Privacy Policy

How your information is shared so that this practice can meet legal requirements

The law requires Stokewood Surgery to share information from your medical records in certain circumstances. Information is shared so that the NHS or the UK Health Security Agency can, for example:

 

·       plan and manage services;

·       check that the care being provided is safe;

·       prevent infectious diseases from spreading. 

 

We will share information with NHS England, the Care Quality Commission, and local health protection team (or UK Health Security Agency) when the law requires us to do so. Please see below for more information.

We must also share your information if a court of law orders us to do so.

NHS England

·       NHS England is a national body which has legal responsibilities to collect information about health and social care services.

 

·       It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.

 

·       This practice must comply with the law and will send data to NHS England, for example, when it is told to do so by the Secretary of State for Health under the Health and Social Care Act 2012.

·       More information about NHS England and how it uses information can be found at:

https://www.england.nhs.uk/digitaltechnology/connecteddigitalsystems/health-and-care-data/ 

Care Quality Commission (CQC)

·       The CQC regulates health and social care services to ensure that safe care is provided. 

·       The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. 

·       For more information about the CQC see: http://www.cqc.org.uk/

Public Health

·       The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. 

·       We will report the relevant information to local health protection team or the UK Health Security Agency.

For more information about the UK Health Security Agency and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

Data Controller contact details

Stokewood Surgery, Fair Oak Road, Fair Oak, Eastleigh, Hampshire
SO50 8AU

hiowicb-hsi.stokewoodsurgery@nhs.net

023 8069 2000

Data Protection Officer contact details

Information Governance Services

10A Chandos St, London, W1G 9DQ

 

02081067936

Purpose of the processing

Compliance with legal obligations or court order.

Lawful basis for processing

The following sections of the UK GDPR mean that we can share information when the law tells us to.

Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’

Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

In the relevant circumstances, data will be shared with:

·        NHS England.

·        The Care Quality Commission. [Or equivalent body]

·        Our local health protection team or the UK Health Security Agency.

·        A court if we are ordered to do so.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;

  • NHS Trusts / Foundation Trusts
  • GP’s
  • eMBED Health
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

Right to object and the National Data Opt-out

There are very limited rights to object when the law requires information to be shared. 

The National Data Opt-out prevents your confidential information being used for research and planning (subject to a small number of exclusions) but it does not apply when there is a legal requirement to share confidential information. 

For more on the national data opt-out see: https://www.nhs.uk/your-nhs-data-matters/ 

  • You are unable to object when information is legally required: 
  •           under public health legislation 
  •           if the Care Quality Commission needs information for their regulatory functions
  •           by a court.

Right of access and right to correct

You have the right to access your medical record. Please speak to a member of staff if you have an questions.

  • You have the right to correct personal information which is inaccurate or a mistake. Please speak to a member of staff. 
  • We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Access to your personal information

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

  • Your request should be made to the Practice – for information from the hospital you should write direct to them
  • There is no charge to have a copy of the information held about you
  • We are required to respond to you within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located information we hold about you at any time.

What should you do if your personal information changes?

You should tell us so that we can update our records please contact the Practice Manager as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number), the practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Right to restriction of processing

You have the right to ask us to restrict the processing of your personal information in certain circumstances. Please contact us if you would like to make a request.

Retention period

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:

https://transform.england.nhs.uk/information-governance/guidance/records-management-code/

or speak to the practice.

Right to complain

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/  or call the helpline 0303 123 1113

Page last reviewed: 26 June 2026
Page created: 10 October 2022