GPDR

GPDR General data protection regulation

The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.  The regulation applies from 25 May 2018, and will apply even after the UK leaves the EU.

The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are: 

• Practices must comply with subject access requests 

• Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous 

• There are new, special protections for patient data 

• The Information Commissioner’s Office must be notified within 72 hours of a data breach 

• Higher fines for data breaches – up to 20 million euros 

We are required by law to provide you with information on how we use your data. There is a highly detailed privacy notice available from the following link privacy notice, but this simplified notice is provided for clarity. This notice was last updated 14th April 2025. 

What is ‘Patient Data’? 

Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc 

Who are we?

We are the West Green Surgery. We provide medical services to you as a patient as part of the NHS.

Address: 590-598 Green Lanes, London, N8 0RA

Email: westgreensurgery@nhs.net

Telephone: 02088819606

Website: www.westgreensurgery.co.uk

Data Protection Officer

The practice is required by law to have a Data Protection Officer. The contact details are:

Name: Steve Durbin

Email: Dpo.Ncl@nhs.net

Address: Please use the practice address above, marking “For the attention of the Data Protection Officer

Purposes of Processing, Legal Basis, Types of Data

We process data to carry out our role as your General Practitioner in providing you with healthcare.

The legal basis for this purpose is provided by the various NHS and social care acts. The Data Protection Act 2018 section 8 allows us to process data for these purposes. This provides a legal basis for processing under the UK GDPR Article 6 1(e) – task in the public interest.

For special category data, the Data Protection Act section 10 applies (health and social care purpose) and hence UK GDPR Article 9 2(h) – provision of health and social care. There are additionally some situations where other provisions are used; these are given in more detail in the full notice.

The types of data we keep relate to your health and care. These include both personal identifiers (e.g. your name, NHS number) and special category personal data (e.g. your health conditions). Further details are provided in the full notice.

Recipients of Your Data 

We share data with other health and social care providers in order to provide you with care. You can opt out of this sharing, but this may affect your care. See the full privacy notice for details.

We are additionally required to supply data to other parts of the NHS for commissioning and audit purposes, as well as to provide information that’s used in the NHS App.

We share data for research purposes, and for health and care planning. You again can opt out of these purposes; this will generally not affect you individually, but will mean that research and planning may not take into account needs of people such as yourself. See the full privacy notice for details.

Transfer to Other Countries 

We do not store or transmit your data outside of the UK unless this is either:

a) Required for your care and you have consented to this

b) Covered by a formal contract with a system provider to the NHS ensuring your data is not used for any purposes not in this notice and compliant with the UK GDPR; or

c) We are required to under international law

We do not sell your data.

How Long Will You Keep My Data?

This depends on a number of factors such as how long you stay with our practice and the type of data. Generally, when you leave our practice, your data is transferred to the new practice or to central records; we retain access to the data up to when you left our practice for medico-legal reasons and only access it for a complaint, clinical audit purposes or we are required to do so by law. Full details of how long different types of data are held can be found in the NHS Records Management Code of Practice 

Your Rights

You have the right to:

· Receive a copy of your data (Subject Access Request)

· Have your data corrected, erased or restrict processing

· Complain to our Data Protection Officer or the supervisory authority (the Information Commissioner) about our use or handling of your data

If you wish to exercise your rights, please contact the practice in the first instance - details below. You can also contact the Data Protection Officer if you prefer – details are again given above, or you can contact the Information Commissioner (ICO) – details via their website at https://ico.org.uk.

Provision of Data

It is not generally a legal requirement for you to provide us with data – however if you do not do so we may be unable to provide you with treatment. For more detail see the full privacy notice. 

Automated Decision Making

We use various tools to simplify care and ensure that you get the best care possible.

Some of these have a degree of automation, for example, where a regular test is recommended for a health condition you have, or you are in a particular age and gender range and have not had a recommended screening test, we will have an automated list that flags you to be contacted. These recalls are automated, but it’s up to you to book an appointment; no action is taken beyond contacting you.

NO decisions on your care are taken without human intervention.

• We can only provide you with information we hold. This will mostly consist of data that has been entered into the GP record by West Green Surgery or GP practices that you have previously been registered with (provided with have been sent these records).

• If you wish to obtain the reports or images for scans or investigations organised by hospital departments / clinics please make a separate Subject Access Request directly to the Hospital in question. Typically the only information sent to Practices after a hospital attendance is an outpatient clinic letter or discharge summary. These are typically also sent to or provided to the patient therefore we are unlikely to hold additional information relating to activity occurring outside of the Practice.

• If there is significant third party information held within your medical record we are legally required to redact this information.

• We are only able to provide information through the “Patient Access” if it is already currently part of your electronic medical record. If the record contains third party information it may not be possible to provide the record via Patient Records Access App like NHS App/Patient Access- in this situation a PDF of the redacted dataset will be sent via e-mail (even if the preference was for this information to be accessed through channel)

• We are required to not share information that can potentially cause harm to a patient or others.

• We are not able to retrospectively change or remove data already held within the medical record unless it is obviously incorrect (e.g. if it related to a different patient). Diagnoses are by definition an opinion. In cases where a diagnosis has changed or a patient disagrees with a diagnosis the Information Commissioner’s Office confirms that the “right to rectification” does not apply. The medical record has to be a contemporaneous record of opinion. Therefore if a diagnosis has changed we have to retain both the original diagnosis and the subsequent correction / change. When a patient disagrees with a recorded entry we can record (in the medical record) this disagreement however it is not possible to amend an entry unless (as above) it is clearly false.

• We will normally respond to a Subject Access Request within one calendar month or receipt. This period commences once we have received the SAR and have confirmed the identity and authority of the applicant.

• We may have to seek further information from the application to clarify details relating to the specific information requested. During this time the one calendar month response time period will be suspended until the required information is received.

• To complete a subject access request please attend reception with 2 forms of identification (e.g passport and utility bill). You will be asked to complete a request form