
GDPR and Patient Data Protection 

Your Data 

Under the Data Protection Act (DPA) 2018, we are obliged to disclose how your data is collected, processed, stored, and used. In order to provide you with safe care and treatment, we need to store personal information about you, such as your name, address, date of birth, and contact details. Our medical record system will also store information about your medical history, including your care history, any diagnoses you may have had, your appointments and who you have seen, tests which you have had, treatments and medications you have been supplied, and the results of any scans or investigations which may have been performed. 

How your data is used

By registering with us and attending the practice, it is assumed that you are consenting to the sharing of your information both with the practice and with other organisations who may also provide you with care. We are also allowed by law to share this information. 


It may not always be possible for your GP to handle all of your information. Where necessary, this responsibility may need to be delegated to others in the practice and, where necessary, to members of other organisations. If your care requires us to share information with others outside the practice, we will exchange whatever information is necessary to ensure that you receive the care you need. Where you have attended other care providers, such as hospitals or other clinics, we will receive details of the care which they have provided for you. The practice team (including clinicians, administration, and reception staff) will only access information which is necessary for them to perform their duties.

In order to provide you with safe and effective care, we use your data for a number of purposes. Your medical records may be accessed by a computer program to identify whether you are in a group which is vulnerable to certain risks, such as heart disease, unplanned hospital admission, or seasonal diseases such as the flu. This is done in order to provide you with care as soon as possible. This process may require us to link information from your GP record to information from other health providers, NHS Trusts, or social care services which you have used. This data may also be used by local Clinical Commissioning Groups (CCGs) to improve local services and commission new services where this is deemed necessary. The legal basis for this usage is laid out under Section 251 of the NHS Act 2006, more information on which can be found here. Information which identifies you will only be seen by this practice.  


Sometimes it may be necessary for us to share your information with other medical professionals or organisations so that other people, including healthcare workers, children, vulnerable adults, and others with safeguarding needs, are safeguarded and protected from harm. It is rare for these circumstances to arise, but in the event that it is deemed necessary, such as in an emergency, we are able to share your information without your agreement or consent. Please see our Safeguarding Policy for more information.

Summary Care Records

In order to facilitate medical care outside of your GP practice, the NHS uses a system called the Summary Care Record (SCR). The Summary Care Record contains information about any medication allergies you may have and any medications you may be taking which might react adversely with common treatments. If additional information is included in the SCR, it may also include any major procedures you have had, your significant underlying disorders, reasons for prescribing medication, vaccinations you might have received, and information relating to anticipatory treatment and end-of-life care. The SCR allows medical professionals such as A&E staff, Out of Hours care services, and emergency service workers to access your information. It is important that emergency medical workers know your care history, such as whether you are allergic to any medications. Additional information can only be added to your SCR with your consent. You are legally allowed to request that you are opted out of the SCR system, but you should be aware that if you do so, your medical history will be unavailable to the healthcare professionals who would use this information to provide you with the best and safest care.

Your information may also be accessed and shared for the following care protocols:

  • Clinical audits, such as the National Diabetes Audit.

  • Clinical research conducted by partner organisations. Your permission will always be sought in cases where your medical history will be shared for research purposes.

  • Individual Funding Requests made by your organisation, where requests are made for funding on your behalf and with your consent for treatment which falls outside the remit of the practice.

  • Invoice validation, where information such as your NHS number will be processed to ensure which Clinical Commissioning Group is responsible for paying for your healthcare. 

  • The National Fraud Initiative, which may access information without the consent of the concerned party. More information on the NFI can be found here. 

  • National Registries, such as the Learning Disabilities Register, which may access patient data without the requirement to seek consent from each individual user.

The NHS Database

When you register with the NHS, your information is stored on the National Health Application and Infrastructure Service database. This database contains your name, address, date of birth, and NHS number, but does not contain any information about your care history. The database is held by NHS Digital, a national organisation which has a legal responsibility to collect and store NHS data. More information can be found here.

How your Data is Stored

Our storage of patient data and records is governed by the Records Management NHS Code of Practice for Health and Social Care. The Code of Practice determines how records are created, managed, stored, and destroyed, and all Practice engagement with patient records is in line with this code. 

Phone System

All calls to and from the Practice are recorded for the purposes of training and monitoring. 

NHS App Messaging Service

We use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at the privacy notice for the NHS App managed by NHS England.

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

Data Controller: 

Chartfield Surgery 

30 Chartfield Avenue


SW15 6HG


Data Protection Officer

Soraya Dizia – Practice Manager 

Purpose of Processing your personal information


Direct Care is care delivered to the individual alone, most of which is provided in the surgery.


After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, technicians, etc.


The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.


Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This is called “risk stratification”. This means we can offer patients additional care or support as early as possible. This process will involve linking information from your GP record with information from other health or social care services you have used.

Lawful Basis for Processing your personal information

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:


Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.


Article 9(2)(h) ‘…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’.


Recipient or categories of recipients of your personal data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.


In addition, personal data may be shared with, sent to, or received from providers such as our 8to8 hubs (who provide some evening and weekend appointments on behalf of the practice), 111, out of hours services, local social services and care services, or other services the Wandsworth Clinical Commissioning Group has commissioned. In all cases, we ensure the data supplied is appropriate and within the law.

Your right to object

You have the right to object to some or all the information being processed, which is detailed under Article 21. Please contact the Data Protection Officer. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

Your right to access and correction

You have the right to access the data that is being shared and to have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

How long do we hold your personal data for?

We retain your personal data in line with both national guidance and law.

Your right to complain

Use of personal data is overseen by the Information Commissioner's Office, often known as the ICO. You have the right to complain or raise concerns with the ICO, and they can be contacted via their website, or you can call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).



Free of Charge

Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:


(a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) Refuse to act on the request.


The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.



We and our trusted partners use cookies and other technologies in our related services, including when you visit our Site or access our services.


A ‘cookie’ is a small piece of information that a website assigns to your device while you are viewing a website. Cookies are very helpful and can be used for various different purposes. These purposes include allowing you to navigate between pages effectively, enabling automatic activation of certain features, remembering your preferences and making the interaction between you and our Services quicker and easier.  Cookies are also used to help make sure that the advertisements you see are relevant to you and your interests and to compile statistical data on your use of our Services.


The Site uses the following types of cookies:


1. ‘session cookies’, which are stored only temporarily during a browsing session in order to allow normal use of the system and are deleted from your device when the browser is closed;

2. ‘persistent cookies’, which are read only by the Site, saved on your computer for a fixed period and are not deleted when the browser is closed. 

3. ‘third-party cookies’, which are set by other online services who run content on the page you are viewing, for example by third-party analytics companies who monitor and analyse our web access.


Cookies do not contain any information that personally identifies you, but Personal Information that we store about you may be linked, by us, to the information stored in and obtained from cookies. You may remove the cookies by following the instructions of your device preferences; however, if you choose to disable cookies, some features of our Site may not operate properly and your online experience may be limited.

Updates or amendments to this Privacy Policy

We reserve the right to periodically amend or revise the Privacy Policy; material changes will be effective immediately upon the display of the revised Privacy Policy. The last revision will be reflected in the "Last modified" section. Your continued use of the Platform, following the notification of such amendments on our website, constitutes your acknowledgment of and consent to such amendments to the Privacy Policy and your agreement to be bound by the terms of such amendments.

How to contact us

If you have any general questions about the Site or the information we collect about you and how we use it, you can contact us at
