Data Protection and Confidentiality Policy

Policy Overview

This policy outlines how the Practice manages, protects, and discloses patient information in accordance with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the NHS Code of Confidentiality. Please also see our GDPR - General Data Protection Regulation Policy and Privacy Notice.

The Practice is committed to ensuring that all personal and medical information is handled lawfully, fairly, and transparently. This document forms part of the Practice’s governance and compliance framework and may be updated periodically to reflect changes in legislation, NHS guidance, or internal procedures.

Patients are encouraged to review this policy regularly and to contact the Practice Manager/IT Manager with any questions regarding confidentiality or data protection.

1. Policy Statement

The Practice is committed to maintaining the highest standards of data protection and confidentiality.

All information relating to patients is treated as strictly confidential. This includes clinical details, administrative information, and the fact that an individual is registered with or has attended the Practice.

No information will be disclosed to any third party without the explicit consent of the patient, except where required by law or in circumstances where there is a serious risk of harm to the patient or others.

2. Access to Patient Information

Members of the primary healthcare team, including general practitioners, nurses, administrative, and reception staff, may require access to patient records to perform their duties.

All staff are bound by a duty of confidentiality and are required to comply with the NHS Code of Practice on Confidentiality and the Practice’s internal data protection policies.

All employees receive regular information governance training, and any breach of confidentiality will be regarded as a serious disciplinary matter.

3. Data Controller and Patient Rights

Patients have the right to know who holds and processes their personal data. The organisation or individual responsible for determining how and why data is used is referred to as the Data Controller.

Within the NHS, the Data Controller is typically the General Practice and/or the local NHS Health Authority.

The NHS has a legal and ethical obligation to ensure that all personal health information is processed lawfully, fairly, and securely.

Patients have the right to:

• Access their personal information.

• Request rectification of inaccuracies.

• Withdraw consent for specific uses of their data (where applicable).

• Be informed about how their information is collected, used, and stored.

Requests to access personal data or to exercise any of these rights must be submitted in writing to the IT Manager/Practice Manager.

4. Consent and Third-Party Requests

Practice staff are not authorised to discuss any aspect of a patient’s medical record, registration status, or attendance without the patient’s written consent.

Once consent has been received and verified, the Practice may share relevant information with an authorised representative — for example, in relation to a formal complaint or care coordination.

This policy does not apply to patients who already have a legally designated representative or carer responsible for their care.

Patients wishing to grant consent for information sharing must complete a Consent to Share Information Form in person at the Practice.

5. Confidentiality and Patients Under 16

The duty of confidentiality owed to individuals under the age of 16 is equivalent to that owed to any other patient.

A young person under the age of 16 may consult a GP or healthcare professional without parental or guardian involvement if the clinician determines that the young person has sufficient competence and understanding to make informed decisions about their health.

In such cases, advice, treatment, and prescriptions may be provided without parental consent. However, clinicians will encourage young people to involve a parent, guardian, or trusted adult whenever possible.

Where required by law — for example, in cases involving safeguarding or child protection — information may be disclosed to appropriate authorities.

6. Requests from Relatives, Guardians, or Friends

In accordance with this policy, the Practice cannot release any patient information to relatives, guardians, or friends without the patient’s written consent.

We respectfully request that individuals do not seek medical information or submit complaints on behalf of another person unless formal consent has been granted and verified.

Where consent is required, the patient must attend the Practice to complete the necessary documentation before any information can be disclosed.

7. Further Information

For further information regarding this policy, or to exercise any of your rights under data protection legislation, please contact the IT Manager/Practice Manager in writing.

All requests will be processed in accordance with statutory requirements and within the appropriate timeframes defined under the Data Protection Act 2018 and UK GDPR.