Privacy Policy

Confidentiality, Data Protection & Freedom of Information act

It is important that the practice keep accurate and up-to-date records about your health and treatment so that those treating you can give you the best possible advice and care. This information is only available to those involved in your care.

You have a right to know what information we hold about you. The Freedom of Information Act gives you the right to request information we hold. If you would like to see your records, please contact our Practice Manager. You will be asked to complete a request form and there may be a charge for this information.

Please ask for a listing of all charges for letters, reports and copies of your information.

Information requested by third party organisations outside the NHS will NOT be shared without your explicit written consent.

GDPR Compliance Statement


The EU General Data Protection Regulation (“GDPR) came into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

Our Commitment

Health and Beyond is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law. However, we recognise our obligations to meet the demands of the GDPR and the UK’s Data Protection Bill.

H&B is dedicated to safeguarding personal information and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of new regulations.

H&B have a consistent level of data protection and security across our organisation, and are fully compliant with the GDPR from 25th May 2018. Our process includes:

  • Information Audits – scheduled network wide information audit to identify and assess what personal information we hold
  • Policies & Procedures – revised data protection policies and procedures which meet the requirements and standards of the GDPR and any relevant data protection laws.
  • Data Protection – our main policy and procedure document for data protection meets the standards and requirements of the GDPR laws. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities.
  • Data Breaches – our breach procedures ensure that we have measures in place to identify, assess, investigate and report any personal data breach within the required timeframe. Our procedures have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
  • Subject Access Request (SAR) – (Requests for information for insurance reports or legal action) we have revised our SAR procedures to meet the 30-day timeframe for responses to third party requestors provided there is appropriate patient consent. Our new procedures detail how to verify the data subject, what steps to take for processing an access request, and what exemptions apply.
  • Privacy Policy – we have revised our Privacy Policy to comply with the GDPR, ensuring that all individuals whose personal information we process are informed of why we need it, how it is used, what their rights are.
  • Summary Care Record – Consent or Rescind – Patients are requested upon registration if they agree to participate in Summary Care Records. This means that any medically pertinent information is able to be shared with other health care professionals who are providing care for our patients. Patients can decline to give consent and this will be recorded clearly in their record.
  • Obtaining Consent ” we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed a simple process to withdraw consent at any time.

Any patient over 16 must give written consent for any family member who will need to have access to medical information. If consent is not given we will be unable to share ay information with parents or care givers.

If you have any questions about our compliance with GDPR, please contact your surgery.