This privacy notice explains why Poplar House Surgery collects information about you, how it is kept secure and how that information is used.

This notice will explain:

  • Why we collect your information, what is collected and how we use it
  • How we keep your information safe and secure
  • Why we share your information and who with
  • How to opt out of sharing your data
  • Your data rights under UK GDPR 2021
  • How long we can legally keep your information
  • The lawful basis for processing your personal and sensitive information
  • How to complain


The General Data Protection Regulation (GDPR) became law on 25 May 2018. This regulation protects the personal and sensitive data of a living individual. It is currently known as the UK GDPR 2021 after the United Kingdom withdrew from the European Union on 31 January 2020.

As your registered GP practice, we are the data controller for any personal and sensitive data we hold about you. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The GDPR 2016 and UK GDPR 2021
  • The Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • The Caldicott Principles

Why do we collect your information?

Healthcare professionals within the NHS and who provide you with care are required by law to maintain your medical records with details of any care or treatment you received. This information will be used to aide clinicians to make decisions, either individually or jointly, about your health and to make sure it is safe and effective.

Other reasons include:

  • Looking after the health of the public
  • Development of future services to better serve the practice population
  • We will share pseudonymised data, so the NHS has access to statistics to its performance and activity
  • To help us investigate patients’ concerns, complaints, or legal claims
  • Allow clinicians to review their service of care to ensure it is of the highest standards, and provide a basis of further training of care is not as expected
  • Patient medication reviews undertaken by a healthcare professional
  • Research Ethics Committee approved research (patient consent will be required)

What information do we collect?

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously or elsewhere (e.g. NHS hospital Trust, another GP surgery, Out of Hours service, Accident & Emergency Department, etc). These records help to provide you with the best possible healthcare.

Information we hold about you may include the following:

  • Your personal details, i.e. address, next of kin, contact details, details of those with proxy access, email address
  • Contact you have had with the surgery, i.e. appointments including what kind of appointment, who it was with and what happened during
  • Reports about your health, treatment and care
  • Results of investigations, i.e. laboratory test results, x-rays, scan results, etc
  • Relevant information from other health professionals, relatives or those who care for your, or information provided to the surgery by you (including information you provide via our surgery website).

How do we keep your information safe and secure?

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it.

We will not disclose your information to any third party without your permission unless there are exceptional circumstances, or where the law requires information to be passed on, for example:

  • We believe you are putting yourself at risk of serious harm
  • We believe you are putting a third party (adult or child) at risk of serious harm
  • We have been instructed to do so via court order made against the practice
  • Your information is essential for the investigation of a serious crime
  • You are subject to the Mental Health Act (1983)
  • UK Health Security Agency and Office for Health Improvement and Disparities needs to be notified of certain infectious diseases
  • Regulators use their legal powers to request your information as part of an investigation

Our practice policy is to respect the privacy of our patients, their families and our staff, and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees must sign a confidentiality agreement as part of their condition of employment. We also ensure that data processors who support us are legally and contractually bound to operate and prove security arrangements are in place where data which could or does identify a person are processed.

Third party processors include:

  • Companies which provide core IT services and support to the practice and its clinical systems
  • Systems which manage patient facing services (PFS) – NHS app, MyGP, the practice website, data hosting service providers, appointment booking systems, electronic prescription services, document management services, text messaging services etc

Clinical systems (EMIS Web)

We will email or text you regarding matters of medical care, such as appointment reminders and, if appropriate, test results, unless you have separately given the practice your explicit consent to do so. We maintain our duty of confidentiality to you and will only use or share information with others if they have a genuine need for it. We will not share your information to a third party without your permission, unless there are exceptional circumstances, i.e. life and death, or where the law requires us to share your information.


Why do we share your information, and who do we share it with?

Confidential patient data will be shared within the healthcare team at the practice, including nursing staff, administration staff (prescription, secretaries, reception, finance) and with other healthcare professionals to whom a patient is referred.


Data processors

The practice uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients.

Data is being shared securely with a data processor called System C for the purposes of protecting public health, providing healthcare services to the public, planning health care services and monitoring and managing Covid outbreaks. No data that identifies a person will be used for purposes other than direct care. If you have previously opted out of data sharing your data will not be used. The overarching purpose for data sharing is to support a set of Population Health analytics for population level planning and improvement of outcomes and also the targeting of direct care to vulnerable populations in need.

National screening programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage.

Where research involves accessing or disclosing identifiable patient information, we will only do so with your explicit consent and with approval from the Research Ethics Committee, or where we have been provided with special authority to do so with consent.

The Medicines Management Reviews service performs a review of prescribed medication to ensure patients receive the most appropriate up to date and cost-effective treatments. If you decide to object to this, please contact the Practice Manager; however, be aware that the result may be a delay in the timely provision of your direct care.

Risk stratification

The Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification. This is because it would take too long to carry out a manual review of all patients. The following information is used for risk stratification:

  • Age
  • Gender
  • NHS number
  • Diagnosis
  • Existing long-term condition(s)
  • Medication history
  • Patterns of hospital attendance
  • Number of admissions to A&E
  • Periods of access to community care
  • This information will be used to:
  • Decide if a patient is a greater risk of suffering from a particular condition
  • Prevent an emergency admission
  • Identify if a patient needs medical help to prevent a health condition from deteriorating
  • Review and amend the provision of current health and social care services.
  • Data sharing schemes
  • Several data sharing schemes are active locally, enabling healthcare professionals working outside of the surgery to view information from your GP record.

Summary Care Record

NHS England have also created a Summary Care Record which contains information about medication you are taking, allergies you suffer from and any bad reactions to medication that you have had in the past.

The shared record means patients do not have to repeat their medical history at every care setting.

Your record will be automatically setup to be shared with the organisations listed above, however you have the right to ask your GP to stop your record from being shared or only allow access to parts of your record.

Your electronic health record contains lots of information about you. In most cases, particularly for patients with complex conditions and care arrangements, this means that you get the best care and means that the person involved in your care has all the information about you. The shared record means patients do not have to repeat their medical history at every care setting.


Mandatory disclosure of information

We are sometimes legally obliged to disclose information about patients to relevant authorities. In these circumstances the minimum identifiable information that is essential to serve that legal purpose will be disclosed.

The organisation will also have a professional and contractual duty of confidentiality. Data will be anonymised if possible before disclosure if this would service the purpose for which the data is required.

Organisations which we are legally obliged to release patient data to include:

  • NHS Digital (e.g. the National Diabetes Audit)
  • Care Quality Commission
  • Driver and Vehicle Licensing Agency
  • General Medical Council
  • His Majesty’s Revenue & Customs
  • NHS Counter Fraud
  • Police
  • The Courts
  • UK Health Security Agency and Office for Health Improvement and Disparities
  • Local Authorities (Social Services)
  • The Health Service Ombudsman
  • Medical defence organisation – in the event of an actual or possible legal proceedings
  • Permissive disclosure of information

The practice can release information from your medical records to relevant organisations, only with your explicit consent. These include:

  • Your employer
  • Insurance companies
  • Solicitors
  • Local Authorities (the Council)
  • Police
  • Community services – district nurses, rehabilitation services, telehealth and OOH hospital services
  • Child health services which undertaken routine treatment or health screening
  • Urgent care organisations, minor injury units
  • Community hospitals
  • Palliative care hospitals
  • Care homes
  • Mental health Trusts
  • NHS hospitals
  • Social care organisations
  • NHS commissioning support units
  • Independent contractors, i.e. dentists, opticians, pharmacists
  • Private sector providers
  • Voluntary sector providers
  • Local ambulance Trust
  • Integrated Care Board
  • Education services
  • Fire and Rescue services

Don’t want to share your information?

You have the right to withdraw your consent at any time for any instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

Your practice has systems and processes in place to comply with the National Data Opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

To find out more or to register your choice to opt-out, please visit NHS: Your Data Matters

On the webpage you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply, i.e. where here is a legal requirement or where it is in the public interest to share (go to more exemptions on the NHS website for further information)
  • You can also find out more about how patient information is used on the Health Research Authority website (which covers health and care research) and on the Understanding Patient Data website (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


Legal basis for processing your personal data

We need to know your personal, sensitive, and confidential data so that we can provide you with healthcare services as a General Practice. Under the new rules called General Data Protection Regulation (GDPR) there are different reason why we may process your data, however we mostly rely upon:

  • Article 6(1)(e): Official Authority; and
  • Article 9(2)(h): Provision of health

For much of our processing, in particular:

  • Maintaining your electronic GP record
  • Sharing information from, or allowing access to, your GP record, for healthcare professionals involved in providing you with direct medical care
  • Referrals for specific healthcare purposes
  • The NHS data sharing schemes
  • Our data processors
  • Organising your prescriptions, including sending them to your chosen pharmacist
  • Some permissive disclosures of information
  • We also rely upon:
  • Article 6(1)(d): Vital interests – to share information with another healthcare professional in a medical emergency
  • Article 6(1)(c): Legal obligation – Mandatory disclosure of information to NHS Digital and CQC, etc
  • Article 6(1)(a): Consent – Certain permissive disclosures of information, ie insurance companies
  • Article 9(2)(j): Research – for accredited research undertaken in the surgery, with your explicit consent.

Your data rights

The UK GDPR allows you to ask for any information the practice holds about you, including your medical records.  It also allows you to ask the practice to rectify any factually inaccurate information and object to how your information is shared with other organisations (opt-out).

Data being used or shared for purposes beyond individual direct care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


Right of access

The practice holds both personal and sensitive data (health records) about you. If you need to review a copy of your historical medical records, you can contact the surgery to make a ‘Subject Access Request’.

If you receive a copy, there may be information that has been hidden. Under UK GDPR the practice is legally permitted to apply specific restrictions to the released information. The most common restrictions include:

  • Information about other people (known as ‘third party’ data) unless you provided the information, or they have consented to the release of their data held within your medical records
  • Information which may cause serious physical or mental harm to you or another living person. For some Subject Access Request cases, a GP will perform a ‘serious harms test’. If the GP has any cause to believe that specific information will cause you or someone else serious harm, it will not be released.

Right to rectification

You have the right to have any factual inaccuracies about you in your medical record corrected. Please contact the surgery with your request.


Right to object

If you do not wish to share your information with organisations who are not responsible for your direct care, you can opt-out of the sharing schemes.

For further information about opting out, please visit Your NHS Matters


Right to withdraw consent

Where the practice has obtained your consent to process your personal data for certain activities, (e.g. preparation for a subject access request for a third party), you have the right to withdraw your consent at any time.


Your access to your future health records

If you have online access to your medical records, you will be given access to view your future health records. This means you will have access to free texts, letters, and documents once they have been reviewed and filed by the GP. Please note that this will not affect proxy access.

If you move practice, access to your medical records will commence from the date you register with the new practice, for which you will also need to reapply to obtain.

There will be limited legitimate reasons why access to prospective medical records will not be given or will be reduced and they are based on safeguarding. If the release of information is likely to cause serious harm to the physical or mental health to you or another individual, the GP could refuse or reduce access to prospective records; third party information may also not be disclosed if deemed necessary. On occasion, it may be necessary for a patient to be reviewed before access is granted, if access can be given without a risk of serious harm.


What should you do if your personal information changes?

It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect for this to be amended. You have a responsibility to inform us as soon as possible of any changes so our records are accurate and up to date for you.

Change of Contact Details form


How long will we store your data?

The NHS Records Management Code of Practice 2021 identifies will replace the 2016 version. specific retention periods which are listed in Appendix II: Retention Schedule.

See Records Management Code of Practice 2021 for a copy of the 2021 NHS retention period policy


How can you complain?

If you have any concerns about how your data is managed, please contact the Management Team at the Practice in the first instance. This can be done in writing to the Practice address.

For independent advice about data protection, privacy, and data sharing issues, you can contact The Information Commissioner


Further information

If you have any concerns about how your data is shared or would like to know more about your rights in respect of your personal data held by the practice, please contact the Data Protection Officer at the practice address.


Data protection officer

Any queries about data protection issues should be addressed to the practice address.

  • Version: 1
  • Published: 09/05/2023   
  • Review date: 09/05/2024