Privacy Notice
This GP Practice is registered with the Information Commissioner’s Office as a Data Controller and our registration number can be found by searching the Register of fee payers page on the ICO website.
We aim to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you. This Privacy Notice sets out how we will use these records.
Information which we will collect about you
- Name, date of birth, contact information and next of kin
- Medication
- Gender and ethnicity
- Allergies
- Vaccinations
- Previous illnesses and current health including details of any diagnoses, consultations and investigations
- Notes made during consultations
- Correspondence between health professionals such as referrals and discharge letters
- Results of tests and their interpretation
- Videotapes, audiotapes and photographs
- Reports written for third parties such as solicitors and insurance companies
We will collect information directly from you, for example when you register with the practice and attend any appointments. We also receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
How we use your information (legal basis summary)
- Article 6(1)(e) – Public task
- Article 9(2)(h) – Health or social care
Legal Claims / Complaints
- Article 6(1)(c) – Legal obligation
- Article 6(1)(e) – Public task
- Article 9(2)(f) – Legal claims
Public Health / Audits / Screening
- Article 6(1)(e) – Public task
- Article 9(2)(h) or (i) – Healthcare / public health
Administration & Service Delivery
- Article 6(1)(e) – Public task
Where appropriate, information is shared under the common law duty of confidence on the basis of implied consent for direct care.
How we use your information
Direct Care
We use your information to provide care and treatment. This may involve sharing relevant information with:
- Hospitals, community services, and specialists
- Ambulance service and NHS 111
- Out of hours and extended access providers
Where you are seen through Extended Access services, relevant parts of your GP record may be accessed by clinicians using approved NHS systems such as GP Connect.
Communication
We may contact you via:
- SMS (appointments, recalls)
- Email (with your consent)
- NHS App messaging
Medicines Management & Risk Stratification
We review records to:
- Optimise medication
- Identify patients at risk of certain conditions
Where possible, data used for risk stratification is de-identified.
Screening & Public Health
We share information to support:
- National screening programmes
- Public health reporting
- Disease prevention
Lung Cancer Screening Programme
Legal Claims and Indemnity
Where the practice is involved in a legal claim, complaint, or investigation, we may use and share relevant information from your medical record.
This may include sharing with:
- Medical Defence Organisations (e.g. MDU, MPS)
- NHS Resolution
- Solicitors or legal representatives
- Courts or regulatory bodies
We only share the minimum necessary information.
These disclosures do not require your consent where they are necessary for legal obligations or the establishment, exercise or defence of legal claims.
Complaints and Data Subject Requests
We process data to:
- Respond to complaints
- Fulfil Subject Access Requests
Recipients of your information
We may share your information with:
Healthcare Providers
Medical Defence Organisations & Legal Representatives
- MDU, MPS, NHS Resolution
- Solicitors acting on behalf of the practice
Regulatory Bodies
- CQC, ICO
NHS Digital
- For national data collections required by law
Local Authorities & Integrated Care Boards (ICBs)
- For commissioning and service planning
Operational Support from Integrated Care Boards (ICBs)
We receive certain specialist healthcare related services and administrative related support from the Surrey Heartlands ICBs. This assists us in providing the best possible care for our patients. We have robust data sharing arrangements in place with the ICBs.
Community acquired clostridium difficile infection reviews
An ICB employed Pharmacist will review the relevant parts of your GP record if identified as being community acquired clostridium difficile infection cases. The Pharmacist or Pharmacy Technician will advise whether the practice should undertake a more detailed review and a full root cause analysis.
Further information can be found within the Community acquired clostridium difficile infection reviews Data Protection Protocol.
Reporting
The Surrey Heartlands ICBs support our practice in reporting and service development activities to support the delivery of key NHS objectives around:
- Service redesign;
- Measuring performance and outcomes;
- Reducing health inequalities;
- Achieving efficiency savings; and
- Improving patient safety.
Further information can be found within the EMIS Enterprise Search and Reports Data Protection Protocol.
National registries
National Registries have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user. The National Cancer Registration and Analysis Service is an example of this.
Third Party Providers
We use trusted suppliers for:
- IT systems and data hosting
- Appointment systems
- Interpretation services
All suppliers:
-
- Are bound by contracts
- Have Data Processing Agreements in place
Other healthcare organisations
We share information about your health with other organisations who are involved in providing you with health and social care. For example, if you require a referral to secondary care or a community provider, we will send a referral to them with information about you that is relevant to the referral. If you present at or engage with other health or social care services, we may share information with them in order to support your direct care, for example, 111 and ambulance service, A&E and out of hours, NHS trusts and registered and regulated professionals in care homes.
Friends, Families and carers
We will share relevant information about you with these individuals where you have provided your consent or where they are acting as your attorney, deputy or guardian.
We will retain certain information about these individuals such as their name and contact details so that we can share information about your care, in ways that you have agreed.
Local Authority Safeguarding Team
There may be legal situations in which we have to share your information in order to maintain the safety of the individuals concerned. This includes both adult and child safeguarding and in these situations identifiable information will be shared. There is often a legal requirement to share this information without obtaining consent first.
NHS Digital
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients and allow our practice to receive payment for the services which we deliver.
This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
More information about NHS Digital and how it uses information can be found on the Health and care information page on the NHS Digital website as well as on the GP data collections page.
Regulatory bodies
We are legally required to support organisations with regulatory functions such as the CQC and the ICO. Where appropriate, we may share information about you with these organisations to evidence compliance or to report an adverse or unexpected incident.
Public Health
The law requires us to share data for national public health reasons, to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
We will report the relevant information to local health protection teams or Public Health England.
For more information about Public Health England and disease reporting see the ‘Notifiable diseases and causative organisms: how to report’ page on the gov.uk website.
Supporting Locally Commissioned Services
Local authorities and ICBs have responsibility for improving the health of the local population. In this regard, in order for the practice to receive payment for our services, we will share relevant information with these organisations using a statutory permission under Section 251 of the NHS Act 2006 or by sharing information that does not identify you.
Third party service providers
In order to deliver the best possible service, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure and that they do not use or share the information other than in accordance with our instructions.
Examples of functions that may be carried out by third parties include companies that provide;
- IT services and support, including our clinical systems;
- Systems which manage patient facing services (e.g. our website);
- Data hosting service providers;
- Systems which facilitate appointment bookings, electronic prescription services;
- Document management service; and
- Interpretation services.
Complaints, Data Subject Rights Requests and other similar requests
If you wish to exercise your rights under data protection law, we will process the information to be able to consider the request and provide an appropriate response. If you have instructed an individual or organisation to act on your behalf, we will respond to them providing we have your explicit consent.
In the unlikely event that the practice is subject to legal action or a complaint, we will need to access relevant information in order to investigate and respond. We may also need to share information with our insurance company and solicitors to manage and defend any claims.
Our lawful basis for processing your personal data for these purposes are:
- The processing is necessary to perform a task in the public interest or for official function
- The processing is necessary for compliance with a legal obligation
- The processing is necessary for the establishment, exercise or defense of legal claims
- The processing is necessary reasons of substantial public interest
- The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
Use of AI to Process Inbound Documents
We use AI-powered software to assist with processing and summarising inbound documents—such as discharge summaries, referral letters, and test results—before they are added to your electronic record. This technology is used solely as a tool to support our administrative workflows; all outputs are reviewed by a trained member of staff before being finalised.
The lawful basis for processing is Article 6(1)(e) – public task and Article 9(2)(h) – health or social care. A Data Protection Impact Assessment has been conducted in line with UK GDPR and ICO guidance to manage risks such as data accuracy, transparency, and bias. The software is subject to governance controls to ensure it does not make autonomous decisions regarding your care.
You have the right to object to the use of AI in this way - please contact the surgery on 01428 748206 if you would like to opt out. For more information, refer to the ICO’s guidance on AI and data protection and the NHS Transformation Directorate’s AI in health and care settings guidance.
Objecting to Sharing
You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive so please speak to the practice if you have any concerns about the ways in which your information is shared.
Sharing without your consent
There are exceptions to the duty of confidence that may make the use or disclosure of confidential information without consent appropriate. These situations are rare but could include:
- Sharing your name, address and other demographic information with NHS Digital as this is necessary if you wish to be registered to receive NHS care;
- Sharing required in the public interest or to protect the public in order to prevent and support detection, investigation and punishment of a serious crime or to prevent abuse/serious harm;
- Legal disclosures for example where we have received a court order;
- Where we are required to support organisations with regulatory functions such as the CQC or the ICO.
National data opt-out
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
The National Data Opt-Out does not apply where information is used for your individual care.
Sharing partners
We have sharing agreements in place with some organisations where we believe this will facilitate care for our patients or where you have provided your explicit consent. This allows authorised individuals to directly access the electronic records which we hold about you and ensures that those involved in your care, treatment or research study can quickly, easily and securely access the information they need, when they need it.
Retention
All records held by the Practice will be kept for the duration specified by national guidance from NHS Digital, Health and Social Care Records Code of Practice. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially confidential information will be disposed of by approved and secure confidential waste procedures. We keep a record of retention schedules in line with the Records Management Code of Practice for Health and Social Care 2021.
Securing your information
We use various companies and sub-contractors to support our practice. These organisations are trusted partners and whom we authorise to use your information in line with our specific instructions.
We require these third parties to provide assurance that they meet the requirements of data protection law and we ensure written contracts are in place where access is provided to your personal data.
We use various technical and organisational controls to protect your information. We will only use information that identifies you where it is necessary and then only the minimum amount of information that is necessary to achieve the purpose will be collected and used.
Access to your information is restricted to individuals on a strict “need-to-know” basis i.e. only individuals supporting the provision of your healthcare can view your information.
Anyone we share your information with, and all practice staff, are legally, contractually and/or professionally bound to keep your information confidential and secure. We undertake regular auditing to check that information is being handled to the necessary standard.
Our staff receive regular training to ensure they understand how to comply with data protection and confidentiality requirements.
We use secure electronic systems to store your information and where we hold paper records, they will be protected from unauthorised access and confidentially destroyed where appropriate.
We do not routinely transfer your personal data outside of the UK. Where this is necessary, appropriate safeguards will be in place.
Your rights
You have various rights available to you under data protection law. These are set out below:
- Your right of access: You have the right to ask us for copies of your personal information
- Your right to rectification: You have the right to ask us to rectify information you think is inaccurate or complete information which you think is incomplete
- Your right to be informed: you have the right to be told about the collection and use of your information
- Your right to restriction of processing: In certain circumstances, you have the right to ask us to restrict the processing of your information
- Your right to object to processing: In certain circumstances, you have the right to object to the processing of your personal data
Requests can be made verbally or in writing although we may ask you to complete a form in order that we can ensure that you have the correct information that you require. You will also need to confirm your identity.
Please be aware that in certain situations we are able to charge a reasonable fee for responding to your request. We will inform you where this applies.
If you have a query about your rights or wish to exercise a right, please contact the Practice Manager at Haslemere Health Centre.
Online Services
You are able to access online services through this GP practice. This allows you to:
- Book, check or cancel appointments
- Order repeat prescriptions
- See parts of your health record
If you would like to access your GP record online visit Patient Access or use the NHS App.
NHS App
We use the NHS Account Messaging Service provided by NHS Digital to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at the privacy notice for the NHS App managed by NHS Digital at: https://www.nhs.uk/using-the-nhs/nhs-services/the-nhs-app/privacy/
Change of Details
It is important that you tell the practice if any of your contact details such as your name or address have changed, especially if any of your other contacts details are incorrect. It is important that we are made aware of any changes immediately in order that no information is shared in error.
You can change your details online by completing the Change Personal Details triage.
Data Protection Officer
Surrey Heartlands Primary Care Data Protection Officer Service. Provided by Dan Clements.
kmicb.ig@nhs.net
Please mark all correspondence “Private and Confidential- For the Attention of the Data Protection Officer”.
Complaining to the ICO
You have the right to complain to the Information Commissioner’s Office, you can visit the contact us page on their site at www.ico.org.uk – contact us or call their helpline on 0303 123 1113.
Reviews of and Changes to our Privacy Notice
We will keep our Privacy Notice under regular review. This notice was last reviewed in June 2026.