Privacy Policy

NHS England

Privacy Notice for patients: data protection and confidentiality

The reasons why we collect and use patient data.

We collect data on patients so that we can deliver direct patient care, and this means we can process patient data lawfully under the General Data Protection Regulations 2018 (GDPR). We are therefore known as a Data Controller.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this service holds about you may include the following information, and they are retained until a person dies:

  • Details about you, such as your address, email address, telephone number, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within our services for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested for research purposes. The surgery will always gain your consent before releasing information for this purpose (further detail below).

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation 2018
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All our staff undergo training on data protection.

We will only ever use or pass on health information about you if others involved in your care have a genuine need for it. We will not disclose your health information to any 3rd party without your permission unless:

  • there are exceptional circumstances (i.e. life or death situations),
  • where the law requires information to be passed on (e.g. in the event of a serious crime)
  • in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

We have assigned a Data Protection Officer who has oversight of the handling of information within Kingston Health Centre. They oversee and make decisions on information sharing and are accountable for information risk.

If you wish to contact the Data Protection Officer please contact

Other Data Sharing / Access Projects and Special cases

Direct Patient Care

Often we have to share information for your medical care, such as with a hospital when we refer you or if you attended an urgent care centre. Many of our services also have electronic links with another GP service, hospital, out of hours or community service so they can see the record that we hold, and vice versa, when they are dealing with your medical care directly. Please contact the service if you would like more detail.

Special cases and the Law

The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and the local health protection team (or Public Health England) when the law requires us to do so.

NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  • It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  • This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  • More information about NHS Digital and how it uses information can be found at:
  • NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here.

General Practice Data for Planning and Research

  • This new service replaces existing GP data extraction services on 1st September 2021.
  • It shares pseudonymised data i.e. it will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, full postcode and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
  • The service will collect:
    • data on your sex, ethnicity and sexual orientation
    • clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls, and appointments, including information about your physical, mental and sexual health
    • data about staff who have treated you
  • More information is available here.

Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
  • For more information about the CQC see:
  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to the local health protection team or Public Health England.

For more information about Public Health England and disease reporting see:

National screening programmes

  • The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
  • These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
  • The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at:

Medical Research

Kingston Health Centre shares information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
  • we will also use your medical records to carry out research within the practice.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations only with your explicit consent or when the law allows.

The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits):

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

Article 9(2)(a) – ‘the data subject has given explicit consent…’


Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.

To check the quality of care (clinical audit):

Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

Teaching and training

Kingston Health Centre is a teaching practice. We have doctors and nurses who are completing specialist training in general practice. They are fully qualified doctors/nurses who work under the supervision of a trainer in the practice and within the same frameworks for confidentiality and data protection. Sometimes GP trainees are required to record consultations, either by video or phone, as part of their specialist training. Patients will be asked for their explicit consent for a recording to be made where relevant before the consultation takes place. You are under no obligation to agree and the consultation will take place without a recording if you decline. Where a recording has been made this will be shown to the GP trainer. The recording is made and temporarily stored on the trainee’s confidential electronic training portfolio (Royal College of GPs), which is encrypted and has the highest standards of data protection. It will be deleted when it has been viewed by the trainer.

Recorded consultation information for patients – FourteenFish


We have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice.

Information is only shared in the exceptional circumstances set out above.

Recorded Telephone calls

Patients should be aware that this Practice records telephone calls to and from the practice.

The primary purpose of call recording at our Practice sites is for training and monitoring purposes. This includes the provision of a record of incoming and outgoing calls which can:

  • Identify practice staff training needs
  • Protect practice staff from nuisance or abusive calls
  • Establish facts relating to incoming/outgoing calls made (e.g. complaints)
  • Identify any issues in practice processes with a view to improving them (e.g. to aid workforce planning)

Our Practice will make every reasonable effort to advise callers that their call may be recorded and for what purpose the recording may be used. This will normally be via a pre-recorded message within the telephone system and via signage at the practice.

We lawfully do not require your consent under articles 6(1)(e) and 9(2)(b)(c)(h) of the Data Protection Act 2018; however, you do have the right to terminate the call if you do not wish for the call to be recorded.

The recording will be securely stored within the telephone recording system software, to which strict rules of confidentiality will apply.

The telephone service supplier operates under an approved code of practice for the storage of recorded calls. Calls are stored for a limited period of time.

The practice sites’ data protection registration also covers voice files similarly to other data.

If you need to request a copy of a recording, please do the following:

Make a request in writing to the Practice Manager. The written request must state the following:

  1. The reason for the request
  2. Date and time of the call if known
  3. External number involved
  4. Where possible, the names of all parties to the telephone call
  5. Any other information on the nature of the call

Video Consultations

If either you or one of our clinicians has requested a video consultation, it will be treated as any other consultation you have with your GP. However, you will need to be aware of the following:

Kingston Health Centre takes your privacy and the security of your personal information very seriously and we will ensure that it is kept secure and protected. To ensure the safety of your personal information all communication between the GP and patient devices is encrypted to NHS standards. However, you should be aware that no communication over the internet is 100% secure. If you have any concerns about this, you may request a face to face or telephone appointment. Video consultations are entirely voluntary and are offered to extend the access and provide the patient choice.

The Video Consultation application itself cannot protect users from spyware, so you should always ensure that you have adequate anti-virus/malware protection on any device you use for the video consultation. If you choose to use the Video Consultation solution on your mobile device you should make adequate provision to ensure the security of the device you choose to use.

We will always conduct a video consultation in a quiet, private space, free of interruptions, where others cannot overhear. You are responsible for ensuring that you are in an appropriate environment, and we recommend that you find a quiet, private place to speak to us.

You will be provided with instructions for joining the video consultation. You will be required to provide your consent to the terms and conditions of the service and the invitation in order for you to proceed with the scheduled consultation. If you share an account with other people, such as your family members, they may have access to some information about the consultation. If you are using a public or shared device then you should be aware that some of your personal information may be stored locally on the computer you are using.

Should we seek to record the video consultation we will obtain and document your consent to do so. We will also explain why a recording will help in providing clinical care, who can access the recording, where and how it will be stored securely, how long it will be stored for and how it will be used (i.e. that the recording will not be used for any other purpose except for direct care without the patient’s express permission).

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.

Access to personal information (Subject Access Request)

You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the service – for information from the hospital you should write direct to them
  • There is no charge for this
  • We are required to respond to you within one calendar month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located

Objections / Complaints

Should you have any concerns about how your information is managed, please contact Cassie Hunt, Practice Business Manager. If you are still unhappy following a review by the service, you can then complain to the Information Commissioner’s Office (ICO) via their website.

Opting out of Data Sharing

If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.

If you do not want your personal data to be extracted and to leave the GP practice for any of the purposes described, you need to let us know as soon as possible.

We will then enter clinical codes into your records that will prevent data leaving the practice and / or leaving the central information system at NHS Digital.

Other Useful Sources of Information

A highly recommended source of information for patients that helps explain how your data is used in the health service –

2024 © Kingston Health Centre. All Rights Reserved