Privacy Statement

How does the NHS and Overton Park Surgery Use Your Information?

Overton Park Surgery are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998/GDPR 2018 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and committee members receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on. GP records are held either manually or electronically at the practice until death, whereupon they will be transferred to Primary Care Support England.


Health care professionals maintain records about your health and any NHS treatment or care you have received (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.), in order to provide you with the best possible healthcare.

Overton Park Surgery are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act
  • General Data Protection Regulations (GDPR) March 2018 (to replace the DPA 1998).
  • Human Rights Act 1998.
  • Common Law Duty of
  • Health and Social Care Act 2012.
  • NHS Codes of Confidentiality and Information

NHS health records are processed electronically and on written record; a combination of both are used to ensure your information is kept confidential and secure. Records held by this GP practice may include the following information:

  • Details about you, such as address and next of kin
  • Any contact the practice has had with you, including appointments (emergency or scheduled), clinic visits,
  • Notes and reports about your health
  • Details about treatment and care received
  • Results of investigations, such as laboratory tests, x-rays,
  • Relevant information from other health professionals, relatives or those who care for

Patient information is confidential; however, we can disclose personal information:

  • If it is required by law
  • If you provide consent – either implicitly for the sake of your own care, or explicitly for other purposes
  • If it is justified to be in the public interest

Some patient information is held centrally for statistical purposes; however, we take strict and secure measures to ensure that individual patients cannot be identified.

Patient information may be shared (under strict protocol) with the following organisations:

  • NHS Health Boards
  • Specialist Health Organisations
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘data processors’

You have a responsibility to inform us of any inaccuracies or changes in your details (i.e. Name, DOB, Address), so our records are accurate and up to date.

Your Information, Your Rights

Providing access to transparent information about how we use your personal information is key to the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR). This document informs you of your rights in respect to the above legislation and of how Overton Park will lawfully use your data to deliver care within the local NHS system.

This page covers how we use information for:

  • The management of patient records
  • Communication concerning your clinical, social and supported care
  • Ensuring quality of care and the best clinical outcomes are achieved through clinical audit and retrospective review
  • Participation in health and social care research
  • The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future

As your registered GP practice, we are the data controller for any personal data that we hold about you.

Overton Park Surgery is registered with the Information Commissioner’s Office (ICO) as a data controller under the Data Protection Act 1998. Our registration can be viewed online in the public register. Patients have the right to complain to the ICO if they are not happy with how their data is being handled at the practice.

The Data Controller responsible for keeping your information secure and confidential is Dr Julian Wilson, Senior Partner, Overton Park Surgery. The Data Protection Officer for General Practices in Gloucestershire is Caroline Dominey-Strange. Any changes to this will be published on our website and displayed in prominent notices in the surgery.

Caroline Dominey-Strange

GP Data Protection Officer (Gloucestershire) & Information Governance Manager

Governance Services NHS South, Central and West

Your Right of Access to Your Records (Right of Subject access)

The Data Protection Act and GDPR allow you to find out what information is held about you including both your electronic and physical medical records. If you would like to have access to all or part of your records, you can make a request to the organisation that holds your records. This can be your GP, or a provider that has delivered your treatment and care. However, in the interest of your wellbeing some details within your health records may be exempt from disclosure.

Online access to your medical record can be granted using SystmOnline. If you would like online access to your GP record, please speak to the Receptionist. If you would like paper copies of your records, please make this request to the Secretaries.

What Patient Information Is Collected And How Is It Used?

We collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

Personal Data

Any information relating to an identifiable person who can be directly or indirectly identified from the data.  This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS number.

Special Category / Sensitive Data

Such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services).

Invoice Validation

If you have received treatment within the NHS your personal information may be shared within a strictly monitored, secure and confidential environment in order to determine which Health Board should pay for the treatment or procedure you have received.

Your Mobile Number (if provided)

May be used to send appointment reminders or health screening information. Please ensure you inform us if your number changes.

When patients who have previously consented to receiving text messages turn 14, they will be required to re-confirm whether they wish to receive texts to their registered number, in order to avoid sending records to their parent’s or guardian’s mobile number.

Our Website

May use cookies to optimise your experience. Using this feature means that you agree to the use of cookies as required by the EU Data Protection Directive 95/46/EC. You have the option to decline the use of cookies on your first visit to the website.

If it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations, we may share information with the following organisations.

  • Local GP Practices in order to deliver extended primary care services (Improved Access)
  • NHS England, Gloucestershire CCG, 2gether Trust
  • 111 and Out of Hours Service
  • Local Social Services and Community Care services
  • Voluntary Support Organisations commissioned to provide services by the Gloucestershire CCG

We may also receive information from the above organisations. In addition, we receive data from NHS Digital (as directed by the Department of Health), e.g. uptake of flu vaccinations and disease prevalence, to assist with “out of hospital care”. Information is not sent outside the EU.

NB. Your data will not be shared with insurance companies or for marketing purposes without specific agreement. Overton Park Surgery uses the clinical system TTP SystmOne, which has a technical component which allows us to be fully compliant with the national data opt-out policy.

Electronic Patient Records within the NHS are kept at most healthcare services, enabling your record to be shared quickly with other organisations involved in your direct care.

NHS England have implemented the Summary Care Record, which contains information including medication you are taking and any bad reactions to medication that you have had in the past. The shared electronic health record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health. Some patients are not able to provide a full account of their care; the shared record means patients do not have to repeat their medical history at every care setting.

Your record will be automatically set up to be shared; however, you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.

You can also reinstate your consent at any time by giving your permission to override your previous dissent.

Anti Coagulation Data Base

Purpose: Personal confidential data is shared with the INR database in order to provide certain patients who meet the criteria with an anticoagulation service.

Data is held on the database and can be accessed by the practice.

Legal Basis: Under UK GDPR Article 6(1)(e) Public Task and Article 9(2)(h) Health data.

Processor: LumiraDx.

How the NHS and Care Services Use Your Information

Whenever you use a health or care service, important information about you is collected in a patient record for that service (when there is a clear legal basis for collection), in order to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

Data is typically anonymised for research and planning; therefore, you cannot be identified, in which case your confidential patient information isn’t needed. You have a choice about whether you want your confidential patient information to be used in this way.

To find out more or to register to opt out please visit:

You can also find out more about how patient information is used at:

National NHS Data Opt-Out – Your right to withdraw consent

If you are happy for your data to be extracted and used for the purposes described in this document, then no action is required.  If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision, but in some circumstances, we may still be legally required to disclose your data.

There are two main types of opt-out. You can change your mind at any time.

Type 1 Opt-Out

If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 Opt-Out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’. For further information about Type 2 Opt-Outs, please visit the website:

To find out more or to register your choice to opt out, please visit

Why Do We Collect This Information?

The NHS Act 2006 and the Health and Social Care Act 2012 invest statutory functions in GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education/training. OPS process your information according to current data protection legislation to:

  • Protect your vital interests.
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult.
  • Perform tasks in the public’s interest.
  • Deliver preventative medicine, medical diagnosis, medical research.
  • Manage the health and social care system and services.

The GDPR lawful basis for processing special category health data for direct care that does not require explicit consent, is that processing is ‘necessary… in the exercise of official authority vested in the controller’ Article 6(1)(e). Patient information processing is also, ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ Article 9(2)(h).

How Do We Maintain The Confidentiality Of Your Records?

We are committed to protecting your privacy. Every member of staff who works for an NHS organisation has a legal obligation to keep your information confidential. We conduct annual training and awareness to ensure access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals with a legitimate and legal basis for access.

Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Consent and Objections

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However, consent is only one potential lawful basis for processing information. Therefore, this GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Overton Park Surgery will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

You have the right to withdraw your consent for any particular instance of processing, provided consent is the legal basis for the processing. Please contact us if you wish to raise an objection.

Health Risk Screening / Risk Stratification

Health Risk Screening / Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition.
  • Prevent an emergency admission.
  • Identify if a patient needs medical help to prevent a health condition from getting worse and/or…
  • Review and amend provision of current health and social care services.

Your GP will use computer-based algorithms to identify patients at the most risk, with support from the local Commissioning Support Unit and/or a third-party accredited Risk Stratification provider.  The risk stratification contracts are arranged by Gloucestershire CCG in accordance with the current Section 251 Agreement. Neither the CSU nor your local CCG will at any time have access to your personal or confidential data.  They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers. You have the right to object to your information being used in this way.  However, you should be aware that your objection may have a negative impact on the timely provision of your direct care.  Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.

Your GP will routinely conduct the risk stratification process outside of your GP appointment.  This process is conducted electronically, and the resulting report is reviewed by a team of staff within the Practice.  This may result in contact being made with you if alterations to the provision of your care are identified.

Sharing Information with NHS Gloucestershire Clinical Commissioning Group (CCG):

Overton Park Surgery, like all other Practices in Gloucestershire, has historically worked with NHS Gloucestershire CCG to receive support in providing the best possible treatment and care to patients, by sharing data with the CCG to:

  • Enable regular clinical audits, which help to ensure that patients can be diagnosed as early as possible and allow us to work with you to design appropriate care that helps improve quality of life.
  • Support the identification of patients at risk (risk stratification).
  • Review medicines use and management, including the prescribing of medicines, to ensure that it is safe and cost-effective.
  • Undertake population-wide analysis for commissioning to understand the care needs of our patients, to evaluate current care programmes and design new care pathways and services that reflect the specific needs of our patients.

Anonymised health and care related information such as the below is shared (under data protection law, to allow the above-mentioned important work to take place):

  • Health conditions patients suffer in the local area.
  • The types and frequency of appointments and care delivered to patients.
  • Medicines prescribed and dispensed for treatment of different conditions.
  • How well a new or existing service has been accessed and used by patients.

NHS numbers are used to enable GPs and clinicians to identify patients under their care.

If you do not want this non-confidential information about you from your GP Practice system to be shared with NHS Gloucestershire CCG for the above outlined purposes, you have the right to opt out. You can do this by informing your GP practice. This, however, will mean your details will be excluded from all local clinical audits and may mean you miss out on the key patient benefits listed above.

If you require more information about data sharing and usage by NHS Gloucestershire CCG, please see the NHS Gloucestershire Website:

Phone: 0300 421 1500


ACR project for patients with diabetes (and/or other conditions)

The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with to enable them to contact you and send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from we will continue to manage your care within the Practice. are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available on this Self Test for kidney disease at home PDF.


In the event that you feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at the below address:

Overton Park Surgery

Overton Park Road


GL50 3BP

If you remain dissatisfied with our response, you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Enquiry Line: 01625 545700 or online at

Further Information

About the way in which the NHS uses personal information and your rights in that respect can be found in:

An independent review of how information about patients is shared across the health and care system was conducted by Dame Fiona Caldicott in 2012. The report, Information: To share or not to share? The Information Governance Review, can be found at:

The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit the

Should you have any concerns about how your information is managed or wish to opt out of any data collection at the practice, please contact the practice or the CCG to discuss how the disclosure of your personal information can be limited.

Overton Park Surgery

Overton Park Road


GL50 3BP

Tel: 01242 580 511

This Document is reviewed annually: updated on: 18/05/2022