situations are rare but could include:

  • Sharing your name, address and other demographic information with NHS Digital as this is necessary if you wish to be registered to receive NHS care
  • Sharing required in the public interest or to protect the public in order to prevent and support detection, investigation and punishment of a serious crime or to prevent abuse/serious harm
  • Legal disclosures for example where we have received a court order
  • Where we are required to support organisations with regulatory functions such as the CQC or the ICO

National Data Opt-Out

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. To find out more or to register your choice to opt out, please visit

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

Sharing Partners

We have sharing agreements in place with some organisations where we believe this will facilitate care for our patients or where you have provided your explicit consent. This allows authorised individuals to directly access the electronic records which we hold about you and ensures that those involved in your care, treatment or research study can quickly, easily and securely access the information they need, when they need it.

Where we have sharing agreements in place with other organisations, this is detailed below.

GP Health Partners

Type of Sharing

Full GP Record can be viewed by professionals involved in a patient’s direct care.

Lawful Basis

Legal gateway:

  • NHS Act 2006
  • The Health and Social Care (Safety and Quality) Act 2015 ‘duty to share’

Privacy Law:

  • GDPR Article 6 (1) (e) – The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • GDPR Article 9 (2) (h) – The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Confidentiality Law:

  • Implied consent to share

ICP community ophthalmology

Type of Sharing

Full GP Record can be viewed by professionals involved in a patient’s direct care.

Lawful Basis

Legal gateway:

  • NHS Act 2006
  • The Health and Social Care (Safety and Quality) Act 2015 ‘duty to share’

Privacy Law:

  • GDPR Article 6 (1) (e) – The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • GDPR Article 9 (2) (h) – The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Confidentiality Law:

  • Implied consent to share

SDCCG – Surrey Downs Clinical Commissioning Group

Type of Sharing

Anonymous information is shared to plan and design care services within the locality

Lawful Basis

Non-identifiable data only.

Referral Management – SDCCG (Surrey Downs Clinical Commissioning Group)

Type of Sharing

We may need to share your information with the IFR team for the funding of treatment that is not normally covered in the standard contract.

Lawful Basis

The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this.

Summary Care Records

Type of Sharing

Limited personal identifiable data is shared with the Summary Care Record to help emergency doctors and nurses help you when you contact them while the surgery is closed, or when you visit a healthcare organisation in another part of the country.

Lawful Basis

This is for your direct care and in an emergency – you can opt out of your record being shared.

The Care and Health Information Exchange (CHIE)

Type of Sharing

This is a local combined electronic health record. It brings together information in your health records from different parts of the NHS to assist with your direct care – you may opt out of having your information shared on this system.

Lawful Basis

This service is for your direct care.

Other GP practices within SDCCG (Surrey Downs Clinical Commissioning Group) in relation to the GP Extended Access Service (GPEA)

Type of Sharing

We will enable other GPs and staff in other GP practices to have access to your medical record to allow you to receive acute medical care within that service.

Lawful Basis

This service is for your direct care and is fully consented; permission to share your medical record will be gained prior to an appointment being made in the service and again once you are in the consultation.

CSH – Central Surrey Health

  • Physio
  • OPMH
  • District nurses
  • Community services

Type of Sharing

SHFT will access your records when you have been referred to them for your further medical care. This enables the clinical team to have up to date information about your condition and status to allow you to receive acute medical care within that service.

Lawful Basis

This service is for your direct care and relies on implied consent; that is, by accepting the referral you understand that the team involved will be granted access to your record for your care.

Pharmacists from the SDCCG (Surrey Downs Clinical Commissioning Group) and GP Health Partners (Federation)

Type of Sharing

To provide monitoring and advice in line with the national directive for prescribing. Anonymous data is collected by the CCG and federations.

Lawful Basis

Direct care.

MASH – Multi-Agency Safeguarding Board – Safeguarding Children and Safeguarding Adults

Type of Sharing

We share information with health and social care authorities for safeguarding issues.

Lawful Basis

Because of public interest issues, e.g. to protect the safety and welfare of those being safeguarded, we will rely on a statutory basis rather than consent to share information for this use.

Risk Stratification – SDCCG – Surrey Downs Clinical Commissioning Group

Type of Sharing

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP practice record systems. GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

Lawful Basis

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority.

NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions, to help prevent avoidable hospital admissions and to promote quality improvement in GP practices.

Quality monitoring, concerns and serious incidents

Type of Sharing

We need to ensure that the health services you receive are safe, effective and of excellent quality. Sometimes concerns are raised about the care provided or an incident has happened that we need to investigate. You may not have made a complaint to us directly but the health care professional looking after you may decide that we need to know in order to help make improvements.

Lawful Basis

The health care professional raising the concern or reporting the incident should make every attempt to talk to you about this and gain your consent to share information about you with us. Sometimes they can do this without telling us who you are. We have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, to secure continuous improvement in the quality of services provided.

SDCCG (Surrey Downs Clinical Commissioning Group) for commissioning, planning, contract monitoring and evaluation

Type of Sharing

We share aggregated, anonymous, patient data about services we have provided.

Lawful Basis

Our legal basis for collecting and processing information for this purpose is statutory. We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you.

If patient-level data is required for clarity and extensive evaluation of a service, consent will be gained for the surgery to share this information.

National Registries

Type of Sharing

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Surveys and asking for your feedback

Type of Sharing

Sometimes we may offer you the opportunity to take part in a survey that the practice is running. We will not generally ask you to give us any personal confidential information as part of any survey.

Lawful Basis

You are under no obligation to take part and where you do, we consider your participation as consent to hold and use the responses you give us.

Screening – National Campaigns (Cytology, Breast Screening, Bowel Screening)

Type of Sharing

To support disease monitoring and health prevention for specific patients.

Lawful Basis

Your consent is sought either implicitly or explicitly. You are invited to be screened either by the practice or the screening provider directly. You can choose to consent or dissent at any point in the screening.

Other organisations who provide support services for us, e.g. PCSE

Type of Sharing

The practice may use the services of additional organisations (other than those listed above), who will provide additional expertise to support the practice.

Lawful Basis

We have entered into contracts with other organisations to provide some services for us or on our behalf.

We are part of the Epsom PCN which is a network of GPs and health and care organisations established to provide integrated services to the local population.

Members of the network are:

  • Ashley Centre Surgery, Windsor Court, Ashley Road, Epsom, KT18 5AQ
  • Derby Medical Centre, 8 Derby Square, Epsom, KT19 8AG
  • Fountain Practice, Chessington Road, Ewell, Epsom, KT17 1TG
  • Spring Street Practice, Bourne Hall Health Centre, Ewell, Epsom, KT17 1TG
  • Shadbolt Park Surgery, Shadbolt House, Salisbury Road, Worcester Park, KT4 7BX
  • St Stephens House Surgery, 102 Woodfield Lane, Ashtead, KT21 2DP
  • Stoneleigh Surgery, 20 Glenwood Road, Epsom, KT17 2LZ

By operating as a network, we are able to provide a more comprehensive set of services, provided by local clinicians and health and care providers. These services currently include:

  • Services deliverable under the Primary Care Network Enhanced Service Contract

Where necessary and relevant to support your direct care, we will share your confidential patient information with members of our network to support safe, efficient and effective care and treatment.

We will use data which you cannot be identified from when we are undertaking the planning and commissioning of local health and care services. This ‘de-identified data’ is effectively anonymised in accordance with the Information Commissioner’s Office Code of Practice, a summary of which is available at: (PDF)

If you are not happy for your health data to be shared with the organisations detailed above if you access PCN services then you can object to this. To do so you should contact your registered Practice so they can discuss the potential impact this could have on your care and treatment.

If you do not wish for your de-identified data to be used for planning and commissioning of PCN services you are able to opt-out of this via the National Opt-Out:

As a practice, we are participating in the COVID-19 vaccination programme.

We have contracted GPHP who will be providing the local vaccination service to our patients.

As a result of this there may be a requirement for your information to be shared with them if you are eligible for the vaccine. This information will be shared to support your direct care. Those working at the local vaccination service will only normally have access to the information which they need to fulfil their roles.

When it is the right time for you to receive your vaccination, you will receive an invitation to come forward. This invitation may be via the phone, text or through a letter. The invitation may not be sent from your GP, it may be from GPHP who are providing local vaccination service or the NHS directly.

All records held by the practice will be kept for the duration specified by national guidance from NHS Digital, the Health and Social Care Records Code of Practice. Once information that we hold has been identified for destruction, it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially confidential information will be disposed of by approved and secure confidential waste procedures. We keep a record of retention schedules in line with the Records Management Code of Practice for Health and Social Care 2016.

Securing Your Information

We use various companies and sub-contractors to support our practice. These organisations are trusted partners whom we authorise to use your information in line with our specific instructions.

We require these third parties to provide assurance that they meet the requirements of data protection law and we ensure written contracts are in place where access is provided to your personal data.

We use various technical and organisational controls to protect your information. We will only use information that identifies you where it is necessary and then only the minimum amount of information that is necessary to achieve the purpose will be collected and used.

Access to your information is restricted to individuals on a strict “need-to-know” basis i.e. only individuals supporting the provision of your healthcare can view your information.

Anyone we share your information with, and all practice staff, are legally, contractually and/or professionally bound to keep your information confidential and secure. We undertake regular auditing to check that information is being handled to the necessary standard.

Our staff receive regular training to ensure they understand how to comply with data protection and confidentiality requirements.

We use secure electronic systems to store your information and where we hold paper records, they will be protected from unauthorised access and confidentially destroyed where appropriate.

Your Rights

You have various rights available to you under data protection law. These are set out below:

  • Your right of access: you have the right to ask us for copies of your personal information
  • Your right to rectification: you have the right to ask us to rectify information you think is inaccurate or to complete information which you think is incomplete
  • Your right to be informed: you have the right to be told about the collection and use of your information
  • Your right to restriction of processing: in certain circumstances, you have the right to ask us to restrict the processing of your information
  • Your right to object to processing: in certain circumstances, you have the right to object to the processing of your personal data

Requests can be made verbally or in writing although we may ask you to complete a form in order that we can ensure that you have the correct information that you require. You will also need to confirm your identity.

Please be aware that in certain situations we are able to charge a reasonable fee for responding to your request. We will inform you where this applies.

If you have a query about your rights or wish to exercise a right, please contact

The practice manager: Jane White

Online Services

You are able to access online services through this GP practice. This allows you to:

  • Book, check or cancel appointments
  • Order repeat prescriptions
  • See parts of your health record

If you would like to access your GP record online, please contact the practice.

Change of Details

It is important that you tell the practice if any of your contact details, such as your name or address, have changed, especially if any of your other contact details are incorrect. It is important that we are made aware of any changes immediately so that no information is shared in error.

Please use our online Change of Personal Details form to keep us informed.

Data Protection Officer

We receive a Data Protection Officer support service from Dan Lo Russo and the ICB IG Team. You can contact our DPO via the practice.

Please mark all correspondence “Private and Confidential – For the Attention of the Data Protection Officer”.

Complaining to the ICO

You have the right to complain to the Information Commissioner’s Office; you can visit or call their helpline on 0303 123 1113.

Reviews of and Changes to our Privacy Notice

We will keep our Privacy Notice under regular review. This notice was last reviewed in March 2023.