General Data Protection Regulation (GDPR)

Auckland Surgery has a legal duty to explain how we use any personal information we collect about you, as a patient at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format. As your registered GP practice, we are the data controller for any personal data that we hold about you.

What information do we collect and use?

We will collect the following types of information from you or about you from healthcare professionals engaged in the delivery of your care:

‘Personal data’ – information relating to an identifiable person who can be directly or indirectly identified from this data. This includes, but is not limited to, name, date of birth, address, next of kin and NHS number.

‘Special category/sensitive data’ – such as medical history, medication, appointments and admissions, treatments, results of investigations, etc.

Why do we collect this information?

Healthcare professionals who provide you with care are required by law to maintain records about your health and any treatment or care received within any NHS organisation. We collect and hold data for the sole purpose of providing healthcare services to our patients.

How will we use your information?

Your data is collected for the purpose of providing direct patient care. Confidential data will be shared within the practice healthcare team and other healthcare professionals to whom you are referred. Information will be disclosed where it is required by law, if you give consent or if it is justified in the public interest. Additionally, the practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows.

Maintaining confidentiality

We are committed to maintaining confidentiality and protecting the information we hold about you. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to a third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on. We adhere to the General Data Protection Regulation (GDPR) and the NHS Codes of Confidentiality and Security.

Risk stratification/health risk screening

This is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. This information is collected by a number of sources and is processed electronically and given a risk score, which can help your GP decide on any necessary actions to ensure you receive the most appropriate care.

Invoice validation

If you have received treatment, your information may be shared to determine which Clinical Commissioning Group (CCG) is responsible for paying for treatment. This information may include your name, address and treatment date. All this information is held securely and confidentially; it will not be used for any other purpose or shared with third parties.


You have the right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of information outside the practice.

Your right to access your records

You have the right to access the information that we, or another NHS organisation, hold about you. If you would like to access your records, you can make a request in writing – a Subject Access Request (SAR) – to see all or part of your records. Please ask at reception and you will be given a SAR form to complete, or contact the relevant NHS organisation. If you have online access to your medical records, you can also view the records we hold this way.

Retention periods

In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.


In the unlikely event that you are unhappy with any element of our data processing methods, please let us know. If you are unhappy with our response, you have a right to lodge a complaint with the Information Commissioner's Office (ICO). For further details visit and select ‘raising a concern’.