We ask you for personal information so that you can receive appropriate care and treatment. This information is recorded on computer and we are registered under the Data Protection Act. Your personal and medical details together with a record of all consultations are held within the Practice’s electronic records on our computer system. The Practice takes the privacy of your personal information very seriously and works to the highest standards to maintain confidentiality. We respect our patients’ privacy and confidentiality at all times.

Your medical data and personal information are used, stored and disposed of under strict regulations set out in the Data Protection 2003. As part of providing quality health care your medical information may need to be shared with allied health professionals on a need to know basis (i.e. hospitals, district nurses etc.). Information is never shared with third parties i.e. external organisations or insurance companies without your full written consent.

Consent to treatment is the principle that a person must give permission before they receive any type of medical treatment, test or examination.

This must be done on the basis of an explanation by a clinician.

Consent from a patient is needed regardless of the procedure, whether it’s a physical examination, organ donation or something else. The principle of consent is an important part of medical ethics and international human rights law.

Defining consent

For consent to be valid, it must be voluntary and informed, and the person consenting must have the capacity to make the decision.

These terms are explained below:

  • voluntary – the decision to either consent or not to consent to treatment must be made by the person themselves, and must not be influenced by pressure from medical staff, friends or family
  • informed – the person must be given all of the information in terms of what the treatment involves, including the benefits and risks, whether there are reasonable alternative treatments, and what will happen if treatment doesn’t go ahead
  • capacity – the person must be capable of giving consent, which means they understand the information given to them and they can use it to make an informed decision.


If an adult has the capacity to make a voluntary and informed decision to consent to or refuse a particular treatment, their decision must be respected.

This is still the case even if refusing treatment would result in their death, or the death of their unborn child.

If a person doesn’t have the capacity to make a decision about their treatment, the healthcare professionals treating them can go ahead and give treatment if they believe it’s in the person’s best interests.

But clinicians must take reasonable steps to seek advice from the patient’s friends or relatives before making these decisions.

Read more about assessing the capacity to consent.


How consent is given

Consent can be given:

  • verbally – for example, by saying they’re happy to have an X-ray
  • in writing – for example, by signing a consent form for surgery

Someone could also give non-verbal consent, as long as they understand the treatment or examination about to take place – for example, holding out an arm for a blood test.

Consent should be given to the healthcare professional directly responsible for the person’s current treatment, such as:

  • a nurse arranging a blood test
  • a GP prescribing new medication
  • a surgeon planning an operation


If someone is going to have a major medical procedure, such as an operation, their consent should ideally be secured well in advance, so they have plenty of time to obtain information about the procedure and ask questions.

If they change their mind at any point before the procedure, the person is entitled to withdraw their previous consent.

Consent from children and young people

If they are able to, consent is usually given by patients themselves.

However, someone with parental responsibility may need to give consent for a child up to the age of 16 to have treatment.

Read more about the rules of consent applying to children and young people


When consent is not needed


There are a few exceptions when treatment may be able to go ahead without the person’s consent, even if they’re capable of giving their permission.

It may not be necessary to obtain consent if a person:

  • requires emergency treatment to save their life, but they’re incapacitated (for example, they’re unconscious) – the reasons why treatment was necessary should be fully explained once they’ve recovered
  • immediately requires an additional emergency procedure during an operation – there has to be a clear medical reason why it would be unsafe to wait to obtain consent, and it can’t be simply for convenience
  • with a severe mental health condition, such as schizophrenia, bipolar disorder or dementia, lacks the capacity to consent to the treatment of their mental health (under the Mental Health Act 1983) – in these cases, treatment for unrelated physical conditions still requires consent, which the patient may be able to provide, despite their mental illness
  • requires hospital treatment for a severe mental health condition, but self-harmed or attempted suicide while competent and is refusing treatment (under the Mental Health Act 1983) – the person’s nearest relative or an approved social worker must make an application for the person to be forcibly kept in hospital, and two doctors must assess the person’s condition
  • is a risk to public health as a result of rabies, cholera or tuberculosis (TB)
  • is severely ill and living in unhygienic conditions (under the National Assistance Act 1948) – a person who is severely ill or infirm and is living in unsanitary conditions can be taken to a place of care without their consent


Consent and life-sustaining treatments


A person may be being kept alive with supportive treatments – such as lung ventilation – without having made an advance decision, which outlines the care they would refuse to receive.

In these cases, a decision about continuing or stopping treatment needs to be made based on what that person’s best interests are believed to be.

To help reach a decision, the healthcare professionals responsible for the person’s care should discuss the issue with the relatives and friends of the person receiving the treatment.

They should consider, among other things:

  • what the person’s quality of life will be if treatment is continued
  • how long the person may live if treatment is continued
  • whether there’s any chance of the person recovering

Treatment can be withdrawn if there’s an agreement that continuing treatment isn’t in the person’s best interests.

The case will be referred to the courts before further action is taken if:

  • an agreement can’t be reached
  • a decision has to be made on whether to withdraw treatment from someone who has been in a state of impaired consciousness for a long time (usually at least 12 months)

It’s important to note the difference between withdrawing a person’s life support and taking a deliberate action to make them die. For example, injecting a lethal drug would be illegal.

Fair Processing Notice

How we use your personal information

This fair processing notice explains why the GP practice collects information about you and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following information:-

  • Details about you, such as your address, contact number, legal representative, emergency contact details, next of kin details, power of attorney etc.
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health including assessment reports
  • Details about your treatment and care including referrals etc.
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you


To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.  Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose.

Please note that you have the right to opt out at any time.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from your GP Practice. A risk score is then arrived at through an analysis of your unidentifiable information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services.


Invoice Validation

If you have received treatment within the NHS, South West London Commissioning Support Unit may require access to your personal information in order to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.  Information such as your name, address and date of treatment may be passed on to enable the billing process. These details are held in a secure system and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes.


Other Data Sharing /Access Projects

How we keep information confidential 

We process and manage information in accordance with our legal duties under the Data Protection Act 1998. This includes the requirement to keep information secure and not hold it for longer than necessary.

To support our legal duties, the Practice and SWLCCG have a robust suite of Information Governance policies in place, including policies on information security, confidentiality and data protection. The Practice and SWLCCG follow the retention and destruction guidelines issued in the Records Management Code of Practice.

Under the Data Protection Act, we must ensure we have a legal justification for holding and using personal information. Under the Common Law Duty of Confidentiality, we have a duty to respect any duty of confidence attached to information we hold.

As an NHS organisation, we work in accordance with the confidentiality principles and guidelines laid out in the Caldicott reviews and the ‘Confidentiality: NHS Code of Conduct’.

We have strict information governance terms and conditions within our contractual agreements and policies and procedures which outline the expectations we have on staff to safeguard personal information. We ensure that all staff who access personal information receive appropriate on-going information governance training.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • 111 and urgent care centres
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Health and Social Care Information Centre (HSCIC)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • The National Diabetes Audit
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and, in some cases, asked for explicit consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.


Access to personal information

You have a right under the Data Protection Act 1998 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the GP – for information from the hospital you should write direct to them
  • We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within a reasonable time period from the date of receipt unless there is a reason for delay that is justifiable under the Data Protection Act.
  • There may be a charge to have a printed copy of the information held about you
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and reasons for your request) so that your identity can be verified and your records located


Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the Practice Manager. If you are still unhappy following a review by the GP practice, you can then raise a complaint to the Information Commissioner’s Office (ICO) via their website.


If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.

If you do not want your personal data being extracted and leaving the GP practice for any of the purposes described, you need to let us know as soon as possible.

We will then enter encrypted read codes into your records that will prevent data being shared by the practice and / or being shared with the central information system at the Health and Social Care Information Centre.


Change of Details

It is important that you tell your GP practice if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended.  You are responsible for informing us of any changes so our records are accurate and up to date.



The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioner’s Office website.

The GP practice is registered with the Information Commissioner’s Office (ICO).


Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential, is your GP Practice.


Further Information

Under the Data Protection Act 1998 people have the right to see any files about them, including their health records. Access can only be denied if there is a compelling reason. The Data Protection Act replaced the Access to Health Records Act 1990 on 1st March 2000, except for applications to see records of someone who has died. If there is anything you do not understand, or find upsetting, please speak to a receptionist who will pass your concern on to a doctor as appropriate.

Access to your medical records is available online through Patient Access.

Complaints Procedure

Let the Practice know your views

Thurleigh Road Practice is always looking for ways to improve the services it offers to patients. To do this effectively, the practice needs to know what you think about the services you receive. Tell us what we do best, where we do not meet your expectations plus any ideas and suggestions you may have. Only by listening to you can the practice continue to build and improve upon the service it offers.


Tell us about our Service by submitting your comments here

  • Could you easily get through on the telephone?
  • Did you get an appointment with the practitioner you wanted to see?
  • Were you seen within 20 minutes of your scheduled appointment time?
  • Were our staff helpful and courteous?


Practice Complaint Procedure

If you have a complaint about the service you have received from any member of staff working in this Practice, please let us know. The Practice operates a Complaints Procedure as part of the NHS system for dealing with complaints. Our complaints system meets national criteria.

Note: If you make a complaint it is Practice policy to ensure you are not discriminated against, or subjected to any negative effect on your care, treatment or support.


How to complain

We hope that most problems can be resolved easily and quickly, often at the time they arise and with the person concerned. Where the issue cannot be resolved at this stage and you wish to make a complaint, please contact our Practice Manager, who will try to resolve the issue and offer you further advice on the complaints procedure. If your problem cannot be resolved at this stage and you wish to make a formal complaint, please let us know as soon as possible, ideally within a matter of days. This will enable the practice to get a clear picture of the circumstances surrounding the complaint.


If it is not possible to raise your complaint immediately, please let us have details of your complaint within the following timescales:


  • Within 12 months of the incident that caused the problem


  • Within 12 months from when the complaint comes to your notice



The Practice will acknowledge your complaint within three working days and may arrange a meeting with you to discuss the complaint, to agree with you how the complaint is going to be investigated and the timescale for this to be completed.



What we will do


We shall acknowledge your complaint within three working days and aim to have looked into your complaint within ten working days of the date when you raised it with us.  We shall then be in a position to offer you an explanation, or a meeting with the people involved.  When we look into your complaint, we shall aim to:

  • Ascertain the full circumstances of the complaint;
  • Make arrangements for you to discuss the problem with those concerned, if you’d like this;
  • Make sure you receive an apology, where this is appropriate;
  • Identify what the Practice can do to make sure the problem does not happen again.


Complaining on behalf of someone else

Please note that Thurleigh Road Practice keeps strictly to the rules of medical confidentiality. If you are complaining on behalf of someone else, the Practice needs to know that you have their permission to do so. A note signed by the person concerned will be required, unless they are incapable of providing this due to illness or disability.



NHS Complaints Advocacy Service

This is a free and independent national service that supports people who want to make a complaint about their NHS care or treatment.

Your local NHS Complaints advocate can be contacted on 0300 330 5454 or



If you are not happy with the response from this practice, you can refer your complaint to the Parliamentary and Health Service Ombudsman who investigates complaints about the NHS in England.

You can call the Ombudsman’s Complaints Helpline on 0345 015 4033 or


Complaining to other Authorities

The practice management team hope that if you have a problem you will use the Practice Complaints Procedure.

However, if you feel you cannot raise your complaint with us, you can contact any of the following bodies:


NHS Complaints Advocacy Service

NHS ENGLAND Complaints Team

PO Box 16738


B97 9PT

Tel: 0300 311 22 33


The practice will not tolerate violent or abusive behaviour.

Anyone verbally abusing either a member of staff or the public, or using inappropriate language, will be asked to leave the premises and requested to find another GP.

Anyone who is violent or causes damage will be removed from the list immediately.

Patients will also be removed from the list in the following circumstances:

  • Violence and aggression towards staff or members of the public
  • Damage to practice property or equipment
  • Change of residence to outside of the practice area
  • Persistent misuse of the system
  • Patients who the doctors are unable to manage clinically e.g. breach of contract with doctor regarding use of prescribed medicine, break down in patient communication

Where patients are disruptive, display aggressive and/or intimidating behaviour and refuse to leave the premises, staff are instructed to dial 999 for Police assistance; charges may then be brought against these individuals.


It is our policy to be helpful and polite to all our patients regardless of age, ethnic origin, disability, gender or sexual orientation. We expect the same courtesy from our patients. Discriminatory, unsocial, threatening, violent or abusive behaviour towards staff, other patients or the premises will not be tolerated. The Practice will take action in these circumstances. This may involve the Police and result in the removal of the patient from our practice list.

In England, please refer to the NHS Constitution for further information on your rights and responsibilities.

Subject Access Requests

A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a subject access request (SAR). If you want to see your health records or wish to have a copy, you can write to or call your Practice and then arrange a time to come in and read them. You do not have to give a reason for wanting to see your records. There is no charge for this service.

It’s a good idea to state the dates of the records that you want to see – for example, from 2010-2017 – and, if you are requesting this in writing, to send the letter by recorded delivery or deliver it to the Practice. You should also keep a copy of your letter for your records. The Practice has up to 28 days to respond. If additional information is needed before copies can be supplied, the 28-day time limit will begin as soon as the additional information has been received.

The 28-day time-limit can be extended for two months for complex or numerous requests where the data controller (usually your practice) needs more time to collate and supply the data. You will be informed about this within 28 days and provided with an explanation of why the extension is necessary.

When writing/calling, you should say if you:

  • want a copy as well as to see them (if you wish to see them your doctor or member of staff will be present to assist you and explain any medical terms to you)
  • want all or just part of them
  • would like your records to be given to you in a format that meets your needs, and we will endeavour to accommodate your request
  • If you request your records to be emailed, then we will secure your or your representative’s agreement (in writing or in email) that they accept the risk of sending unencrypted information to a non-NHS email address


You may also need to fill in an application form and give proof of your identity. The Practice has an obligation under the GDPR and DPA 2018 to ensure that any information provided for the patient can be verified.

Please note we never send original medical records because of the potential detriment to patient care should these be lost.

Who may apply for access?

1. Patients with capacity

Subject to the exemptions listed in paragraph 1(6) (below) patients with capacity have a right to access their own health records via a SAR. You may also authorise a third party such as a solicitor to do so on your behalf. Competent young people may also seek access to their own records. It is not necessary for you to give reasons as to why you wish to access your records.

2. Children and young people under 18

Where a child is competent, they are entitled to make or consent to a SAR to access their record.

Children aged over 16 years are presumed to be competent. Children under 16 in England, Wales and Northern Ireland must demonstrate that they have sufficient understanding of what is proposed in order to be entitled to make or consent to an SAR. However, children who are aged 12 or over are generally expected to have the competence to give or withhold their consent to the release of information from their health records. In Scotland, anyone aged 12 or over is legally presumed to have such competence. Where, in the view of the appropriate health professional, a child lacks competency to understand the nature of his or her SAR application, the holder of the record is entitled to refuse to comply with the SAR. Where a child is considered capable of making decisions about access to his or her medical record, the consent of the child must be sought before a parent or other third party can be given access via a SAR (see paragraph 3 below).

3. Next of kin

Despite the widespread use of the phrase ‘next of kin’, this is not defined, nor does it have formal legal status. A next of kin cannot give or withhold their consent to the sharing of information on a patient’s behalf. As next of kin they have no rights of access to medical records. For parental rights of access, see the information above.

4. Solicitors

You can authorise a solicitor acting on your behalf to make a SAR. We must have your written consent before releasing your medical records to the solicitors acting on your behalf. The consent must cover the nature and extent of the information to be disclosed under the SAR (for example, past medical history), and who might have access to it as part of the legal proceedings. Where there is any doubt, we may contact you before disclosing the information. (England and Wales only – Should you refuse, your solicitor may apply for a court order requiring disclosure of the information. A standard consent form has been issued by the BMA and the Law Society of England and Wales. While it is not compulsory for solicitors to use the form, it is hoped it will improve the process of seeking consent.)

The Practice may also contact you to let you know when your medical records are ready. If your solicitor is based within our area, then we may ask you to uplift them and deliver them to your solicitor. This is because we can no longer charge for copying and postage, so we would appreciate your help if you can do this, or alternatively ask your solicitor if they can uplift your medical records.

5. Supplementary Information under SAR requests

The purposes for processing data

The purpose for which data is processed is for the delivery of healthcare to individual patients. In addition, the data is also processed for other non-direct healthcare purposes such as medical research, public health or health planning purposes when the law allows.

The categories of personal data

The category of your personal data is healthcare data.

The organisations with which the data has been shared

Your health records are shared with the appropriate organisations which are involved in the provision of healthcare and treatment to the individual. Other organisations will receive your confidential health information, for example Digital or the Scottish Primary Care Information Resource (SPIRE) or research bodies such as the Secure Anonymised Linkage Databank (SAIL). (This information is already available to patients in our practice privacy notices).

The existence of rights to have inaccurate data corrected and any rights of objection

For example, a national ‘opt-out’ model such as SPIRE etc.

Any automated decision taking including the significance and envisaged consequences for the data subject

For example, risk stratification.

The right to make a complaint to the Information Commissioner’s Office (ICO)

6. Information that should not be disclosed

The GDPR and Data Protection Act 2018 provides for a number of exemptions in respect of information falling within the scope of a SAR. If we are unable to disclose information to you, we will inform you and discuss this with you.

7. Individuals on behalf of adults who lack capacity

Both the Mental Capacity Act in England and Wales and the Adults with Incapacity (Scotland) Act contain powers to nominate individuals to make health and welfare decisions on behalf of incapacitated adults. The Court of Protection in England and Wales, and the Sheriff’s Court in Scotland, can also appoint deputies to do so. This may entail giving access to relevant parts of the incapacitated person’s medical record, unless health professionals can demonstrate that it would not be in the patient’s best interests. These individuals can also be asked to consent to requests for access to records from third parties.

Where there are no nominated individuals, requests for access to information relating to incapacitated adults should be granted if it is in the best interests of the patient. In all cases, only information relevant to the purposes for which it is requested should be provided.

8. Deceased records

The law allows you to see records of a patient that has died as long as they were made after 1st November 1991.

Records are usually only kept for three years after death (in England and Wales GP records are generally retained for 10 years after the patient’s death before they are destroyed).

Who can access deceased records?

You can only see that person’s records if you are their personal representative, administrator or executor.

You won’t be able to see the records of someone who made it clear that they didn’t want other people to see their records after their death.

Accessing deceased records

Before you get access to these records, you may be asked for:

  • proof of your identity
  • proof of your relationship to the person who has died

Viewing deceased records

You won’t be able to see information that could:

  • cause serious harm to your or someone else’s physical or mental health
  • identify another person (except members of NHS staff who have treated the patient), unless that person gives their permission

If you have a claim as a result of that person’s death, you can only see information that is relevant to the claim.

9. Hospital Records

To see your hospital records, you will have to contact your local Hospital.

10. Power of attorney

Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney.

A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.

The person you appoint is known as your attorney. An attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used.

If you wish to see the health records of someone who has died, you will have to apply under the Access to Medical Records Act 1990. You can only apply if you:

  • are that person’s next of kin, are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person),
  • have the permission of the next of kin or have obtained written permission from the deceased person before they died.

To access the records of a deceased person, you must go through the same process as a living patient. This means either contacting the Practice or the hospital where the records are stored.


If you think that information in your health records is incorrect, or you need to update your personal details (name, address, phone number), approach the relevant health professional informally and ask to have the record amended. Some hospitals and GP surgeries have online forms for updating your details. If this doesn’t work, you can formally request that the information be amended under the NHS complaints procedure.

All NHS trusts, NHS England, CCGs, GPs, dentists, opticians and pharmacists have a complaints procedure. If you want to make a complaint, go to the organisation concerned and ask for a copy of their complaints procedure.

Alternatively, you can complain to the Information Commissioner (the person responsible for regulating and enforcing the Data Protection Act), at:


The Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane

Telephone: 0303 123 1113 (local rate) or 01625 545745 if you prefer to use a national rate number.

If your request to have your records amended is refused, the record holder must attach a statement of your views to the record.