Privacy Notice

COVID-19 and Your Information
Updated on 16th April 2020
Supplementary Privacy Notice on Covid-19 for Patients

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital, NHS England and Improvement, arm’s-length bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on the website and some FAQs on this law are available on the NHS website.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-Outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access Requests (SARs), Freedom of Information requests (FOIs) and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information included health and care records with clinical and non-clinical staff in other health and care providers, for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text message or email.

During this period of emergency we may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is available on the NHS website.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this Privacy Policy at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

What information is an individual entitled to under the GDPR?

Under the GDPR, individuals have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.

Can GP surgery charge a fee for dealing with a subject access request?

The practice must provide a copy of the information free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. A reasonable fee can be charged to comply with requests for further copies of the same information. This does not mean that the surgery can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information.

How long does the Surgery have to comply?

Information must be provided without delay and at the latest within one month of receipt. The surgery will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the surgery must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

What if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the surgery can:

  • Charge a reasonable fee taking into account the administrative costs of providing the information
  • Refuse to respond

Where the surgery refuses to respond to a request, it must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

How should the information be provided?

The surgery must verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically; it should provide the information in a commonly used electronic format.

What about requests for large amounts of personal data?

Where the surgery processes a large quantity of information about an individual, the GDPR permits the practice to ask the individual to specify the information the request relates to.The GDPR does not include an exemption for requests that relate to large amounts of data, but you may be able to consider whether the request is manifestly unfounded or excessive.

Please request in writing to Carol Endall Admin Manager using the form below:

Request to view Medical Records

If the request is to view vaccinations then please request in writing to the Carol Endall Admin Manager using the form below:

Request to view Medical Vaccines

Freedom of Information (FOIA) 1988

The Freedom of Information (FOI) Act gives a general right of access to all types of recorded information held by public authorities, with full access granted in January 2005. The Act sets out exemptions to that right and places certain obligations on public authorities.

The FOIA will be affected by the European General Data Protection Regulation (‘GDPR’), which is due to come into effect on 25th May 2018.

Details of the practice Publication Scheme.


The surgery Caldicott Lead is Doctor Andrew Green. The surgery Data Protection Officer is Doctor Caroline Domney-Strange.

Your rights are protected as we are registered under the Data Protection Act 1998 (DPA)/GDPR. The Act provides a framework which governs the processing of information that identifies living individuals.

The NHS Confidentiality Code of Practice (COP) applies only to patient information. It incorporates the requirements of the DPA and other relevant legislation together with the recommendations of the Caldicott report and medical ethical considerations, in some cases extending statutory requirements and provides detailed specific guidance.


All staff in the practice are bound contractually to maintain patient confidentiality and any proven breach of this will be treated extremely seriously.

We respect your right to privacy and keep all your health information confidential and secure. Confidentiality also extends to patients’ family members. Medical information relating to you will not be divulged to a family member or anyone else, without your written consent.

As we are a computerised practice, all our patient records are kept on computer and can assure patients of complete confidentiality.

It is important that the NHS keeps accurate and up-to-date records about your health and treatment so that those treating you can give you the best possible advice and care. However, for the effective functioning of a multi-disciplinary team it is sometimes necessary that medical information about you is shared between members of the practice team.

We follow the guidance issued by the GMC in ‘Confidentiality: Protecting and Providing Information’ which explains circumstances in which information may be disclosed.

This information is only available to those involved in your care and you should never be asked for personal medical information by anyone not involved in your care.

You have a right to know what information we hold about you. If you would like to see your records, please speak to Carol Endall Admin manager.

Sharing your health care records

Your patient record will be held securely and confidentially on our electronic system.

If you require treatment in another NHS healthcare setting such as an Emergency Department or Improved Access Clinic, those treating you would be better able to give you appropriate care if some of the information from the GP practice were available to them.This information can now be shared electronically (with your permission) via:-

  • NHS Summary Care Record (SCR) -used nationally across England.
  • Joining Up Your Information (JUYI) -used locally across Gloucestershire.
  • Enhanced Data Sharing Module (eDSM) -used for Improved Access Clinics across Gloucestershire.

The information will be used only by authorised healthcare professionals directly involved in your care. Your permission will be asked each time before the information is accessed, unless the Clinician is unable to ask you and there is a clinical reason for access. The doctors at Yorkleigh Surgery recommend you consent to the sharing of information to ensure you receive the best possible care.

Parents, guardians or someone with power of attorney can ask for people in their care to be opted out, but ultimately it is the GP’s decision whether to share information, or not, because of their duty of care.

If you are caring for someone and feel that they are able to understand, then you should make the information about the different methods of sharing available to them.

Differences between the Gloucestershire Shared Record/Summary Care Records/Enhance Data Sharing Module

Gloucestershire shared health and social care information Summary Care Record Enhanced Data Sharing Module (eDSM)
Shared Across Gloucestershire

Across health care settings, including urgent care, Community Care and outpatient departments

With GPs, and with NHS clinicians employed by Gloucestershire Hospitals NHS Foundation Trust, Gloucestershire Care Services NHS Trust (Community hospitals and community-based services, such as district nursing), 2gether NHS Foundation Trust (mental health services), South Western Ambulance Service NHS Foundation Trust.

Gloucestershire social care.

Across England

Across health care settings, including urgent care, Community Care and outpatient departments

With GPs, and with clinicians employed by any NHS Trust or organisation involved in your care across England

Across Gloucestershire

With GPs, and with clinicians contracted by GP Cluster.

Information source GP record

Other medical records held by different NHS organisations in Gloucestershire care.

GP record GP record
Content Your current medications

Any allergies you have

Any bad reactions you have had to medicines

Your medical history and diagnoses

Test results and X-ray reports

Your vaccination history

General health readings such as blood pressure

Your appointments, hospital admissions, GP out-of-hours attendances and ambulance calls

Care / management plans

Correspondence such as referral letters and discharge summaries.

Your current medications

Any allergies you have

Any bad reactions you have had to medicines

SCR with Additional information can be added (upon request to your GP practice) includes:

– Significant problems (past and present)

– Significant procedures (past and present)

– Anticipatory care information

– End of life care information – as per EOLC dataset ISB 1580

– Immunisations

Complete GP record

Sharing your anonymous health information

The Practice shares anonymous data about you with the NHS. This information includes information required for GP Contract monitoring and data required for local and national clinical audits eg National Diabetic Audit.

It is important that the NHS, can use this information to plan and improve services for all patients. The NHS would like to link information from all the different places where you receive care, such as your GP, hospital and community service, to help provide a full picture. This will allow the NHS to compare the care you received in one area against the care you received in another, so professionals can see what has worked best. Information such as your postcode and NHS number, but not your name, will be used to link your records in a secure system, so your identity is protected. Information which does not reveal your identity can then be used by others, such as researchers and those planning health services, to make sure we provide the best care possible for everyone. How your information is used and shared is controlled by law and strict rules are in place to protect your privacy.

You have the right to prevent confidential information about you from being shared or used for any purpose other than providing your care, except in special circumstances. If you do not want information that identifies you to be shared outside your GP practice, ask the practice in writing to make a note of this in your medical record. This will prevent your confidential information being used other than where necessary by law, (for example, if there is a public health emergency).

If you want to opt out of the above data sharing then please request this in writing to Carol Endall at Yorkleigh Surgery.

Privacy Information: ACR project for patients with diabetes (and/or other conditions)

The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with to enable them to contact you and send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from we will continue to manage your care within the Practice. are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at: