Data Privacy

This privacy notice explains why Greggwood and Speldhurst Medical Group collects information about you, how we keep it safe and confidential and how that information may be used. The policy provides a summary of these issues followed by a section that explains in more detail on why and how we process information in different ways.

Why we collect information about you

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.

We collect and hold data for the sole purpose of providing healthcare services to our patients. In carrying out this role we may collect information about you, which helps us respond to your queries or secure specialist services. We may keep your information in electronic form (and occasionally in written form). The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and information such as outcomes of needs assessments.

Details we collect about you

The health care professionals who provide you with care, maintain records about your health and any treatment or care you have received previously or elsewhere (e.g. NHS Hospital Trust, other GP Surgery, Out of Hours GP Centre, A&E, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

Records which we may hold about you may include the following:

  • Details about you, such as your address and next of kin, emergency contacts and carers,
  • Your home telephone number, mobile phone number, email address
  • Any contact the surgery has had with you, such as appointments, clinic visits, immunisations, emergency appointments, etc.
  • Notes and reports about your health, treatment and care
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you, or information provided to the surgery by you

How we keep your information confidential and safe

All your GP NHS health records are kept electronically. Our GP records database is hosted by EMIS Health Ltd, who is acting as a data processor, and all information is stored on their secure servers in Leeds, is protected by appropriate security, and access is restricted to authorised personnel. We also make sure that data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. We only use your mobile number to text you or email address to email you, regarding matters of medical care, such as appointment reminders. We maintain our duty of confidentiality to you always. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

We are committed to ensuring the security and confidentiality of your information. There are a number of ways in which we do this:

  • Staff receive annual training about protecting and using personal data
  • Policies are in place for staff to follow and are regularly reviewed
  • We check that only minimum amount of data is shared or accessed
  • We use 'smartcards' to access systems, this helps ensure that the right people are accessing data - people with a 'need to know'
  • We use encrypted emails and storage which would make it difficult for someone to 'intercept' your information
  • We report and manage incidents to make sure we learn from them and improve

How we use information about you

Confidential patient data will be shared within the healthcare team at the practice, including nursing staff, admin staff, secretaries and receptionists, and with other healthcare professionals to whom a patient is referred. Those individuals have a professional and contractual duty of confidentiality.

Data Processors

Greggswood and Speldhurst Medical Group (the data controller) use data processors for various reasons including maintaining an electronic patient document, receiving electronic correspondence from other health and social care providers, ensuring correct payments are received, quality monitoring and mandatory data collections.

Referrals for specific health care purposes

We sometimes provide your information to other organisations for them to provide you with medical services. We will always inform you of such a referral and you always have the right not to be referred in this way. These include:

  • NHS Hospital Trusts
  • Specialist Trusts including Mental Health Services
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘data processors’ during specific project work, e.g local GP federation

Data Sharing for Direct care

We share your personal information on national (summary care record) and local data sharing platforms to create care records that would allow healthcare professionals to see information on your medical history if needed in an urgent clinical situation with your consent when possible.

Data Sharing for Secondary Uses

Data is also shared with national organisations and data processors based on national guidelines and law.  This is for purposes that go beyond direct medical care that GP surgeries and other healthcare organisations provide you when you are unwell, or to keep you well. Secondary purposes include healthcare planning, audit, population analytics, research, and commissioning at a local, regional or national level. Often this will include patient identifiable data but sometimes may be anonymised aggregate data.

Your Data Rights to object to sharing of your information

You have the right to object to (or opt-out of) ways by which your information is shared, both for direct medical care purposes (such as the national summary care record or connect care or point of care referrals), i.e. primary uses of your information, or for purposes other than your direct medical care – so-called secondary uses. You cannot object to some of the ways by which your information is disclosed as they are mandated by law.

Details of these purposes are outlined in the patient Data Opt-out Policy, which outlines ways in which you can opt out of certain data sharing agreements. A copy of this can be found on the practice website.

Your right to rectification

You have the right to have any factual inaccuracies about you in your GP record corrected. However, there is no right to have accurate medical records deleted except when ordered by a court of Law.

Accessing your own medical information

You have the right to access your own GP record. Please see the Subject Access Request Policy available our website for further information on the process of accessing you’re your medical information.

Your right to be informed

We provide fair processing information about all data processing activities concerning your medical records, by means of posters, and detailed privacy notices.

Lawful bases for processing and the European Union (EU) General Data Protection Regulations (GDPR)

GDRP is the new European Union privacy law, approved in 2016 jointly by European Parliament, the Council of the European Union and the European Commission. GDPR aims to bring all the EU member states under one umbrella by enforcing a single data protection law. It came into effect as of May 2018.

 You have the right to be informed about the collection and use of your personal data i.e. data processing . This is a key transparency requirement under GDPR. (

In common with all GP surgeries, we rely on “Official Authority” to process personal data using Article 6(1)(e) of GDPR . The other commonly used Articles of GDPR used for the lawful basis of processioning data include Article 9 (2)(h) and Article 6(1)(c) and Article 6(1)(d) and Article 9(2)(b) and Article 9(2)(i) of GDPR –

Article 6(1)(e) Official Authority “…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h)– Provision of Health “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

Article 6(1)(c)– Legal Obligation - “processing is necessary for compliance with a legal obligation to  which the controller  is subject.”

Article 6(1)(d) Vital Interests - “processing is necessary in order to protect the vital interests of the data subject or of another natural person”

Article 9(2)(b) – Employment & Social Security - “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security”

Article 9(2)(i) Public Interest  -“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”

That “official authority” is NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs.

The “supervisory authority” mentioned in all of the above is the Information Commissioner.


The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

We are registered as a data controller and our registration can be viewed here.

Diabetes Prevention Programme

NHS England has commissioned a provider, Xyla Health and Wellbeing, to provide the ‘Your local Healthier You: NHS Diabetes Prevention Programme’ for patients at risk of type 2 diabetes. Once a patient is referred, they will be contacted for a motivational interview with the provider (Xyla) to help them enrol onto the course and to have an opportunity to ask any questions they have at this time, including if you don’t want to enrol in the programme. Xyla Health and Wellbeing is part of the Acacium Group and sometimes, if required and legally allowed, Xyla may share some of your basic details such as your name and contact details with providers who have been identified as suitable to contact you to provide support for you during this programme. Any sharing of your data is done as little as possible, under due diligence and in compliance with applicable laws. For full details on how Xyla would use your data for the diabetes prevention programme, see their privacy notice at: For general information on the national diabetes prevention programme, please visit the NHS England website on this at: 

ACR project for patients with diabetes (and/or other conditions)

The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with to enable them to contact you and send you a test kit.  This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from we will continue to manage your care within the Practice. are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at:


If you have concerns or are unhappy about any of our services in terms of data processing please contact our Practice Manager –

Mrs Mandy Cole

Practice Manager

The Old Bakery

Penshurst Road



For independent advice about data protection, privacy, and data sharing issues, you can contact:

The Information Commissioner Website:

Wycliffe House, Water Lane


Cheshire SK9 5AF

Phone:  0303 123 1113 (local rate) or 01625 545 700 (national rate)