GDPR and freedom of information

GDPR: Statement of intent

Under the GDPR regulations, which came into effect on 25th May 2018, we may need to ask your permission to provide you with information about health care services which are not related to your direct care. You will also be asked to express a preference in choosing services such as your designated pharmacy for prescriptions. You can find out more about the information we hold on you and your choices about how it is shared through:

Privacy notice, April 2023 (PDF)

How we use your information (PDF)

You also have the right to access your medical records. The easiest way for you to do this is to sign up for online access.

Freedom of information

The Freedom of Information Act creates a right of access to recorded information and obliges a public authority to:

  • Have a publication scheme in place
  • Allow public access to information held by public authorities.

The Act covers any recorded organisational information, such as reports, policies or strategies, that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. However, it does not cover personal information such as patient records, which are covered by the Data Protection Act.

Public authorities include government departments, local authorities, the NHS, state schools and police forces.

The Act is enforced by the Information Commissioner who regulates both the Freedom of Information Act and the Data Protection Act.

The surgery publication scheme

A publication scheme requires an authority to make information available to the public as part of its normal business activities. The scheme lists information under seven broad classes, which are:

  • who we are and what we do
  • what our priorities are and how we are doing
  • how we make decisions
  • our policies and procedures
  • lists and registers
  • the services we offer

You can request our publication scheme leaflet at the surgery.

Who can request information?

Under the Act, any individual, anywhere in the world, is able to make a request to a practice for information. An applicant is entitled to be informed in writing, by the practice, whether the practice holds information of the description specified in the request and, if that is the case, to have the information communicated to him. An individual can request information, regardless of whether he/she is the subject of the information or affected by its use.

How should requests be made?

Requests must:

  • be made in writing (this can be done electronically, e.g. by email or fax)
  • state the name of the applicant and an address for correspondence
  • describe the information requested.

What cannot be requested?

Personal data about staff and patients covered under the Data Protection Act.

Accessing your medical records

Introduction

In accordance with the UK General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by Ashville Surgery. This is commonly known as a subject access request (SAR). Data subjects have a right to receive:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Access to any other supplementary information held about them

Options for access

As of April 2016, organisations have been obliged to allow patients access to their coded health record online. As of April 2020, this service now enables the patient to view their prospective full medical record. Prior to accessing this information, you will have to visit the organisation and undertake an identity check before being granted access to your records.

In addition, you can make a request to be provided with copies of your health record. To do so, you must submit a SAR form. This can be submitted electronically and the SAR form is available on the organisation website. Alternatively, a paper copy of the SAR is available from reception. You will need to submit the form online or return the completed paper copy of the SAR to the organisation. Patients do not have to pay a fee for copies of their records.

Time frame

Once the SAR form is submitted, Ashville Surgery will aim to process the request within 28 days; however, this may not always be possible. The maximum time permitted to process SARs is one calendar month.

Exemptions

There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause undue stress or harm to you or any other person.

Data controller

At Ashville Surgery the data controller is Magnus Nelson. Should you have any questions relating to accessing your medical records, please ask to discuss this with the named data controller.

For more information see these websites: