General Data Protection Regulation (GDPR)




The UK General Data Protection Regulation (UK GDPR) is the legislation that replaced the Data Protection Act 1998 (together with the Data Protection Act 2018, which supplements it).  It applies to organisations that process personal data about individuals in the UK, wherever in the world that processing takes place.

The UK GDPR is similar to the Data Protection Act (DPA) 1998, but enhances many of the DPA’s principles.  As a health provider we process information under Article 6(1)(e) (processing necessary for a task carried out in the public interest or in the exercise of official authority) and Article 9(2)(h) (processing of special category data necessary for the provision of health or social care).



What is ‘Patient Data’?

Patient data is information that relates to an identifiable individual and is stored by the practice.  It contains information such as your diagnosis, name, age and full medical history.


What does ‘Consent’ mean?

Consent is permission from you as an individual and is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

This means that when you join the practice and complete our registration form you are agreeing to us processing your medical record for the purpose of your healthcare.  Our lawful basis for that processing is Article 6(1)(e) and Article 9(2)(h), as set out above, rather than consent alone.



Under the regulations we must ensure that all data is kept fully confidential and we:

  • May ask you for information so that you can receive proper care and treatment.
  • Will keep your information, together with details of your care, because it may be needed if we see you again (continuity of care).
  • May use some of this information for other reasons: e.g., to help us protect the health of the public generally and to contribute to improving the efficiency of the NHS.
  • May need to carry out medical and other health research for the benefit of everyone (in these cases your data will be fully anonymised so no-one will know who you are).
  • Sometimes have to pass on information under the law: e.g., to notify the NHS Central Register for England & Wales (this contains basic personal details of all patients registered with a general practitioner and does not contain clinical information).

What does this mean for you our Patients?

  • We must process data lawfully, fairly and transparently
  • We must only collect data for specific, explicit and legitimate purposes
  • We must limit collection to what is necessary for the purposes for which it is processed
  • Our information must be accurate and kept up to date
  • We must hold your data securely
  • We can only retain the data for as long as is necessary and for the reasons it was collected
  • We must inform you about how we use your data
  • You can have access to your own data
  • You can ask to have incorrect information changed
  • You can restrict how your data is used
  • You can move your patient data from one health organisation to another
  • You have the right to object to your patient information being processed (in certain circumstances)

So why do we need access at the Practice?

We need to:

  • Provide you with health care and treatment
  • Look after your general health
  • Manage and plan within the NHS, e.g. we need to:
    • make sure that our services can meet patient needs in the future
    • pay your doctor, nurse, or other staff, and the hospital which treats you for the care they provide
    • audit accounts
    • prepare statistics on NHS performance and activity (anonymised)
    • investigate complaints or legal claims
    • help staff to review the care they provide to make sure it is of the highest standard
    • train and educate staff (but you can choose whether or not to be involved personally)
    • complete research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to see if you are willing)

Everyone working for the NHS has a legal duty to keep information about you confidential

All our staff sign a confidentiality agreement when they begin work at the practice, but you may also be receiving care from other areas within the NHS.  Therefore, so that we can all work together for your benefit, we may need to share some information about you.

We only ever use or pass on information about you if the recipient has a genuine need for it and it is in your interests and everyone's interests.  Whenever we can we remove details which identify you.  The law strictly controls the sharing of some types of very sensitive personal information.

Anyone who receives information from us is also under a legal duty to keep it confidential.