Privacy Notice – GDPR

This Policy tells you in more depth why Locking Hill Surgery collects information about you, who we may share it with and how that information may be used.

The health care professionals who provide you with care also maintain records about your health and any treatment or care that you have received previously.  This may include your GP Surgery, the NHS Trust, Walk-In Clinics and Out of Hours care.  The reason for sharing this information is to provide you with the best possible joined-up healthcare.

What sort of records about me do you hold?

Records may be held in either electronic or manual (written down) formats and may include the following important information:

  • Details about you such as address, contact numbers and next of kin.
  • Any contacts that you have had with health services such as appointments, clinic visits, emergency appointments etc.
  • Notes and reports about your health.
  • Details about your treatment and care.
  • Results of investigations such as laboratory tests, x-rays, retinopathy screening etc.
  • Relevant information from other health professionals, relatives or those who act as your designated Carer and know you well.

Apart from my own healthcare why might you hold these records?

Information held about you may be used to help protect the health of the public and to help us manage the NHS, for clinical audit to monitor the quality of the service provided, and may be held centrally and used for statistical purposes and for research purposes.

In all cases you can expect that we will ensure that individual patients cannot be identified and consent will be obtained where research work is carried out.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive annual training on how to do this.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel. We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 1998
  • General Data Protection Regulation 2018
  • Human Rights Act
  • Common Law Duty of Confidentiality
  • NHS Codes of Confidentiality and Information Security
  • Health and Social Care Act 2015

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations) or where the law requires information to be passed on.

How we use your information

Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care but you may choose to withdraw your consent to personal data being used in this way. You can object to your personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time. To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS.

Who are our information sharing partners?

As mentioned above, we share information with a variety of organisations for different reasons.

NHS Gloucestershire Clinical Commissioning Group

Like all other Practices in Gloucestershire, Locking Hill Surgery has historically worked with NHS Gloucestershire CCG to receive support in providing the best possible treatment and care to patients. This is achieved through sharing data with the CCG from our GP system:

  • To enable regular clinical audits of the care we deliver to our patients.
  • For support with identifying patients at risk.
  • For support with medicines use and management.
  • To support commissioners in understanding the care needs of our patients.
  • To evaluate current care programmes and design new care pathways and services that reflect the specific needs of our patients.

In line with clear NHS England guidance and Data Protection laws, Personal or Confidential information about you is never shared with anyone other than doctors, nurses or clinicians involved in caring for you. Only non-identifiable health and care related information such as the below is shared to allow the above mentioned important work to take place:

  • Health conditions patients suffer in the local area.
  • The types and frequency of appointments and care delivered to patients.
  • Medicines prescribed and dispensed for treatment of different conditions.
  • How well a new or existing service has been accessed and used by patients.

NHS numbers are instead used to enable GPs and clinicians to identify patients under their care. NHS Gloucestershire CCG, with whom the data is shared, follows strict NHS England governed guidelines to ensure that the information about patients it receives is anonymised and analysed securely and confidentially in line with the latest Data Protection laws and Information Security guidance issued by the government. This means personal or confidential details such as your name and address are never shared.

Can I Opt-out of this?

If you do not want this non-confidential information about you from our Practice system to be shared with NHS Gloucestershire CCG, for the above outlined purposes, you have the right to opt-out. You can do this by informing us and we will record and respect your wishes. This, however, will mean your details will be excluded from all local clinical audits and may mean you miss out on the key patient benefits listed above. For more information about this see NHS Gloucestershire Website:  Phone: 0300 421 1500 Email:

NHS Hospitals and Trusts and Private Consultant Hospitals and Organisations

Your Clinician will discuss with you beforehand any referral that is to be made to a secondary care consultant who specialises in your particular condition.  Only information relevant to the referral and your contact details and NHS identifier will be shared.

Out of Hours Care and Your Summary Care Record (SCR)

 NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.

Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please return a completed opt-out form to the practice.


Requests for medication are now made either manually (on a paper prescription) or electronically.

There may be occasions when a local Pharmacist contacts the practice to clarify details about the medication which has been prescribed.

Other GPs

If you are on holiday elsewhere in the country you may need to register as a temporary resident for urgent treatment.  The GP looking after you may contact the surgery for specific information regarding an existing condition, history of vaccinations or medication to enable them to treat you appropriately.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Cabinet Office

The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.  It does not require the consent of the individuals concerned under the Data Protection Act 1998.  Data matching by the Cabinet Office is subject to a Code of Practice.  Information on the Cabinet Office’s legal powers and reasons why it matches particular information.

Risk Stratification

 Risk Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services.  Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice.   Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Further information is available from the following link:

If you have, in the past, been considered at risk of hospitalisation or needing additional health input you will have received a letter from the Practice asking permission to include you in the Practice programme.  We will have asked if we can share specific information to ensure that you receive consistent and seamless care if you are admitted urgently such as your current repeat medication or next of kin details.  If you do not wish information about you to be included in the risk stratification programme, please let us know. We can add a code to your records that will stop your information from being used for this purpose.

Individual Funding Request

An ‘Individual Funding Request’ is a request made on your behalf, with your consent, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that our Clinical Commissioning Group has agreed to fund for the local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment.  A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.

Invoice Validation

 Invoice validation is part of the process by which providers of care or services get paid for the work they do.  Invoices are submitted to the commissioners of their service for payment, but before payment can be released, commissioners need to ensure that the activity claimed for each patient is their responsibility.  This is done by using your NHS number to check the CCG that is responsible for paying for your treatment.  Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes.

Supporting Medicines Management

Clinical Commissioning Groups support local GP practices with prescribing queries which generally do not require identifiable information. CCG pharmacists work with our practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and cost-effective. Where specialist support is required e.g. to order a drug that comes in solid form, in gas or liquid, the CCG medicines management team will order this on behalf of the practice to support your care.

Local sharing via Joining Up Your Information (JUYI)

 Your patient record is held securely and confidentially on our electronic system. We want to provide you with the best care possible.  If you require attention from a health professional such as an Emergency Department, Minor Injury Unit or Out Of Hours location, those treating you are better able to give appropriate care if some of the information from your GP patient record is available to them. This information can be locally shared electronically via the JUYI system.

The information is only used by authorised health and social care professionals in Gloucestershire-based organisations, involved in your direct care.  Your permission will be asked before the information is accessed, unless the health and social care user is unable to ask you and there is a valid reason for access, which will then be logged.

If you do not wish to share your medical records outside of your practice you can opt out at any time by contacting the practice, but this might impact the care you receive.

Further information about JUYI can be found online at


To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Social Prescribing

 At Locking Hill Surgery we work closely with a Social Prescriber who puts patients in touch with local organisations which may benefit their health and wellbeing.  A GP or Nurse at the Practice will talk to you about the kind of support or help that you need and make a referral with your consent.  We will not directly refer you to an organisation or give your details out to anyone except the Social Prescriber.

Data Retention

We will approach the management of patient records in line with the Records Management NHS Code of Practice for Health and Social Care, which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.

Medical Student placements

Our practice is involved in the training of medical students. As part of this programme medical students will work in the practice and may be involved in your care.  If clinicians would like a student to be present they will always ask for your permission before the start of the consultation. The treatment or care you receive will not be affected if you refuse to have a student present during your appointment. It is usual for GPs to discuss patient case histories as part of their continuing medical education or for the purpose of training GPs and/or medical students. In these situations the identity of the patient concerned will not be revealed. We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • Specialist Trusts.
  • Independent Contractors such as dentists, opticians, pharmacists.
  • Private Sector Providers.
  • Voluntary Sector Providers.
  • Ambulance Trusts.
  • Social Care Services.
  • Local Authorities.
  • Education Services.
  • Fire and Rescue Services.
  • Police.
  • Other ‘data processors’.

We will never share your information outside of health partner organisations without your consent unless there are lawful circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function.

Within the health partner organisations (NHS and Specialist Trusts) and in relation to the above mentioned purposes – Risk Stratification, Invoice Validation, Supporting Medicines Management, Summary Care Record – we will assume you are happy for your information to be shared unless you choose to opt-out (see below).

What can I do if I do not wish to share my records?

If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still be legally required to disclose your data. You can object to sharing information with other health care providers but if this limits your treatment options we will tell you. There are two main types of opt-out.

Type 1 Opt-Out

If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 Opt-Out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’.

For further information about Type 2 Opt-Outs, please contact NHS Digital contact centre at referencing ‘Type 2 Opt-Outs – Data Requests’ in the subject line; or call NHS Digital on 0300 303 5678; or visit the website .

If you wish to discuss or change your opt-out preferences at any time please contact the Practice Manager. For more information about who our partner organisations are and how your data is used please see the privacy notice on our website or ask at reception for a copy.

Access to your information

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Under the GDPR, individuals will have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

Will I be charged?

We will provide the information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee must be based on the administrative cost of providing the information.

How do I request the information?

In all cases we would need to verify your identity to ensure that we are releasing information safely to the correct person. Verification may be done either verbally to a member of staff that can confirm your identity or in writing via signed consent.

How long will I have to wait?

Information must be provided within one calendar month of receipt of the request. We may need to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we would inform you within one month of the receipt of the request and explain why the extension is necessary.

How will I receive the information?

You will be provided with paper copies which we can post to the address we hold on your medical record or you can collect from the surgery (you will be asked for photo ID if you opt to collect).

Change of Details

It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details are incorrect in order for this to be amended. Please inform us of any changes so our records for you are accurate and up to date.

Mobile telephone number

 If you provide us with your mobile phone number we may use this to send you reminders about your appointments or other health screening information. Please let us know if you do not wish to receive reminders on your mobile.


 The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. We are registered as a data controller and our registration can be viewed online in the public register at:

Any changes to this notice will be published on our website and in a prominent area at the Practice.


If you have concerns or are unhappy about any of our services, please contact the Practice Manager. For independent advice about data protection, privacy and data-sharing issues, you can contact: The Information Commissioner Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Phone: 0303 123 1113  Website:

Further Information

Further information about the way in which the NHS uses personal information and your rights in that respect can be found here:

The NHS Care Record Guarantee

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under the Data Protection Act 1998.

The NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to.  These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.

NHS Digital

NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.