Privacy Notice Chertsey Health Centre

This GP Practice is registered with the Information Commissioner’s Office as a Data
Controller and our registration number can be found by searching the ICO Register.

We aim to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you. This Privacy Notice sets out how we will use these records.

Information which we will collect about you

We will collect information which identifies you and which pertains to your physical or mental health or condition, including your;

  • Name, date of birth, contact information and next of kin
  • Medication
  • Gender and ethnicity
  • Allergies
  • Vaccinations
  • Previous illnesses and current health including details of any diagnoses,
    consultations and investigations
  • Notes made during consultations
  • Correspondence between health professionals such as referrals and discharge
  • Results of tests and their interpretation
  • Videotapes, audiotapes and photographs
  • Reports written for third parties such as solicitors and insurance companies

We will collect information directly from you, for example when you register with the practice and attend any appointments. We also receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service.

Purposes for which your information will be used


All health and social care providers have a legal ‘duty to share’ under the Health and Social Care (Safety and Quality) Act 2015. This requires health and adult social care bodies to share information with others where this will facilitate care for an individual. It makes it clear that, unless you object, information can be lawfully shared for purposes that are likely to facilitate the provision of health services or adult social care and that are in an individual’s best interests.

This Practice routinely shares confidential personal data with other health and social care providers when they are involved in your care or treatment. Sharing information in this way is considered to facilitate care for individuals and we rely on implied consent.

We will ask for your explicit consent before we use information which identifies you for purposes that do not directly contribute to, or support the delivery of your care.

We will respect your decisions to restrict disclosure or use of information, except in exceptional circumstances (see Objecting to Sharing below).

Direct Care

All the health care professionals who provide you with medical care will maintain a record of your health and any treatment provided. We use relevant information about you, including information about your health, to support the delivery of your care and treatment.

Some components of direct care may be delivered by non-registered and non-regulated health and social care staff, for example a ‘system administrator’ scanning a report onto our electronic record keeping system.

If you provide us with your mobile phone number, we may use your mobile phone number to send you text messages in relation to appointment reminders, recalls and health campaigns. Please let the practice know if you do not wish to receive text messages from the practice.

Where you have provided us with your email address, with your consent we will use this to send you information relating to your health and the services we provide. If you do not wish to receive communications by email please let us know.

We are always looking to improve the accessibility and availability of our services. If you are seen by a healthcare professional as part of the Extended Access Service, we will share relevant information from your GP record with the healthcare professional who will be seeing you under the Extended Access Service.

We may offer you a remote consultation and use telephone recordings to support these consultations. You will be reminded where call or video recording is in place.

Where appropriate, we will share information about your health needs with the Ambulance Service and 111 Service. Information will only be shared with your consent or where sharing information is considered to be in your best interests. The information will be used to ensure clinicians have access to required information to help make the best decision about your care needs as a result of a call to 999 or 111.

We undertake medicines management reviews which involve reviewing relevant parts of the GP record and identifying potential changes which should be made to the medicine which has been prescribed to you.

We undertake risk stratification for preventative care purposes. This process enables the identification and subsequent management of patients who have or may be at risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops. Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health. If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

If you require a referral, for example to a specialist or to secondary care, we will share relevant information about you with these organisations. We can do this electronically through our IT systems, secure email or by post.

Where required, we can arrange interpretation and translation services to ensure we meet your language and communication requirements. We use a third party to provide this service who are subject to contractual obligations of security and confidentiality.

The Summary Care Record (SCR) is an electronic record which contains information about the medicines you take, allergies you suffer from and any reactions to medicines you have had. It is held on a national database by NHS England. The SCR may be shared with other healthcare professionals and organisations involved with your care. These professionals and organisations may also be able to update the record in order to ensure you are provided with the best possible care.

The Surrey Care Record is an Electronic Health Record (EHR) linking system that brings together patient/client’s information across health and care systems in a secure manner, giving a summary of your information which is held within a number of local records.

You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Our lawful bases for processing your personal data for these purposes are;

  • the processing is necessary for you to perform a task in the public interest or for
    official function
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Vital Interests

There may be situations in which you are unable to provide your consent, for example you become seriously unwell requiring emergency treatment or have an accident requiring emergency treatment. In these situations, if you are unable to give your consent then we may use or share your information in order to protect your vital interests.

National Clinical Audits

We contribute to national clinical audits so that healthcare can be checked and reviewed.

Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.

The results of the checks or audits can show where organisations are doing well and where they need to improve.

The results of the checks or audits are used to recommend improvements to patient care.

The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure – and will be sent to NHS Digital.

We will only share your information for national clinical audits or checking purposes when the law allows.

We participate in the following national clinical audits;

  • National Diabetes Audit
  • National Cancer Diagnosis Audit

For more information about national clinical audits see the Healthcare Quality Improvements Partnership website or phone 020 7997 7370.

Our lawful bases for processing your personal data for these purposes are;

  • the processing is necessary to perform a task in the public interest or for official
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

National screening programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage.

These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.

The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: or you can speak to the practice.

Our lawful bases for processing your personal data for these purposes are;

  • the processing is necessary for you to perform a task in the public interest or for
    official function
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Operational Support from Clinical Commissioning Groups (CCGs)

We receive certain specialist healthcare related services and administrative related support from the Surrey Heartlands CCGs. This assists us in providing the best possible care for our patients. We have robust data sharing arrangements in place with the CCGs.


The Surrey Heartlands CCGs support our practice in reporting and service development activities to support the delivery of key NHS objectives around:

  • Service redesign;
  • Measuring performance and outcomes;
  • Reducing health inequalities;
  • Achieving efficiency savings; and
  • Improving patient safety.

Further information can be found within the EMIS Enterprise Search and Reports Data Protection Protocol.


We use CCTV to ensure the security of property and premises and for the purposes of preventing and investigating crime only. Areas monitored by CCTV are sign-posted with posters.

Our lawful basis for processing your personal data for this purpose is;

  • the processing is necessary for our legitimate interests or the legitimate interests of a third party

National registries

National Registries have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user. The National Cancer Registration and Analysis Service is an example of this.

Complaints, Data Subject Rights Requests and other similar requests

If you wish to exercise your rights under data protection law, we will process the
information to be able to consider the request and provide an appropriate response. If you have instructed an individual or organisation to act on your behalf, we will respond to them providing we have your explicit consent.

In the unlikely event that the practice is subject to legal action or a complaint, we will need to access relevant information in order to investigate and respond. We may also need to share information with our insurance company and solicitors to manage and defend any claims.

Our lawful bases for processing your personal data for these purposes are;

  • the processing is necessary to perform a task in the public interest or for official
  • The processing is necessary for compliance with a legal obligation
  • The processing is necessary for the establishment, exercise or defence of legal claims
  • The processing is necessary for reasons of substantial public interest
  • The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Recipients of your information

Other healthcare organisations

We share information about your health with other organisations who are involved in
providing you with health and social care. For example, if you require a referral to secondary care or a community provider, we will send a referral to them with information about you that is relevant to the referral. If you present at or engage with other health or social care services, we may share information with them in order to support your direct care, for example, 111 and ambulance service, A&E and out of hours, NHS trusts and registered and regulated professionals in care homes.

Friends, Families and Carers

We will share relevant information about you with these individuals where you have
provided your consent or where they are acting as your attorney, deputy or guardian.
We will retain certain information about these individuals such as their name and contact details so that we can share information about your care, in ways that you have agreed.

Local Authority Safeguarding Team

There may be legal situations in which we have to share your information in order to maintain the safety of the individuals concerned. This includes both adult and child
safeguarding and in these situations identifiable information will be shared. There is often a legal requirement to share this information without obtaining consent first.

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.

It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients and allow our practice to receive payment for the services which we deliver.

This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.

More information about NHS Digital and how it uses information can be found at:

Regulatory bodies

We are legally required to support organisations with regulatory functions such as the CQC and the ICO. Where appropriate, we may share information about you with these organisations to evidence compliance or to report an adverse or unexpected incident.

Public Health

The law requires us to share data for national public health reasons, to prevent the spread of infectious diseases or other diseases which threaten the health of the population.

We will report the relevant information to local health protection teams or Public Health England.

For more information about Public Health England and disease reporting see:

Supporting Locally Commissioned Services

Local authorities and CCGs have responsibility for improving the health of the local
population. In this regard, in order for the practice to receive payment for our services, we will share relevant information with these organisations using a statutory permission under Section 251 of the NHS Act 2006 or by sharing information that does not identify you.

Research organisations

We share information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best.

We will also use your medical records to carry out research within the practice.
This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer
    important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations with your explicit consent or when the law allows.

UK Biobank

Where you have provided your explicit consent, we will share information from your GP record with UK Biobank to support medical research.

For UK Biobank, access to these primary care records will substantially enhance the research capabilities of the UK Biobank resource. For example, it will enable certain diseases (such as diabetes and dementia) to be studied in greater depth.

This increase in UK Biobank’s research capability has been endorsed by, amongst others, the Secretary of State for Health, the Chief Medical Officer for England, and the Head of NHS Digital.

Such enrichment will enhance the value of the UK Biobank resource and provide benefit to the research community to improve the prevention, diagnosis and treatment of a wide range of serious and life-threatening illnesses.

UK Biobank have provided the practice with assurance that they will only have access to information relating to patients who have provided explicit consent to participate in the UK Biobank study. This is achieved by UK Biobank providing the practice with unique information relating to its participants (NHS number, date of birth and gender) which we then match to the GP record of relevant participants. Only the matched participant records will be shared with UK Biobank.

The practice will provide the following information to UK Biobank in a secure manner:

  • Appointment dates and attended status
  • Coded diagnoses, symptoms, observations, referrals and associated dates
  • Prescriptions and dates prescribed
  • Lab test results and date the test was performed
  • Immunisation records

Information released by UK Biobank to approved researchers is provided in a de-identified format such that it is not possible for researchers to re-identify any participant.

UK Biobank participants maintain full control, and can withdraw from UK Biobank
unilaterally for any reason at any time by simply contacting UK Biobank directly.
Further information about how your information is used by UK Biobank can be found on their website.

Third party service providers

In order to deliver the best possible service, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure and that they do not use or share the information other than in accordance with our instructions.

Examples of functions that may be carried out by third parties include:

  • IT services and support, including our clinical systems;
  • Systems which manage patient facing services (e.g. our website);
  • Data hosting service providers;
  • Systems which facilitate appointment bookings, electronic prescription services;
  • Document management service; and
  • Interpretation services.

Objecting to Sharing

You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive so please speak to the practice if you have any concerns about the ways in which your information is shared.

Sharing without your consent

There are exceptions to the duty of confidence that may make the use or disclosure of confidential information without consent appropriate. These situations are rare but could include:

  • Sharing your name, address and other demographic information with NHS Digital as this is necessary if you wish to be registered to receive NHS care;
  • Sharing required in the public interest or to protect the public in order to prevent
    and support detection, investigation and punishment of a serious crime or to
    prevent abuse/serious harm;
  • Legal disclosures for example where we have received a court order;
  • Where we are required to support organisations with regulatory functions such as the CQC or the ICO.

National data opt-out

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. To find out more or to register your choice to opt out, please visit

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply


Sharing partners

We have sharing agreements in place with some organisations where we believe this will facilitate care for our patients or where you have provided your explicit consent. This allows authorised individuals to directly access the electronic records which we hold about you and ensures that those involved in your care, treatment or research study can quickly, easily and securely access the information they need, when they need it.

Shared Care Record

Purpose: In order for the practice to have access to a shared record, the Integrated Care Service has commissioned a number of systems, including GP Connect (GP Connect: GDPR information - NHS Digital), which is managed by NHS England, to enable a shared care record, which will assist in patient information being used for a number of care-related services. These may include Population Health Management, Direct Care, and analytics to assist with planning services for the use of the local health population.

Where data is used for secondary uses no personal identifiable data will be used.

Where personal confidential data is used for Research explicit consent will be required.

Legal Basis: Article 6(1)(e), “necessary… in the exercise of official authority vested in the controller”, and Article 9(2)(h), health data, as stated below

Processor: NHS England


All records held by the Practice will be kept for the duration specified by national guidance from NHS Digital, Health and Social Care Records Code of Practice. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially confidential information will be disposed of by approved and secure confidential waste procedures. We keep a record of retention schedules in line with the Records Management Code of Practice for Health and Social Care 2016.

Securing your information

We use various companies and sub-contractors to support our practice. These organisations are trusted partners whom we authorise to use your information in line with our specific instructions.

We require these third parties to provide assurance that they meet the requirements of data protection law and we ensure written contracts are in place where access is provided to your personal data.

We use various technical and organisational controls to protect your information. We will only use information that identifies you where it is necessary and then only the minimum amount of information that is necessary to achieve the purpose will be collected and used.

Access to your information is restricted to individuals on a strict “need-to-know” basis i.e. only individuals supporting the provision of your healthcare can view your information.

Anyone we share your information with, and all practice staff, are legally, contractually and/or professionally bound to keep your information confidential and secure. We undertake regular auditing to check that information is being handled to the necessary standard.

Our staff receive regular training to ensure they understand how to comply with data
protection and confidentiality requirements.

We use secure electronic systems to store your information and where we hold paper
records, they will be protected from unauthorised access and confidentially destroyed
where appropriate.

Your rights

You have various rights available to you under data protection law. These are set out below;

  • Your right of access: You have the right to ask us for copies of your personal
  • Your right to rectification: You have the right to ask us to rectify information you
    think is inaccurate or complete information which you think is incomplete
  • Your right to be informed: you have the right to be told about the collection and use of your information
  • Your right to restriction of processing: In certain circumstances, you have the right to ask us to restrict the processing of your information
  • Your right to object to processing: In certain circumstances, you have the right to object to the processing of your personal data

Requests can be made verbally or in writing although we may ask you to complete a form in order that we can ensure that you have the correct information that you require. You will also need to confirm your identity.

Please be aware that in certain situations we are able to charge a reasonable fee for responding to your request. We will inform you where this applies.

If you have a query about your rights or wish to exercise a right, please contact
The Practice Manager, Kendra Hay.

Online Services

You are able to access online services through this GP practice. This allows you to:

  • Book, check or cancel appointments
  • Order repeat prescriptions
  • See parts of your health record

Change of Details

It is important that you tell the practice if any of your contact details such as your name or address have changed, especially if any of your other contact details are incorrect. It is important that we are made aware of any changes immediately in order that no information is shared in error.

Data Protection Officer

We receive a Data Protection Officer support service from AJ Spinks Limited. You can contact our DPO via the practice: or Chertsey Health Centre, Stepgates, Surrey, KT16 8HZ.

Please mark all correspondence “Private and Confidential- For the Attention of the Data Protection Officer”.

Complaining to the ICO

You have the right to complain to the Information Commissioner’s Office. You can use this link or call their helpline on 0303 123 1113.

Reviews of and Changes to our Privacy Notice

We will keep our Privacy Notice under regular review. This notice was last reviewed in March 2020.