GDPR - General Data Protection Regulation Policy and Privacy Notice
What is a Privacy Notice?
This Privacy Notice explains how we, as a healthcare practice, collect, store, and use information about our patients. By providing this notice, we demonstrate our commitment to patient confidentiality and data protection.
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU framework for data protection law. It replaced the 1995 Data Protection Directive. In the UK it applies as the UK GDPR and is implemented alongside the Data Protection Act 2018.
GDPR ensures that your personal data is processed lawfully, transparently, and securely.
Who controls your data?
Data Controller
Crouch Oak Family Practice is the Data Controller for the personal data we hold about our patients.
Data Protection Officer (DPO)
Dr Mohan Kanagasundaram oversees our data protection obligations.
What data do we hold?
We hold data that is necessary to provide you with healthcare services. This includes:
- Personal details (name, address, date of birth, next of kin, carers, legal representatives)
- Details of your consultations, treatments, and care
- Results of investigations (e.g. blood tests, X-rays)
- Records of medication and prescriptions
- Information from other health or social care professionals
- Notes of appointments and communications with the practice
Data is held securely in both electronic and paper formats.
How do we use your information?
We process your data for several reasons, including:
- Direct care: To provide safe and effective medical care.
- Medical research: Where legally allowed and anonymised, or with your explicit consent.
- Clinical audits and quality improvement: To monitor and improve the services we provide.
- Legal requirements: E.g. to comply with safeguarding laws or to validate NHS funding.
- Public health purposes: Such as risk stratification to identify patients at risk and support preventative care.
The lawful bases we rely on are GDPR Article 6(1)(c) (legal obligation), Article 6(1)(e) (public task), Article 9(2)(h) (provision of health or social care) and Article 9(2)(j) (research and statistical purposes in the public interest).
How do we protect your data?
We are committed to keeping your data secure. This includes:
- Staff receive regular data protection and confidentiality training.
- Secure systems and smart cards are used to control access.
- Encrypted email is used when sharing data.
- Your data is not transferred outside the UK or EEA without appropriate safeguards.
Who do we share your information with?
We may share your data under strict agreements with:
- NHS organisations (hospitals, community services, ICBs)
- Ambulance services
- Social services and safeguarding teams
- Pharmacists, opticians, dentists, and other independent contractors
- Private healthcare providers and approved charities delivering care
- Police, fire and rescue services (where legally required)
- Education services (e.g. schools involved in care)
- NHS Digital for payment validation and audits
We only share what is necessary, and where possible, anonymised.
You can choose to opt out of sharing for purposes beyond your direct care.
Your rights under data protection law
Under GDPR and the Data Protection Act 2018, you have rights regarding your personal data. These include:
- Right to be informed: about how your data is used
- Right of access: to see what data we hold about you
- Right to rectification: to correct inaccurate data
- Right to erasure: to request deletion in certain circumstances
- Right to restrict processing: to limit how your data is used
- Right to object: to certain uses of your data
- Right to data portability: to transfer your data to another provider
- Rights relating to automated decision-making: to ensure decisions affecting you are not made by computers alone
For more, visit www.ico.org.uk.
Subject Access Requests (SAR)
You have the right to request a copy of the information we hold about you. This is usually free and we will respond within one month; for complex or numerous requests this period may be extended by up to two further months, and we will tell you if this applies. A reasonable fee may be charged if a request is manifestly unfounded or excessive, or for further copies of the same information.
To make a request, please write to:
For the attention of: IT Manager
Crouch Oak Family Practice, 45 Station Road, Addlestone, Surrey KT15 2BH
Opting out of data sharing
The National Data Opt-Out lets you choose if your confidential patient information is used for research and planning beyond your individual care.
For details visit: www.digital.nhs.uk
Risk stratification
We use NHS-approved risk stratification tools to identify patients at risk of certain conditions, to help provide preventive care. This processing is supported by Section 251 of the NHS Act 2006.
If you wish to opt out of this, please inform us.
More information: NHS England Risk Stratification
Other uses of data
- Individual Funding Requests (IFR): Data may be shared to secure funding for specialised treatments.
- Invoice validation: We use your NHS number to verify services funded by NHS England.
- Safeguarding: We may share identifiable information to protect children and vulnerable adults.
- Data matching by the Cabinet Office: under the Local Audit and Accountability Act 2014.
Communication via SMS and email
We may use your mobile number or email to:
- Send appointment reminders
- Notify you about vaccinations or health reviews
- Invite you to feedback surveys or patient group meetings
You can opt out of these communications at any time.
Keeping your information up to date
Please inform us if your address, phone number, or other personal details change, so we can keep your records accurate.
Retention of your records
Your medical records are kept in line with NHS guidelines. For details on retention schedules, visit:
Records Retention & Disposal Schedule
Registration and oversight
Crouch Oak Family Practice is registered with the Information Commissioner's Office (ICO) as a Data Controller. You can see our registration at: ico.org.uk/ESDWebPages/Search
Complaints or concerns
If you are unhappy with how we handle your data, please contact our Practice Manager.
You can also raise concerns with the ICO:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk