GDPR: Data Privacy Notice

Covid-19 Response NHS Digital

The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).

Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.

To support the healthcare response to COVID-19, NHS Digital has been directed by the Secretary of State for Health and Social Care (the Secretary of State) and NHS England under the COVID-19 Directions to:

  • establish information systems to collect and analyse data in connection with COVID-19; and
  • develop and operate IT systems to deliver services in connection with COVID-19.

Please click here to read the complete notice from NHS Digital on how they propose to use people's data.

What is a Privacy Notice?

The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018 and replaces the Data Protection Directive 95/46/EC. The GDPR applies to all EU member states; its aim is to harmonise data privacy laws across Europe. The Park Surgery must be able to demonstrate compliance at all times.

Understanding the requirements of the GDPR will ensure that personal data of both staff and patients is protected accordingly. As a result, we are publishing a new Privacy Notice to make it easier for you to find out how we use and protect your information. We will not be changing the way we use your personal information, but this notice will provide you with additional details such as:

  • Your increased rights in relation to the information we hold about you
  • How we keep your personal information secure
  • The types of personal information we collect about you and how we collect and use it
  • The legal grounds for how we use your information

Further information on how we use information for:

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is provided

can be found on our website, or you can ask at reception for our Privacy Notice booklet. We also display Privacy Notices in the waiting room and on our display screen. We will:

  • Inform patients how their data will be used and for what purpose.
  • Allow patients to opt out of sharing their data, should they so wish.


Data Controller: The Park Surgery. Our registration number for the ICO (Information Commissioner's Office) is Z7327426.


Data Protection Officer: Richard Newell – ICO ZA332620 – Please contact via the Practice


What information do we collect about you?

All personal data must be processed fairly and lawfully. NHS records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept secure and confidential. We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

  • ‘Personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number; and
  • ‘Special category / sensitive data’, such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, Community Care provider, mental health care provider, walk-in centre, social services). These records may be electronic, paper records or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

How do we use your information?

To ensure that you receive the best possible care, your records will be used to facilitate the care you receive. Information held about you may be used to protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided. In addition, your information will be used to identify whether you are at risk of a future unplanned hospital admission and/or require support to effectively manage a long-term condition. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Consent & Objections

The GDPR sets a high standard for consent. However, consent is only one potential lawful basis for processing information. Therefore, your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

What will happen if I withhold my consent or raise an objection?

You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

Risk stratification

Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long-term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to Community Care, your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs. More information on risk stratification can be found on our website or in the practice Privacy Notice booklet.

Invoice validation

If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received. Information such as your name, address, date of treatment and associated treatment code may be passed on to the CSU to enable them to process the bill. These details are held in a secure environment and kept confidential. This information is only used to validate invoices in accordance with the current Section 251 Agreement and will not be shared for any further commissioning purposes.



Your right to withdraw consent for us to share your personal information

The national data opt-out is a new service that allows people to opt out of their confidential patient information being used for research and planning. It was introduced on 25 May 2018, providing a facility for individuals to opt out from the use of their data for research and planning purposes. The national data opt-out replaces the previous “type 2” opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out has had it automatically converted to a national data opt-out from 25 May 2018 and has received a letter giving them more information and a leaflet explaining the new national data opt-out. If a patient wants to change their choice, they can use the new service to do this. You can find out more from the practice or by clicking here.

Patients who have a type 1 opt-out

Some patients will have a type 1 opt-out registered with their GP practice, which prevents their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian on their removal. The practice will continue to record patient choices and apply type 1 opt-outs.

Accessing your records

The Data Protection Act 2018 and General Data Protection Regulation allow you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is delivering or has delivered your treatment and care. You should, however, be aware that some details within your health records may be exempt from disclosure; this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record, please ask reception for an access to medical records request form. You have certain other legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.

What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

  • Contact the practice’s data controller via email at:   GP practices are data controllers for the data they hold about their patients.
  • Ask to speak to the Managing Partner, Sally Walker, or the Business Development & Compliance Manager, Claire Deegan.



In the event that you feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Business Development & Compliance Manager at the surgery. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner's Office (ICO) via their website. Tel: 0303 123 1113, or 01625 545 745 if you wish to use a national rate number. Alternatively, you can write to them at: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
