GDPR & Privacy Notice


The Data Protection Act 2018 (DPA) and GDPR require a clear direction on policy for the security of information held within the practice and provide individuals with a right of access to a copy of information held about them.

Heathcote Medical Centre [“the Practice”] is a term used in this document to describe an NHS general practice operating under contract with NHS England and Surrey Downs Commissioning Group.

The practice understands that with the advent of modern technologies and in particular “social media type communications” the emphasis of data processing needs to be refocused to a default of protection and move forward only when disclosure is of benefit to the subject.

The contract is a GMS Contract.

The data controller is Heathcote Medical Centre.

The practice needs to collect personal information about people with whom it deals in order to carry out its business and provide its services.  Such people include patients, employees (present, past and prospective), suppliers and other business contacts.  The information we hold will include personal, sensitive and corporate information.  In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law.  We are also required by certain laws to disclose certain types of data to other organisations on a regular basis including NHS Digital or Public Health England or NHS England or Surrey Downs/Surrey Heartlands CCGs.  We are also required by certain laws to disclose certain types of data to other organisations such as CQC or the General Medical Council. We also participate in some research and our practice is part of the Surrey Care Record. Relevant Privacy Notices are held.

No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the DPA.

The lawful and proper treatment of personal information by the practice is extremely important to the success of our business and in order to maintain the confidence of our service users and employees.  We ensure that the practice treats personal information lawfully and correctly.

This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.

Data Protection Principles

We support fully and comply with the eight principles of the Act which are summarised below:

  • Personal data shall be processed fairly and lawfully.
  • Personal data shall be obtained/processed for specific lawful purposes.
  • Personal data held must be adequate, relevant and not excessive. In particular we would highlight that data within a referral document or a letter to, e.g., an insurance company, is restricted to data which is relevant to that communication. The automatic inclusion of past medical history must be checked for relevance.
  • Personal data must be accurate and kept up to date.
  • Personal data shall not be kept for longer than necessary.
  • Personal data shall be processed in accordance with rights of data subjects.
  • Personal data must be kept secure.
  • Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection.

Employee Responsibilities

All employees will, through appropriate training and responsible management:

  • Comply at all times with the above Data Protection Act principles
  • Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information
  • Understand fully the purposes for which the practice uses personal information
  • Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the practice to meet its service needs or legal requirements
  • Ensure the information is correctly input into the practice’s systems
  • Ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required
  • On receipt of a request from an individual for information held about them by or on behalf of the practice, immediately notify the practice manager
  • Not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian / IG Lead
  • Understand that breaches of this Policy may result in disciplinary action, including dismissal

Practice Responsibilities

The practice will:

  • Ensure that there is always one person with overall responsibility for data protection. From November 2018 this person is Tracey Murphy, who should be contacted with any questions about data protection.
  • Maintain its registration with the Information Commissioner’s Office
  • Carry out (since 25/05/2018) a Data Protection Impact Assessment before the introduction of any new software or systems that may impact on data protection
  • Ensure that all subject access requests are dealt with as per our Subject Access Request policy
  • Provide training for all staff members who handle personal information
  • Ensure that password change is set up on first login for all staff on all systems
  • Provide clear lines of reporting and supervision for compliance with data protection, and maintain a system for breach reporting
  • Carry out regular checks to monitor and assess new processing of personal data and to ensure the practice’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data
  • Develop and maintain DPA procedures to include: roles and responsibilities, notification, subject access, training and compliance testing.
  • Display a poster in the waiting room explaining the practice policy to patients, together with a copy of the Information Commissioner’s certificate.
  • Make available the form for Subject Access Requests for the information of patients.
  • Take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant. This will include training on confidentiality issues, DPA principles, working security procedures, and the application of best practice in the workplace.
  • Ensure that, with the increasing use of secure email to send referrals and clinical correspondence, staff remain vigilant that any email recipient is secure and, if the address is not a known encrypted one, that its security is verified by telephoning ahead.
  • Ensure that doctors check included material for sensitive information, to prevent the accidental inclusion of data which is superfluous or irrelevant to the enquiry, referral or correspondence.
  • Exercise prudence in the use and testing of arrangements for the backup and recovery of data in the event of an adverse event.
  • Maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.
  • Include DPA issues as part of the practice general procedures for the management of risk.
  • Ensure confidentiality clauses are included in all contracts of employment.
  • Ensure that all aspects of confidentiality and information security are promoted to all staff.
  • Remain committed to the security of patient and staff records.
  • Ensure that any personal staff data requested by the CCG or NHS (e.g. age, sexual orientation and religion) is not released without the written consent of the staff member

Signed: T Murphy – Information Governance Lead & Practice Manager

  • Date: 07.02.17
  • Reviewed Oct 18 RG
  • Date of next review Oct 19
  • Reviewed September 18 RG
  • Reviewed Oct 18 RG
  • Date 21.3.19
  • Reviewed March 2019
  • Reviewed March 2020
  • Date of next review March 2021