General Data ProtectionPolicy

The GDPR is Europe's new framework for Data protection laws- it replaces the previous 1995 data protection directive, which current UK law is based upon.

What is a Privacy notice?

This Privacy notice explains how we as a practice collect information about our patients and how we use this information. Providing you with a privacy notice is our way of stating our commitment to following confidentiality rules.

What is GDPR?

The GDPR is Europe’s new framework for Data protection Laws it replaces the old Data protection 1995 directive.

Data Controller

Gough Walk Practice is a Data controller for the data they hold on patients

Data protection officer

Meher Hossain
Address: 21 Newby Place, London E14 0EY
Telephone: 0207 515 4701

What kind of Data is held by the practice

The principles in the guidance apply to Doctors working in private practice or other NHS healthcare settings.

The GDPR applies to ‘personal data’. This means data which relate to a living individual who can be identified from these data, or from these data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

Data can be in form of electronic or paper. Stored data includes:

  • Details about you such as name, address, carers legal representative and next of kin details
  • Treatment about your care
  • Results of your investigations Lab test, X-rays
  • Summary of active and past problems, medication scripts
  • Relevant information about you from other healthcare professionals
  • Any contact surgery has had with you such as appointments, clinic visits and emergency

The purposes for processing the data and the legal basis for processing the data

Consent for your medical record information will be requested for

  • Consent to share out- allow records from service to be added to your shared record.
  • Consent to share in- allows staff to view all information in your record for example extended walk-in clinics, cerner.

The Practice will share data on the basis for reasons in Articles 6 (1) and 9(2) Other legal bases when processing for reasons other than direct care might.

  • ‘...for compliance with a legal obligation…’ (Article 6(1)(c)) and Article 9(2)(h) ’…management of health or social care systems…’;
  • for medical research the lawful basis and special category condition are Article 6(1) (e) ‘…for the performance of a task carried out in the public interest…’ and Article 9(2)(j) ‘…research purposes…’;
  • To improve patient safety

Consent has been explicitly provided personally for specified purposes.

So how do we protect your information

We are committed to ensuring confidentiality of your information. There are a number of ways in which we do this.

  • Staff receive annual training about protecting and using personal data
  • Policies in place for staff to follow
  • We use smart cards to access systems ensuring right people access data
  • We use encrypted emails
  • We do not send your data outside of the EEA

Our Partner Organizations

We may share your information subject to strict agreement how it is being used with following types of Organizations:

  • NHS and specialist hospitals and Trusts, CCG
  • for clinical audits, information is anonymized
  • independant contactors optician, pharmacist and dentist’s, podiatrists
  • Ambulance trusts
  • Social services
  • Fire and rescue
  • Police
  • Other Data processors
  • Private clinic and voluntary charity sector providers offering service
  • Education services schools

Unless you explicitly wish not to have your information being shared with other NHS organizations.

The rights you have as a patient

Since 25th May 2018 you as a patient now have more explicit rights as the ‘data subject’ under the new Data protection rules.

The rights are summarized below:

  • Right to be informed
  • Right of access-
  • Right to rectification
  • Right to object
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right not to be subject to automated decision-making

For more information please visit the website:

Risk Stratification tool

The risk stratification is process for classifying and managing patients who are mostly likely to need hospital or other healthcare services. The tool used in NHS to help determine someone’s risk of suffering particular condition and enable us to prevent ill health. Information is collected from a number of sources. Section 251 of MNHS act 206 provides a legal basis to process data for risk stratification purpose.

Please follow this link for more information:

If you decide you do not want to be included in the risk stratification programme, please let us know.

Sources of information shared with third parties

Individual Funding Request

Information maybe shared in the request for individual funding requests. This request made for funding of specialised healthcare.

Invoice Validation

We can use your NHS number to check whether your care has been funded through specialist commission, which NHS England will pay for. Section 251 of NHS act 2006. Which provide a statutory legal basis to process data for invoice validation purposes.


In cases for Adult and children safeguarding matters, access to identifiable information will be shared in some limited cases. Where it is legally vital for safety of individuals concerned

Cabinet office

The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Mobile numbers and Email addresses

If you provide us with your mobile we will carry on sending you appointment reminders and notifications about your health i.e. flu invite, smoking cessation. As this is not a form of marketing GDPR isn’t applicable here but you are free to opt out of receiving texts. There maybe instances in future we could email for patient feedback or Patient participation group meeting invites etc.

Change of details

It is important you tell the person treating you if any of your information has changed for example your address, your name and contact number or be it your date of birth is wrong on our system. You have a direct responsibility to inform us of any such changes on your record to keep it current and accurate.

Subject Access request

As a patient the Data protection law provides you with different rights.

The right to a copy of information is held about, which is the subject access to records, this is now free. You have the right to rectification of your record if anything is incorrect you can request for it to be corrected.

A reasonable fee can be charged if the request is manifested unfounded or excessive. The practice must handle (SARs) in 30 working days. If it takes longer because of complications the subject will be informed.

Should you wish to make a ‘subject access request’ please contact the Practice in writing.

For the Attention of Information officer, Gough Walk Practice, 21 Newby Place, London E14 0EY


You have the right to make a complaint if you are unhappy with our services. Please contact the practice manager.

Opting out from sharing

The national data opt out replaces type 2 opt out

Type 2 opt-outs are those opt-outs recorded on the patient record to prevent NHS Digital sharing confidential patient information for research and planning.

For more information contact
Referencing National Opt-Outs – Data Requests’ in the subject line; or call NHS Digital on (0300) 303 5678; or visit the website


To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Retention period

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:


Gough Walk Practice is registered with the ICO to describe the purposes for which they process personal and sensitive information. We are a registered Data Controller and our registration can be viewed online in the public register at:

For advice about Data protection privacy and data sharing issues you can contact information commissions office Wycliffe house, Water lane Wilmslow, Cheshire SK9 5AF or contact:
0303 123 1113 Website address:

Further information about the way in which the NHS uses personal information and your rights in that respect can be found here:

If you are satisfied with this privacy policy and your data to be extracted for purposes described then you do not need to do anything.

Policy Reviewed
By Practice Manager Meher Hossain
March 2019