Privacy Policy




New Data Protection Regulation (GDPR)

You may have heard about the new General Data Protection Regulation ("GDPR"), which comes into effect on May 25, 2018. To help comply with GDPR consent requirements, we need to confirm that you would like to receive content from us.

Chingford Medical Practice takes your privacy very seriously.  We are registered with the Information Commissioner's Office as a Data Controller and our registration number is Z9702941.

  • Our Data Protection Officer is: Mrs Sevi Lynch, Practice Manager
  • Our Data Controller is: Mrs Sevi Lynch, Practice Manager

If you have any questions or wish to make a request in relation to your information, please contact us at:

Chingford Medical Practice
109 York Road
E4 8LF

For the attention of: Data Protection Officer or mail: Data Protection Officer. Contact us via Accurx


Information held about you 

This Privacy Notice explains why the GP practice collects information about you and how that information may be used. 

Health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records are used to help to provide you with the best possible healthcare. 

Your NHS health care record may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records this GP Practice holds about you may include the following information:


Personal Data

  • Details about you, such as your name, address, carers, legal representatives and emergency contact details

Sensitive Data (Special Category Data)

  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you

Healthcare providers are permitted to collect, store, use and share this information under Data Protection Legislation which has a specific section related to healthcare information.

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.


What do we do with your information?

  • Refer you to other healthcare providers when you need other services or tests
  • Share samples with laboratories for testing (like blood samples)
  • Share test results with hospitals or community services (like blood tests)
  • Allow out of hours Health Care Providers to look at your practice record when you go to an appointment
  • Send prescriptions to a pharmacy
  • Patients are texted in relation to healthcare service
  • Samples are provided to the courier for delivery to pathology
  • Share reports with the coroner
  • Receive reports of appointments you have attended elsewhere such as with the community nurse or if you have had a stay in hospital

Information access and rights

The value of personal data is increasing and technology is rapidly developing. Personal data can be manipulated and used in increasingly sophisticated ways and sometimes on a large scale.

Data protection law provides you with a number of rights that the practice must support you with. 


Access Requests

You have the right to obtain:

  • confirmation that information is being used, stored or shared by the practice.
  • a copy of information held about you

We will respond to your request within one month of receipt or tell you when it might take longer.

We are required to validate your identity, or the identity of someone making a request on your behalf.


Right to Correction

If information about you is incorrect, you are entitled to request that we correct it.

There may be occasions where we are required by law to maintain the original information. Our Data Protection Officer will talk to you about this and you may request that the information is only used during this time.

We will respond to your request within one month of receipt or tell you when it might take longer.


Right to Data Portability

If you change practices, all information held about you will be transferred to your new practice.



You also have the right to make complaints and request investigations into the way your information is used. Please contact our Data Protection Officer or visit the link below for more information.

For more detailed information on your rights, visit the Information Commissioner's Office website.


Lawful basis for processing personal data

How do we maintain the confidentiality of your records? 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 1998 and General Data Protection Regulation 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. 

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies. 


Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • London Ambulance Service
  • Waltham Forest Clinical Commissioning Group
  • Social Care Services
  • Health and Social Care Information Centre (HSCIC)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.


Data Breaches 

How do we protect your Information?

We are committed to ensuring the security and confidentiality of your information. There are a number of ways in which we do this:

  • Staff receive annual training about protecting and using personal data
  • Policies are in place for staff to follow and are regularly reviewed
  • We check that only the minimum amount of data is shared or accessed
  • Every member of staff uses a 'smartcard' to access the clinical system; this helps ensure that the right people are accessing data - people with a 'need to know'
  • Smartcard usage can be audited and monitored
  • We use encrypted emails and storage which would make it difficult for someone to 'intercept' your information
  • We report and manage incidents to make sure we learn from them and improve
  • We put in place contracts that require providers and suppliers to protect your data as well
  • We do not send your data outside of the EEA

Breaches of data 

  • The ICO (Information Commissioner's Office) will be notified if the data breach is likely to result in a risk to the rights and freedoms of individuals
  • Procedures are in place to effectively detect, report and investigate any personal data breaches
  • Audits (Data Protection Impact Assessments) will be undertaken to ensure that these processes are in place.


Consent must be freely given, clear, specific, informed and unambiguous. We will seek your consent to:

  • Pass information to some third parties (e.g. solicitors acting on your behalf)
  • Have invasive procedures such as minor surgery carried out


The GDPR sets the age when a child can give their own consent to this processing at 16 years currently. If a child is younger than this, consent will need to be obtained for their continued healthcare from a person holding ‘parental responsibility’. 


Further information

Further information about the way in which the NHS uses personal information and your rights in that respect can be found in: