Brockwood Medical Practice Privacy Notice

PRIVACY/TRANSPARENCY NOTICE - Protecting your Confidentiality

We are a Primary Care General Practice providing a wide range of services including:

  • Patient consultations – GP’s and Practice nurses
  • Chronic disease management
  • Minor surgery
  • Phlebotomy
  • Anticoagulant clinics
  • Dispensing
  • Family planning including antenatal
  • Research
  • Counselling

We have approximately 12,700 patients registered, we have 4 Partners and employ 45 staff across 3 sites; Brockham, North Holmwood and Newdigate.

Your information, what you need to know

This privacy notice explains why we collect information about you, how that information may be used and how we keep it safe and confidential.

  • What information are we collecting?
  • Who collects the data?
  • How is it collected?
  • Why do we collect it?
  • How will we use the data?
  • Who will we share it with?
  • What is the effect on the individuals?

Why we collect information

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.  These records help to provide you with the best possible healthcare.  We collect and hold data for the sole purpose of providing healthcare services to our patients. 

In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services. 

We keep your information in written form and/or in electronic form.  The records may include basic details about you and they may also contain more sensitive information about your health.

Details we collect about you

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g., NHS Trusts, GP Surgeries, Walk-in Clinics, etc).  We keep data on you which will be used to support delivery of appropriate care and treatment and this may include:

  • Details such as your name, address, date of birth, next of kin
  • Any contact the surgery has had with you such as appointments, clinics visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations, such as blood tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you.

Sensitive data relates to genetic data, sexual orientation, race, your religious or beliefs, whether you have a disability, allergies and health records.

Information is collected via you, healthcare professionals and hospital correspondence.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidence and the Data Protection Act 2018.  Information provided in confidence will only be used for the purposes to which you consent to, unless there are other circumstances covered by the law.

The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared.

All our staff undertake annual mandatory training in data protection, confidentiality, information governance.  All our staff are expected to make sure information is kept confidential and safe and they are aware of their personal responsibility. 

Our doctors, nurses and other healthcare professionals are registered, regulated and governed by professional bodies.

NHS health records may be electronic, on paper or a mixture of both.  We use a combination of working practices and technology to ensure that your information is kept confidential and secure.  Information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personal.  Records are backed up securely in line with NHS procedures.

We may be asked to share basic information about you, such as your name and parts of your address which does not include sensitive information from your health records.  We ensure external data processors are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. 

For example, healthcare services, public health or national audits.  We are committed to protecting your privacy and will only use information collected lawfully in accordance with:Data Protection Act 2018

  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2015
  • Public Records Act 1958
  • Records Management Code of Practice Health & Social Care 2016
  • Information Security Management NHS Code of Practice
  • The Care Record Guarantee for England
  • International Organisation for Standardisation (ISO) – information
  • Security Management Standards (ISMS)

Non-NHS organisations may include but are not restricted to; social services, education services, local authorities, the police, voluntary sector providers and private sector providers.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your consent unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

How we use your information

Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

You can object to your personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Occasionally your information may be requested to be used for research purposes. We will always gain your consent before releasing any information for this purpose.

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to: 

·         Improve individual care, diagnosis and safety

·         Help protect the health of the general public

·         Understand more about disease risks and causes

·         Develop new treatments and preventions

·         Plan services and to help us manage the NHS

·         Train healthcare professionals

·         Help with research and audits

·         Provide data on performance

We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function.  We will assume you are happy to for your information to be shared unless you choose to opt-out (see below).

This means you will need to express an explicit wish not to have your information shared with the other NHS organisations; otherwise they will be automatically shared. We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional.

There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued. Our guiding principle is that we are holding your records in strictest confidence.

Your right to object or withdraw consent for us to share your information (opt-out)

We mainly use, store and share your information because we are permitted in order to deliver your healthcare but you do have a right to object to us doing this.

Where we are using, storing and sharing your information based on explicit consent, you have a right to withdraw your consent to personal data being used at any time. 

NHS Digital - National Data Opt Out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘National Data Opt-Out’.   For further information about Opt-Out, please contact NHS Digital Contact Centre at referencing ‘National Data Opt-Out – Data Requests’ in the subject line; or call NHS Digital on (0300) 303 5678.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards off care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, our family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymized data is used for research and planning so that you cannot be identified in which case your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opting-out setting

You can also find out more about how patient information is used at: 

·         NHS Digital:

·         NHS Health Research Authority:

·         Understanding Patient Data:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

NHS Digital - Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England. 

Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with the Practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients.

It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.  The Legal notice under COPI

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

Supporting Locally Commissioned Services
ICBs and Public Health Surrey County Council support GP practices by auditing pseudonymised data to monitor locally commissioned services, measure prevalence and support data quality.  The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.

Your right to correction

If information about you is incorrect you are entitled to request that we correct it.  There may be occasions where we are required by law to maintain the original information.

Who will the information be shared with?

We may need to share information about you with others, subject to strict agreements on how it will be used.  These are the type of organisations we may share your information with:

  • NHS Trusts/Specialist Trusts
  • Private Healthcare Organisations
  • Independent Contractors such as dentists, opticians, pharmacists
  • Primary Care Networks
  • Voluntary Sector Providers
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Ambulance Trusts
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘Data Processors’

 Summary Care Record (SCR)

NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. All patients registered with a GP have a Summary Care Record unless they have chosen not to. SCR contains basic (core) information comprises your allergies, adverse reactions and medications. An SCR with additional information (SCR-AI) can also include reason for medication, vaccinations, significant diagnoses /problems, significant procedures, anticipatory care information and end of life care information.

Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.

Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please contact the Practice.

More information can be found on the NHS Digital website Summary Care Record supplementary transparency notice - NHS Digital.

Clinical Audits
Information may be used for clinical audit to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes. Where we do this we take strict measures to ensure that individual patients cannot be identified e.g. the National Diabetes Audit.

National Registries
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Population Health Management
The GP Practice and the Surrey Heartlands Partnership work with partners to link local data together to make better decisions on the care of our patients.  What this means is that data that is held in GPs, Hospitals and community care can be linked to see what the needs of the local population are. This will help partners improve care for groups of people in the community. This is called a Population Health approach. Whilst the data will be linked, those partners will not be able to identify individuals as any identifiable data will be removed. If there is a need to identify individuals then this can only be done by the GP or other organisation that holds that data.  

To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

We may use other software within the practice as part of our data processing but data is not shared with anyone else and is not stored outside of the practice.

Surrey Care Record
The Surrey Care Record is an Electronic Health Record (EHR) linking system that brings together patient/client’s information across health and care systems in a secure manner, giving a summary of your information which is held within a number of local records.

For more information see:

 You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Clinical Research
Occasionally your information may be requested to be used for research purposes. The practice will always gain your consent before releasing any information for this purpose.  Research organisations ethically approve companies to gather data on their behalf:

Sharing Partners
We have sharing agreements in place with some organisations where we believe this will facilitate care for our patients or where you have provided your explicit consent.  This allows authorised individuals to directly access the electronic records which we hold about you and ensures that those involved in your care, treatment or research study can quickly, easily and securely access the information they need, when they need it.  We have sharing agreements in place with:

Alliance for Better Care (ABC)
The Practice has subcontracted as a Sharing Partner to ABC to provide comprehensive health checks and some vaccinations for Home Office asylum seekers registered at the Practice. The Practice and ABC will have joint data controllership for these patients only. ABC will have access to these patients’ full medical records in order to provide these services whilst the contract remains in place.  Data will be shared when patients are booked in for a health check. Data will be shared based on implied consent to share confidential data. ABC will seek explicit consent at the point of care.

Ardens Ltd
Software used to extract information for reporting purposes onto a secure dashboard, Ardens Manager. Pseudoanonymised, record level data is extracted automatically from the clinical system and uploaded to Ardens Manager dashboard. This is used for reporting rules and output values.

Ash Lane Consultancy
Contracted by Brockwood Medical Practice to accessed prescribing information, extracting Name, Date of Birth, Gender & healthcare coded activity. Data is extracted from the clinical system using unique user credentials onto an encrypted USB drive. On completion of the project the data is securely erased and a certificate of destruction is provided to the practice on request.  The purpose of accessing the data is for conducting an audit on recording Personally Administered items to change and improve accurate recording and to support financial processes.

CHIS (Child Health Immunisation Services)
Scheduling and monitoring for new born screening for immunisation programmes. Lawful sharing of data under Article 6 – necessary for the performance of a task carried out in the public interest and Article 9 – necessary for the purposes of preventative or occupational medicine. The practice is required to report on immunisation status and 6-8 week baby checks. Further information is available through the NHS England South Central & West Commissioning Support Unit’s privacy notice. 

DHC – Enhanced Access Clinics
As part of Dorking Primary Care Network (PCN) we are able to offer Enhanced Access appointments to patients outside the core contract hours of 8.00am to 6.30pm. Clinics are available Monday to Friday 6.30pm to 8.30pm and Saturday 9.00am to 5.00pm. These clinics are staffed by members of the Dorking PCN and this may be by clinicians who work outside the Practice or the clinics may be held at another Practice. By accepting an appointment for one of these Enhanced Access clinics the patient is consenting for their record to be shared with DHC in order to ensure clinical safety so the clinicians can provide the appropriate treatment. Access to the clinical system is limited to NHS pass worded identity service card.

GPimhs (GP Integrated Mental Health Service)
In joint control with Surrey & Borders Partnership NHS Foundation (SABP) to provide mental health services to deliver support to patients within the Dorking Primary Care Network within the GP practice buildings and community from a Mental Health Practitioner, Consultant Psychiatrist, clinical lead, pharmacist and GPimhs administrator employed by SABP. Access to patient records will be granted through the secure clinical system, TPP SystmOne with the knowledge of the patient to support the provision of direct patient care.

LumiraDx (INRstar)
LumiraDx is point of care software that allows the Practice to manage anticoagulation monitoring on a safe and effective basis. It supports the induction, dosing and review of all anticoagulant patients. Access to this system is via authorised username and password connected to the HSCN (N3).  LumiraDx privacy notice can be found at

The data extracted from the practice is de-identified pseudonymised data (removal of name, date of birth, address, contact information, NHS number) is stored on their database.   The OPC Research Database is approved by NHS Health Research Authority and only provides anonymised data for ethically approved, scientific and exploratory research to help improve patient outcomes.  Research data is anonymised in accordance with the Information Commissioner’s Anonymisation Code of Practice.

Nova Solutions
Nova Solutions processes clinical correspondence into patient medical record ensuring it is accurately coded and any actions are forwarded to the appropriate clinician.  The work is regularly audited and the company does not store any information. Persons processing the data are given secure access to the practice clinical system in order to do so.

St Catherine’s Hospice
Personal information is shared with other secondary care trusts and providers of care in order to provide the patient with direct care services. This could be hospitals or community providers for a range of services, including treatment, operations, physio and community nursing, ambulance service.

The process of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 1 (e) direct care and 9 2 (h) to provide health or social care: In some cases patients may be required t5o consent to having their record opened by the third party provider before patients information is accessed. Where there is an overriding need to access the GP record in order to provide patients with life saving care, their consent may not be required.

Supporting Medicines Management
ICBs support local GP practices with prescribing queries which generally do not require identifiable information. ICB pharmacists work with the Practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and cost-effective.

Surgery Connect (telephones) – Southern Communications
All inbound and outbound calls to the practice are recorded for training and monitoring purposes. Patients are informed on a phone message when calling into the practice. A call can be terminated or recording paused on request. Call recording is not saved to the patient record but stored securely on the Surgery Connect dashboard.  Recordings on the Surgery Connect dashboard are retained for 36 months.  Access to the dashboard is via authorised username and password connected to the HSCN (N3). Access to call recordings within the practice can only be accessed by Admin Supervisor level allocated to management. Southern Communications privacy notice can be found at Privacy Policy | Southern Communications (

Risk Stratification
Risk Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services.

 Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness, i.e. diabetes, heart disease, risk of falling. Information about you is collected from a number of sources including NHS Trusts who link our records to other records that they access such as hospital attendance records.  This shared information enables other healthcare workers to provide the most appropriate advice, investigations and treatments.

Access to your information
Under the new General Data Protection Regulation (GDPR) 2018 everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data.

 Every patient can have access to their medication records on-line but if you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld. If you wish to have a copy of the information we hold about you, please contact the Practice.

Data Protection Officer
If you wish to discuss or exercise any of your rights, please contact the Practice directly in the first instance:

Liz Spreadbury, Practice Manager
Tel: 01737 843259
Brockwood Medical Practice
Tanners Meadow
Surrey  RH3 7NJ

 Alternatively, the Practice’s Data Protection Officer can be contacted directly.

 Every Practice is required to have a Data Protection Officer, responsible for overseeing data privacy compliance and manage data protection.  Our Data Protection Officer is:

Adam Spinks, Surrey Heartlands Primary Care Data Protection Officer Service, Tel: 0203 887 6923

Change of details
It is important that you tell the Practice if any of your details such as your name or address have changed or if any of your details are incorrect in order for this to be amended.  Please inform us of any changes so our records for you are accurate and up to date.

Mobile numbers & email addresses
If you provide us with your mobile phone number/email address, we may use this to send you reminders about your appointments, other health screening information or to make an appointment for a review.  Please let us know if you do not wish to receive reminders on your mobile and/or email address.

Complaints, Compliments & Feedback
If you have a complaint, compliment or feedback you would like to share with the practice you can submit information to Practice contact above or via our website: through the Feedback, Compliments and Complaints section. 

Further information
Brockwood Medical Practice is registered with the Information Commissioners Office (ICO).  Our registration can be viewed online at