Practice Privacy Notice
At the Gardens Surgery we understand that your personal information is private and important. This notice explains, in clear and simple language, how we look after your information, why we use it, who we may share it with, and the choices available to you.
Introduction
We are required to keep records about your health and care so we can support you, provide safe treatment, and make sure you receive the right care when you need it.
Why we give you this notice
We are required by law to tell you how we use your information, but we also believe it is important that you feel informed and reassured. If anything in this notice is unclear, please contact our Data Protection Officer, who will be happy to help.
Data Protection Officer (DPO)
John Eni-Uwubame
- Telephone: 020 8176 0366
- Email: Contact the DPO via email
What information we collect
- Your name, date of birth, address, phone number and NHS number
- Details about your health, treatment, medicines, allergies and test results
- Letters and reports from hospitals, clinics and other health or care services involved in your care
- Information you or someone acting for you gives us
The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on 25 May 2018, repealing the Data Protection Act (1998). Following Brexit, the GDPR was incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2, titled The UK GDPR (opens in a new tab).
For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (DPA2018) and Part 2 the UK GDPR).
How we use your information
We use your information to care for you, keep your records accurate and up to date, arrange appointments, review the quality of our services, and meet our responsibilities as an NHS GP practice.
Who we may share your information with
We treat your information with care and only share it when it is needed for your care, when the law requires us to, or when you have agreed to it.
- Hospitals, community services, pharmacies and other healthcare professionals involved in your care
- NHS organisations that help us run services safely and effectively
- Other organisations where we are required to share information by law, for example for safeguarding
If you receive care from other services, we may share relevant information so the people treating you have what they need to care for you safely, especially in an emergency.
More information on how we share your information with organisations who are directly involved in your care can be found here:
- The London Care Record - South East London ICS (opens in a new tab)
- NHS England - Shared care records (opens in a new tab)
Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information, see NHS E Summary Care Record (opens in a new tab) or alternatively speak to this organisation.
Registering for NHS care
All patients who receive NHS care are registered on a national database (NHS Spine). The Spine is held and maintained by NHS England, a national organisation which has legal responsibilities to collect NHS data.
More information can be found at NHS England - Spine (opens in a new tab)
Your choices and rights
You have important rights over your information. You can ask to see a copy of your records, ask us to correct anything that is wrong, and ask questions about how your information is used. In some situations, you can also object to information being shared. Please note that some sharing is required by law and cannot be stopped.
Research, planning and opt-outs
Sometimes health information is used to help plan services, improve care, check quality, or support research. When this happens, there are national rules to protect your information. You may be able to choose not to take part in some of these uses through the national data opt-out. If you would like help understanding your options, please ask us.
Safeguarding
In rare situations, we may need to share information to protect a child or adult at risk, or to prevent serious harm. If this happens, we will always follow the law and local safeguarding procedures carefully.
Use of technology and AI
We may use approved technology, including AI tools, to help our staff work efficiently and support safe, effective care. If we do, we will continue to protect your information and follow data protection law. Please speak to us if you would like to know more.
How long we keep your information
We keep records for as long as the law and NHS guidance require. This helps us make sure your care is safe, consistent, and based on the information needed to support you properly.
Contact us or make a complaint
If you have any questions about this notice or how we use your information, please contact Debra Surallie, Dr Beryl Atalar, or our Data Protection Officer, John Eni-Uwubame.
We will do our best to answer your questions and address any concerns. If you are unhappy with how we have handled your information, please tell us first so we can try to put things right. You can also complain to the Information Commissioner's Office.
Purpose of the processing
To give direct health or social care to individual patients. For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care. To check and review the quality of care (this is called audit and clinical governance).
Medical research and to check the quality of care which is given to patients (this is called national clinical audit).
Lawful basis for processing
These purposes are supported under the following sections of the GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’
The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits):
- Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
For medical research: there are two possible Article 9 conditions.
- Article 9(2)(a) – ‘the data subject has given explicit consent…’
OR
- Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data
The data will be shared with:
- Healthcare professionals and staff in this surgery
- Local hospitals
- Out of hours services
- Diagnostic and treatment centres
- Other GPs/doctors
- Primary Care Networks
- NHS Trusts/Foundation Trusts/Specialist Trusts
- NHS Commissioning Support Units
- NHS England (NHSE)
- Integrated Care Boards (ICBs)
- Multi-agency Safeguarding Hub (MASH)
- Or other organisations involved in the provision of direct care to individual patients.
For national clinical audits which check the quality of care the data will be shared with NHS England.
Rights to object and the national data opt-out
You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice. You are not able to object to your name, address and other demographic information being sent to NHS England. This is necessary if you wish to be registered to receive NHS care.
You are not able to object when information is legitimately shared for safeguarding reasons. In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The information will be shared with the local safeguarding service.
The national data opt-out model provides an easy way for you to opt-out of information that identifies you being used or shared for medical research purposes and quality checking or audit purposes. Please contact the practice if you wish to opt-out.
Learn more about the National Data Opt-Out (opens in a new tab)
Right to access and correct
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our Access to Medical Records Policy.
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record. However, you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information, and to contact us if you hold a different view.
Retention period
Records will be kept in line with the law and national guidance. Information on how long records are kept can be found in the Records Management Code of Practice (opens in a new tab).
Right to complain
In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
For further details, visit the ICO website and select “Make a complaint” (opens in a new tab) or telephone: 0303 123 1113.
Data we get from other organisations
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation, the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service.
Using your health data for planning and research
You can decide whether you wish to have your information extracted and there are two main options available to you.
Option 1:
Type 1 opt-out applies at organisational level and means that your medical record is not extracted from the organisation for any purpose other than for direct patient care. You can opt-out at any time. Opting out will mean that no further extractions will be taken from your medical record. For a Type 1 Opt-out, you need to contact the organisation by phone, email or post to let us know that you wish to opt-out.
Further information is available on the NHS website (opens in a new tab)
Option 2:
The National Data Opt-out (NDO-O) allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes. You can opt-out at any time.
NDO-O – you need to inform NHS England. Unfortunately, this cannot be done by this organisation for you. You can opt in or out at any time and complete this by any of the following methods:
- Online service – You will need to know your NHS number or your postcode as registered at this organisation via Make your choice about sharing data from your health records (opens in a new tab)
- Telephone service 0300 303 5678, which is open between 9am and 5pm, Monday to Friday
- NHS App – For use by patients aged 13 and over. The app can be downloaded from the App Store or Google Play
- “Print and post” – Photocopies of proof of the applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ