Data Privacy Notice
Why we collect information about you
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare and help us to protect your safety.
We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include basic details about you, such as your name and address. They will also contain more sensitive information about your health and also information such as outcomes of needs assessments.
Details we collect about you
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. from Hospitals, GP Surgeries, A&E, etc.). These records help to provide you with the best possible healthcare.
Records which this GP Practice will hold about you will include the following:
- Details about you, such as your name, address, family members and next of kin
- Gender, NHS number, date of birth and sexual orientation
- Any contact the surgery has had with you such as appointments, clinic visits, emergency appointments etc
- Health (medical) information including information relating to your sex life
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you
- Biometric data
- Genetic information
How we keep your information confidential and safe
Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.
We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
Your right to withdraw consent for us to share your personal information (Opt-Out)
If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out.
We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still be legally required to disclose your data.
There are two main types of opt-out:
Type 1 Opt-Out
If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your confidential personal information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Type 2 Opt-Out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’.
For further information about Type 2 Opt-Outs or to register your choice to opt out, please contact:
or NHS Digital Contact Centre at firstname.lastname@example.org referencing ‘Type 2 Opt-Outs – Data Requests’ in the subject line;
or call NHS Digital on (0300) 303 5678
Summary Care Record (SCRAI)
The NHS in England uses a national electronic record called the Summary Care Record with additional information (SCRAI) to support patient care. It contains key information from your GP record. Your SCRAI provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.
SCRAI’s are there to improve the safety and quality of your care by providing additional information including allergies, reactions, medications ( the reason for medication), vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information.
Please be aware that if you choose to opt-out of SCRAI, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now with information being shared by letter, email or phone. If you wish to opt-out of having an SCRAI please return a completed opt-out form to the practice.
Click here to see Your Summary Care Record Booklet
Click here to download the Opt Out Form
Access to your information
Subject Access Request (SAR)
Under Data Protection Legislation everybody has the right to see, or have a copy of, data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data. If you want to access your data you may request a Subject Access Request (SAR).
Under special circumstances, some information may be withheld.
In order to request this free of charge service:
- Your request must be made to the surgery - for information from the hospital you should contact them directly
- You will need to give adequate information (eg full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located
- Complete a request form available here or from reception and provide two forms of identification. We are required to respond to you within 30 days.
The practice utilises iGPR which is an algorithm based software to identify 3rd party data within patients SAR requests. The records are then checked by a GP before release.
If you wish to have a copy of the information we hold about you, please complete the SAR Request Form and return it to the practice in person with two forms of identification.
Local Enhanced Data Sharing (EDSM)
Your GP electronic patient record is held securely and confidentially on an electronic system called ‘SystmOne’ managed by the Lodge Surgery. If you require attention from a health professional such as an Emergency Department, Minor Injury Unit or Out Of Hours service, the professionals treating you are better able to give you safe and effective care if relevant information from your GP record is available to them. We have a practice policy to share in and share out all patients medical records within SystmOne with care organisations with whom you are registered and receiving care.
Under the GDPR and DPA 2018, all organisations that process personal data must have in place a legal basis to process this data and an additional legal basis to process special category data (including data concerning health).
We have been advised to use the following by our Data Protection Officer:
- Article 6 (1) (e) '...necessary for the performance of a task carried out in the public interest or in the exercise of official duty...' as an appropriate legal basis for personal data
- Article 9 (2) (h) '...medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems...' as an appropriate legal basis for special category data.
We have established a safe no verify list of organisations within Wiltshire with whom we will share your information without requiring a code from the patient. All other healthcare organisations will need to seek permission from the patient to receive an SMS / email code from the patient before the surgery will allow them access to medical records.
Your permission will be asked before the information is accessed, other than in exceptional circumstances (eg emergencies) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).
Find out more about EDSM here
Secondary Use of Patient Identifiable Data
Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent for a number of specific purposes, which are set out in law. These purposes are explained below.
Information held about you may be used to help protect the health of the public and to help us manage the NHS by:
- Clinical Audit by CCG
- Clinical Research
- Improving Diabetes Care
- Individual Funding Request
- Risk Stratification
- Supporting Medicines Management
- Supporting Locally Commissioned Services
- Data Retention
- Medical Student Placements
Download our Data Privacy Notice for further information
Please click here to download Data Sharing Form