GDPR & Statutory Information

General Data Protection Regulations (GDPR)

New rules on Data Protection From 25th May 2018, new rules on Data Protection will come into place across Europe. Detailed below is how we collect, use and protect your personal data. 

Information about you and how we use it

When you come to the surgery, information about you, your medical treatment and family background may be recorded, on paper and computer, to help us care for you. The information is part of your health record and will be kept in case we need to see you again. We hold demographic information (name, address, telephone numbers, data of birth, ethnic origin, family relationships, next of kin and clinical data (diagnoses, family history, allergies, and sensitivities, medication, consultation records, investigations, test results, referrals and letters to and from other NHS Organisations about your care).

Members of the clinical teams looking after you may share your personal health information with each other. This team may include healthcare professionals and support staff.

All NHS staff are bound by law and a strict code of confidentiality, and are monitored by the Surgery’s Caldicott Guardian (Dr Alexander Goodman), who is responsible for ensuring patients' confidentiality is respected. Your confidentiality is very important to us, and we have strict controls in place to protect your information.

Data will be retained only for as long as necessary to provide care for you. Our document retention policy is available by clicking here

How you records are used to help you

Accurate, up to date information about you:

  • Helps staff to assess your health and care for you
  • Will help staff to treat you in the future, in the surgery or elsewhere
  • Allows staff to monitor and if necessary investigate the care you have received.

How your records help us

Accurate, up to date information about you:

  • helps us provide high quality care and meet all our patients' needs
  • helps us train healthcare professionals and support research and development
  • is necessary for the surgery to be paid for your treatment
  • supports audits of NHS services and accounts
  • supports investigation of any incidents or issues that arise
  • contributes to national NHS statistics.

Patient Leaflet

We have a patient leaflet that you are able to download from here

Privacy Notice

Click here to see a full version of our Privacy Notice

Accessing your medical records (a 'Subject Access' request)

You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the GP - for information from the hospital you should write direct to them
  • There may be a charge to have a printed copy of the information held about you
  • We are required to respond to you within 30 days
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of the reason for your request) so that your identity can be verified and your records located.

To request a copy of you health records or ask to see parts of it relating to specific points, please ask to speak to, or complete a Subject access request form or send a written request to:

Nicky (Practice Manager) Chawton Park Surgery, Chawton Park Road, Alton, GU34 1RJ

Your notes will be prepared for you and depending on what you require access to online records may be granted, a document could be emailed to you or a qualified member of staff will talk you through the content. Your right to see some information may be limited - for example, if it includes details about other people.


The General Data Protection Regulations 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioners Office (ICO) website and the practice is registered with them.

Our Data Protection Officer is Caroline Simms.

Our Data Controller, responsible for keeping your information secure and confidential is Dr Alexander Goodman. 

Lawful basis for direct care and administrative purposes

All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and currently the DPA98 (and in due course the DPA18 and GDPR).

For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.

Under the GDPR, for processing personal data in the delivery of direct care, and for providers' administrative purposes, the Article 6 condition for lawful processing that applies to the surgery and all publicly funded health and social care organisations in the delivery of their functions is:
6(1)(e) for the performance of a task carried out in the public interest or in the exercise of official authority

Under the GDPR, personal data concerning health are special categories of personal data; the most appropriate Article 9 condition which applies to the surgery for direct care or administrative purposes is:
9(2)(h) medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Data transferred outside the EU

The data we hold on you will not be transferred outside the EU. Should any future changes in the NHS mean that this is possible, we will seek you permission before transferring any of your information outside the EU.


Our practice website uses cookies to function correctly. You may delete cookies at any time but doing so may result in some parts of the site not working correctly.