The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Practice, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology solutions to ensure that your information is kept confidential and secure. Records which this practice hold about you may include the following information:
- Details about you, such as your address, carer, legal representative, emergency contact details, next of kin
- Any contact the practice has had with you (the patient), such as appointments, telephone, eConsults, emails submitted by you, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided. Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – if this information needs to be identifiable, the practice will always gain your explicit consent before releasing the information for this purpose.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- Data (Use and Access) Act 2025
- General Data Protection Regulations 2016
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Any visitor to the premises who will or could be exposed to your identifiable information will sign a confidentiality agreement.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Risk Stratification Data Tools
Risk stratification data tools are being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP practice. A risk score is then arrived at through an analysis of your anonymised information using software managed by our clinical system provider and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt-out of your data being used in this way.
NHS OpenSAFELY Service
NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register type 1 opt out with their GP.
Who are our partner organisations?
- Other GP Practices
- NHS England via the General Practice Extraction Service (GPES)
- NHS Commissioning Support Units (including for Individual Funding Requests)
- Independent Contractors such as Dentists and Opticians
- Chemists / Pharmacists, including prescriptions
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Multi Agency Safeguarding Board (MASH) – Safeguarding Adults / Children
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Voluntary Sector Providers
- Private Sector Providers
- Other ‘data processors’ which you will be informed of
Integrated Care Boards (ICB) such as Hampshire & Isle of Wight ICB, including the ICB Pharmacy, Complaints and Significant Incidents teams.
You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required. We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Medicine Management
The practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is provided by pharmacists and Technicians employed by Hampshire & Isle of Wight ICB and / or Mid Hampshire Healthcare. They are bound by the same confidentiality rules as our staff are.
Mid Hampshire Healthcare (MHH)
Mid Hampshire Healthcare is an organisation that operates across the Winchester Rural South Network practices. It offers evening, weekend and bank holiday appointments with a number of clinicians, including GPs, Nurses, Musculoskeletal practitioners or Mental Health practitioners. By booking an appointment with MMH, patients are explicitly consenting to MHH staff accessing their medical records to provide medical care.
From August 2022, any notes recorded via the above staff / services will automatically file back to the practice’s medical record.
Southern Health Support Team
The practice also works alongside Southern Health which employs various community teams (listed below). In order for this team to accurately manage their patient caseload’s care, they have access to patient records via the practice’s clinical system.
- Complex Care Team
- District Nurses
- Frailty Team
- Leg Ulcer Service
- Midwives
Who are our partner software suppliers / businesses?
We use a number of pieces of software and organisations outside of the NHS to facilitate your healthcare and enable our staff to contact you. These are as follows:
| Name | Description | Can employees of the organisation access patient information? | GDPR Statement |
| Trusted Technology Partnership | Telephone system, including call recording via secure cloud-based servers | All the call recordings are recorded onto X-On Health’s cloud-based secure servers. Support staff from X-On Health are able to dial in remotely with the consent of our staff for problem solving. | X-On Health Privacy Policy |
| Trusted Technolgy Partnership | Trusted Technology Partnership | Trusted Technology Partnership support staff are able to remotely dial in with the consent of our staff for problem solving. | Trusted Technolgy Partnership GDPR Policy |
| Microsoft | The practice’s primary PC software is provided and updated by Microsoft. This includes Microsoft Office 365. | Microsoft (including Office 365) is supported via Trusted Technology Partnership as detailed above. | Microsoft Privacy Statement |
| EMIS | Clinical system that holds patient demographic and medical information | The servers and the connection to the practice are encrypted, so EMIS staff are not able to access patient information in this way. EMIS support staff are able to dial in remotely with the consent of our staff for problem solving. | EMIS Group Privacy Notice |
| Anima | Clinical software which holds patient letters and documents | Anima support staff can remotely dial in with the consent of our staff for problem solving. | Anima Privacy Policy |
| eConsult | Provides the platform for online consultations requests | Patient data is encrypted, consultation information is stored in pseudonymised form on eConsult’s servers. | eConsult Privacy Notices |
| accuRx | SMS system between the practice and patients Assists with the management of our recalls and screening of our chronic disease patients | Patient’s EMIS (clinical system) numbers are uploaded to the accuRx website. This website has an encrypted link to the patient database which is interrogated for the patient’s name and mobile number. accuRx employees would only have access to this identifiable information when troubleshooting – they will sometimes dial into a Twyford Surgery staff member’s PC with the consent of the member of staff to fix a problem. Our appointment reminder system is managed via accuRx. An SMS reminder is sent via accuRx’s system prior to your appointment, as detailed above. accuRx also provides our COVID-19 vaccine appointment system. | accuRx Privacy Policy |
| Ardens | Ardens provides the practice with various supporting tools, including searches / audits, referral documents and patient protocols | Ardens support staff are able to dial in remotely with the consent of our staff for problem solving. | Ardens Privacy Policy |
| Restore Medical Record Storage & Datashred | Store the practice’s Lloyd George (medical records) off site Shred paper on which is printed patient or other confidential data | Representatives comes to the practice and delivers requested / collects the medical records at the Practice’s request. Representatives comes to the practice and collects our shredding bins full of paper. This is then disposed of off-site. | Restore Datashred Privacy Policy |
| Edenbridge Health Care | Edenbridge provide the practice with the Apex GP Practice software which enables practices to review their appointment data | Edenbridge support staff are able to dial in remotely with the consent of our staff for problem solving. | Edenbridge Health Care Privacy Policy |
| Dragon Dictate (Nuance) | Dictation software used to assist staff when dictating into a PC | Nuance support staff are able to dial in remotely with the consent of our staff for problem solving. | Nuance Privacy Policy |
| Royal Mail | Royal Mail is an external mailing agency which we use to send individual letters | All letters / parcels are sealed in a labeled envelope. Royal Mail staff will only have access to the contents of these letters / parcels as per their privacy policy. | Royal Mail Privacy Policy |
| InHealth | Manage recall and screening of diabetic patients for diabetic retinopathy | The Diabetic Eye Screening Programme is operated by InHealth (commissioned by NHS England). This supports invitation for eye screening and ongoing care. This data may be shared with any Hospital Eye Services a patient is under the care of to support further treatment and with other healthcare professionals involved in patient care. | InHealth DESP Privacy Notice |
| Numed | Numed provides software and support for our ECG machine | Numed support staff can remotely dial in with the consent of our staff for problem solving. | Numed GDPR Statement of Compliance |
| Engage Health Systems | Engage Health Systems provide our patient check-in screen located in the reception area | Engage Health Systems support staff can remotely dial in with the consent of our staff for problem solving. | Engage Health Systems Privacy Notice |
| iGPR | iGPR is a software tool that assists us with creating patient reports, such as Subject Access Requests (SARs) as well as insurance and solicitor reports. | iGPR staff have no access to patient information as it is fully encrypted whilst being transmitted to the insurer. | iGPR Privacy Policy |
| WorldPay | WorldPay process the practice bank card or online bank payment for any private related work | WorldPay staff have no direct access to patient information, other than any demographic information added to an invoice. | WorldPay Privacy Policy |
| eMED3 (fit / sick note) | Department of Work & Pensions (DWP) uses fit note data to inform policy development. | This data is anonymously shared with the DWP. DWP does NOT have access to the practice’s clinical systems. | DWP Patient Information |
| NHS Prescription Services (Business Service Authority) | Certain prescriptions are sent to the NHS Prescription Services on a monthly basis in order for the NHS to reimburse practices for the use of NHS funded medication / appliances | The NHS Prescription Services team will have access to these prescriptions and will handle / store this data as per their privacy policy. | NHS Prescription Services Privacy Notice |
| University Hospital Southampton NHS Foundation Trust | UHS will be overseeing the local NHS Lung Health Check programme for our patients | UHS will invite those eligible patients as advised by the Practice. | UHS NHS Lung Health Check Programme |
| NHS Digital | General Practice Data for Planning and Research (GPDPR) | NHS Digital collects a cariety od fata to help improve services. | NHS Digital Privacy Notice |
| MDU / MPS / MDDUS / NHS Resolution | Indemnity organisations | We will sometimes send by email or discuss by phone identifiable information when the organisation is supporting a GP in a patient complaint or litigation. Information will be redacted where possible. | MDU Privacy Policy MPS Privacy Notice MDDUS Privacy Notice NHS Resolution: How We Use Your Data |
| Datix | Datix is used to anonymously record and inform the ICB of Significant Incidents that may occur | This system is managed by Hampshire & Isle of Wight ICB. | Datix Privacy Policy |
Access to personal information / Subject Access Requests
You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the practice holds about you (the patient – data subject) and to have it amended should it be inaccurate. In order to request this, you need to do the following:
- Your request should be made in writing to the GP practice, this can be made by email or letter (note for information from the hospital you should write directly to them).
- We will initially offer you online access to your Detailed Coded Record. This contains your electronic medical record and summarised paper record. It does not contain any letters from the hospitals or other attachments on your record. The advantage of applying for access to this record is that it updates as your medical record updates, so you will always have the most current information.
- If the Detailed Coded Record is not adequate for your needs, we will process a copy of your medical record, usually via email. If you are not able to receive an email containing your medical record, you will print a copy for yourself. There may be a charge to have a printed copy of the information held about you if the administrative burden of photocopying and printing is excessive.
- We are required to respond to you within a month. However, if there is a delay due to unforeseen circumstances, you will be promptly notified of this.
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
- If you are collecting this request in person, you may need to show photographic ID in order to obtain your request.
Objections / Complaints
Should you have any concerns about how your information is managed at the GP, please contact the Practice Manager via the contact us page or via a letter for the attention of the Practice Manager.
If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner’s Office (ICO) www.ico.org.uk, [email protected], telephone: 0303 123 1113 (local rate).
If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the practice.
Cookies
Our practice website uses cookies to function correctly. You may delete cookies at any time but doing so may result in some parts of the site not working correctly.
Change of Details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
Information Commissioner’s Office (ICO) Registration
The General Data Protection Regulations 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioner’s Office (ICO) website www.ico.org.uk
The practice is registered with the Information Commissioner’s Office, registration reference Z6174736.
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential, is Twyford Surgery.
If you are still unhappy following a review by the practice, you can then complain to the Information Commissioner’s Office (ICO). www.ico.org.uk, [email protected], telephone: 0303 123 1113 (local rate).
Who is the Data Protection Officer?
As a public authority, we have to appoint a Data Protection Officer (DPO). The DPO details for Twyford Surgery are detailed below. They assist us in monitoring internal compliance, provide advice regarding Data Protection Impact Assessments (DPIAs), and help us demonstrate compliance with an enhanced focus on accountability.
E-Mail Address: [email protected]