Fair Processing & Privacy Notice

The Loughton Surgery

Introduction

The Loughton Surgery is committed to protecting your privacy and ensuring your personal information is used fairly and lawfully. This notice explains how we use your data under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

We aim to be transparent and accessible in how we manage your information, ensuring it supports your care, meets our legal obligations, and helps improve the healthcare system.


What This Notice Covers

This Privacy Notice explains how we use your information for:

  • Managing your patient records

  • Communicating about your clinical, social, and support care

  • Ensuring high-quality care through clinical audits and reviews

  • Participation in health and social care research

  • Planning and managing services for current and future patient needs


Who We Are

  • Data Controller: The Loughton Surgery is the data controller for your personal information.

  • Data Protection Officer: Ruth Boughton, Information Governance Manager, DPO for West Essex GP Practices, Hertfordshire and West Essex ICB.


What Information We Collect

We may collect and process the following:

Personal Data

Information that identifies you, such as:

  • Name, date of birth, address, postcode

  • NHS number, next of kin

Special Category Data (Sensitive Information)

Details about:

  • Medical history, appointments, medications, test results

  • Mental and physical health, social care needs

  • Ethnic origin, genetics, and sexual orientation

This data is stored securely in electronic and/or paper records.

Note on Remote Consultations:
Patients should avoid including intimate areas in photos sent to the surgery via SMS.


Why We Collect Your Information

We use your data to:

  • Provide and manage your care

  • Safeguard your vital interests, especially for children or vulnerable adults

  • Support clinical research, public health, and service planning

  • Meet our legal and regulatory obligations under NHS legislation


How We Collect Your Data

Information may be shared with us directly by you or through:

  • NHS Mail or encrypted NHS networks

  • Paper-based documents sent securely

  • External health and care providers


Who We Share Your Information With

To provide and coordinate your care, we may share data with:

  • Other GP practices (e.g. extended access services)

  • NHS hospitals, 111, out-of-hours services

  • Social services, community care, and voluntary sector partners

  • NHS Digital and the Department of Health (e.g. vaccination uptake)

We do not transfer your data outside of the UK or EU.


Confidentiality & Security

We protect your privacy through:

  • Strict access controls and annual staff training

  • Data minimization and secure systems

  • Retention policies aligned with the Records Management Code of Practice for Health and Social Care 2016


Consent & Your Rights

Do I need to give consent?
Not always. Most processing is done under legal bases other than consent (e.g., public interest). However, we will seek your explicit consent for any additional use not covered here.

Withdrawing Consent
You can withdraw consent at any time, provided it was the legal basis for processing. Contact us for more information.


Risk Stratification

We use risk stratification tools to:

  • Identify patients at risk of deteriorating health

  • Prevent unplanned hospital admissions

  • Improve care planning

This is done under a Section 251 Agreement, with no access to identifiable data by third-party providers.

You may opt out—however, doing so could affect the timely delivery of care. Please speak with the Practice Manager.


Sharing Your Electronic Health Records

We share your electronic records with care providers involved in your treatment, including:

  • Other GP practices, community services, urgent care

  • Child health services, hospitals, mental health trusts

  • Social care, care homes, and pharmacies

You can opt out or limit this sharing by speaking to your GP. You can reinstate sharing at any time.


National Use of Health Information

Beyond your care, your data may support:

  • NHS research, planning, and service improvement

  • Public health monitoring and disease prevention

  • Safety and quality assurance

Your Choice Matters:
To opt out of your data being used for non-care purposes, visit www.nhs.uk/your-nhs-data-matters.

Your data is never shared with insurers or for marketing without explicit consent.


Invoice Validation

The Commissioning Support Unit (CSU) may access limited information (e.g. name, treatment details) to confirm which NHS body is responsible for your care costs. This is done securely and under legal provisions.


Accessing Your Records

Under the UK GDPR, you have the right to access your records. To request them, contact:

The Loughton Surgery
25 Traps Hill, Loughton
IG10 1SZ

Some parts of your record may be redacted for safety or third-party privacy.


Complaints

If you feel your data has been mishandled, please contact:

Practice Manager
The Loughton Surgery
25 Traps Hill, Loughton, IG10 1SZ

If unresolved, you can raise your concern with:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
📞 01625 545700
🌐 www.ico.gov.uk