Privacy Notice

How we use your personal information

At Manor Brook Medical Practice we are committed to protecting and respecting your privacy and will only process personal confidential data in accordance with the General Data Protection Act (GDPR).

This policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

Manor Brook Medical Practice is the Data Controller under the terms of the General Data Protection Act. We are therefore legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is done in compliance with the GDPR. Our ICO Data Protection Register number is Z7083127 and our entry can be found in the Data Protection Register on the ICO website.

Everyone working for Manor Brook Medical Practice has a legal duty to keep information about you confidential. All of our staff receive appropriate training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

This fair processing notice explains why the GP practice collects information about you and how that information may be used.

We will only use and process your personal data for:

Maintaining your health record and any treatment or care you have received previously (e.g. NHS Trust, A&E, Walk-In Clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records we hold about you may include the following information:

  • Details about you, such as your address, contact details, carer, Next of Kin details etc.
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations
  • Relevant information from other health professionals, relatives or those who care for you
  • Sensitive information, such as racial, ethnic origin, religious beliefs and sexual orientation
  • Criminal offence information and/or safeguarding

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose. We will not use your personal data for an unrelated purpose without informing you and the legal basis that we intend to rely on for processing it.

Health Risk Screening/Risk Stratification

Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, [NHS number/HCN number/ CHI number], diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition;
  • Prevent an emergency admission;
  • Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
  • Review and amend provision of current health and social care services.

Primary Care Fair Processing Notice

Your GP will use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are arranged by [your local CCG/Health Board] in accordance with the current Section 251 Agreement. Neither the CSU nor your local CCG will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.

As mentioned above, you have the right to object to your information being used in this way. However you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.

Closed Circuit Television

The Surgery uses closed circuit television (CCTV) images to provide a safe and secure environment for employees and for visitors to the Surgery’s premises.

This policy sets out the use and management of the CCTV equipment and images in compliance with the Data Protection Act 1998, the CCTV Code of Practice and the GDPR 2018.

The Surgery’s CCTV facility records images only. There is no audio recording.

Purposes of CCTV

The purposes of the Surgery installing and using CCTV systems include:

  • To monitor the security of the Surgery’s business premises.
  • To ensure that health and safety rules and Surgery procedures are being complied with.
  • To assist with the identification of unauthorised actions or unsafe working practices that might result in disciplinary proceedings being instituted against employees and to assist in providing relevant evidence.
  • To assist in the prevention or detection of crime or equivalent malpractice.
  • To assist in the identification and prosecution of offenders.

Telephone Recording

The practice has a telephone system in place that records all incoming and outgoing conversations for period of 3 years. Like many other organisations, this is a standard practice that allows the recording of telephone calls for quality monitoring, training, compliance and security purposes.

Medicine Management

The Practice may conduct Medicine Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. The practice works closely with the Clinical Commissioning Group medicines management team.

Patient and public involvement

If you are a member of the GP practice patient participation group (PPG) information will be held about you so the practice can keep you informed regarding the work the practice is involved in, as well as details of meetings and consultation events. When you submit your details to us for involvement purposes, we will only use your information for this purpose and you can opt out at any time by contacting the practice on 020 8856 5678.

Accessible Information Standard and translation services

In line with the Accessible Information Standard (AIS) which was introduced in July 2015, the practice aims to ensure that people who have a disability, impairment or sensory loss receive information that they can access and understand. For example, in large print, braille or via email or professional communication support if it is required. i.e. British Sign Language (BSL) interpreter.

The GP practice also offers translation services to support patients with their translation needs.

In both cases, this will require support from another service provider to assist with your requirements. Organisations that provide these services may maintain small amounts of information about you, such as your name, address, contact and NHS number.

When these services are used, it will be done so with your consent and the information you provide will be handled in strict confidence in line with the data protection laws.

Your preferences for communication can be provided to the GP practice and will be registered on your records.


The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is always kept secure and confidential.

Where possible, researchers will make efforts to take out any information that could identify you, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit permission (consent).

Further information regarding how information is used for research and planning can be found below under ‘National Data Opt-Out’

Safeguarding adults and children

Sometimes, health and social care professionals may need to share information so that other people, including healthcare staff, children or other safeguarding needs are protected from risk of harm.

These circumstances are rare and we do not need your consent or agreement to do this.

People’s wellbeing is at the heart of the care and support system under the Care Act 2014 and the prevention of abuse and neglect is one of the elements identified under a person’s wellbeing.

Our GP practice is committed to working in partnership with local authorities and the Clinical Commissioning Group’s safeguarding team to fulfill their safeguarding responsibilities.

GP practice website

As part of the enhanced services available on the GP practice website, personal information will be gathered when accessing on-line consultation services, such as, name, address/postcode, date of birth, gender, phone number and email address.

Staff and job applications

When individuals apply to work at our practice the information is used to process applications and recruit GP practice staff. Where the GP practice needs to disclose information to a third party, for example, to gain a reference, or to obtain a ‘disclosure’ from the Disclosure and Barring Service, the GP practice will not do so without informing the applicant beforehand, unless the disclosure is required by law.

Once a person has taken up employment the GP practice will maintain an employment file. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person’s employment.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Processors of personal data

In order to deliver the best possible service, the practice contracts Processors to process personal data, including patient data on our behalf.

When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:

Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services and document management services.

  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Sharing information for your care and well-being

We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.

Healthcare staff working in A&E/Urgent Care Centres and the out of hours GP care service will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions and the medication you are taking. This will involve the use of your Summary Care Record For more information see: or alternatively speak to your practice.

Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This may include your name, address, NHS number and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as;

  • Through a court order, where a judge has ordered that specific and relevant information should be disclosed – in such an event as preventing crime or fraud
  • When it is necessary for the reasons of public interest in the area of public health such as protecting again serious cross-border threats to health, such as a flu pandemic or rare infectious disease
  • When it is necessary to protect the vital interests of an individual to protect the safety and welfare of vulnerable children and adults
  • When there are specific lawful conditions to do so under the General Data Protection Regulations; or any subsequent data protection laws.

Caldicott Principle 7

The duty to share information can be as important as the duty to protect patient confidentiality. This means that health and social care professionals will share information in the best interest of their patients with the framework which is set out in the Caldicott principles.

Caldicott Guardian details

All NHS organisations are required to nominate a Caldicott Guardian. This role has the responsibility for protecting the confidentiality of patient information and enabling appropriate information sharing.

The name of our GP practice Caldicott Guardian is:

Dr Shikha Singh

National data opt-out preference

The National data-opt-out was introduced on 25 May 2018, following recommendations of the National Data Guardian review of Data Security, Consent and Opt-Outs. This enables patients to opt out from their data being used for research and planning purposes.

Patients and public who decide they do not want their personal identifiable data used for planning and research purposes will be able to set their national opt-out preference.

Residents have the right to opt out of their personal identifiable data being used for the following purposes.

  • Providing local services and running the NHS and social care
  • Supporting research and improving treatment of care

To set an opt-out preference, NHS Digital provides an online and non-digital non-digital national data opt-out service.

For further information on the National Data Opt-out and to see how ‘Your Data Matters’ please visit Or call 0300 303 5678 (Monday to Friday, 9am to 5pm, excluding bank holidays).

Exceptional circumstances

The opt-out will not apply where there is a mandatory legal requirement or an overriding public interest. These will be areas where there is a legal duty to share information (for example a fraud investigation) or an overriding public interest (for example to tackle Ebola and Covid-19 ).

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • Public Health England
  • GP’s (including Primary Care Networks)
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups (CCG)
  • Social Care Services
  • NHS Digital
  • Health and Social Care Information Centre (HSCIC)
  • Primary Care Support England (PCSE)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police and Judicial Services
  • National Screening Programmes – Bowel Cancer, Breast Cancer, Cervical Cancer, Aortic Aneurysms etc.
  • Other organisation for your care (eg iPlato)

You will be informed who your data will be shared with and in some cases asked for explicit consent when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Sharing your information to improve your care

To be able to provide the best care for our patients a system called Connect Care was developed. A similar system called Local Care Record is used in other parts of south east London. These systems allows GP staff, hospital staff, district nurses and other local organisations involved in your care to share important information about the people they care for. This could include checking which medications a patient is taking or a child’s immunisation history.

Only authorised staff will have access to these systems on a need to know basis and the information is operated over a secure network.

You will be asked your permission at the point of care before viewing your record. If you are unable to give permission e.g. in an emergency, your care provider may access your record if they believe it is in your best interest.

Health providers who have access to your records will be better informed about your care and it enables faster and effective delivery of your care, without the need for sharing information by letter, email, fax or phone.

You have the right to choose not to have your information available through Connect Care and the Local Care Record. If you don’t want your information to be available through this service and want to find out how to opt-out, or want to find out how this might affect your care, visit the Connect Care web page. If you do not have access to the website, you can call 020 8836 4592 and leave your name and number for someone to contact you.

Our Healthier South East London (OHSEL)

Our Healthier South East London (OHSEL) is a partnership of health and social care providers and professionals who provide health and care services for people living in South East London, London, nationally and internationally. More information about the services provided and the can be found on the OHSEL website, along with details of their privacy notice.

Ways we may communicate with you

Our practice may need to contact you for a variety of reasons including to:

  • discuss your care and treatment
  • Offer you a new appointment or alter an existing one
  • Send you a reminder of an existing appointment
  • Ask your opinion of our services
  • Tell you about other care services (such as flu jabs)
  • Arrange for a home visit
  • If you are a member of the patient participation group

It is important to confirm with your GP practice your communication preferences at the time of registering.

Our standard way to contact you is by letter or telephone. We may also use SMS text messaging.

When our practice uses text messaging services, no confidential information will be contained in the message; it will generally be a reminder for an appointment or care service message.

It is important that you advise your GP practice of any change of details in relation to your phone and contact details as soon as possible.

You can change your communication preferences or opt out of the SMS text service at any time by contacting the surgery. (Please note: Changes of address must be done in writing or in person at the surgery and will not be taken over the telephone).

Access to Personal Information

You have a right under the Data Protection Act 1998 to request access to view or to obtain copies of information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the GP. For information regarding the hospital, please contact them directly
  • No fee will be charged for this service, unless a request is manifestly unfounded, excessive or repetitive.
  • We are required to respond to you within 30 days
  • You will need to give adequate information (e.g. full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located. You must also provide signed consent.

GP patient on-line service

Patients with access to internet or a personal computer can register for ‘Patient On-line service’. Patients can sign up and register with the practice to view parts of your GP record, including information about medication, allergies, vaccinations, previous illnesses and test results. This service also offers booking and cancelling appointments on-line and ordering repeat prescriptions. For more information see GP Online services.

Other additional information rights

As well as the right to have access to your personal information, under the data protection laws of 2018, individuals also have;

  • the right to be informed (Through this privacy notice and other methods of communication)
  • the right for information to be rectified
  • the right to erasure (subject to conditions, and does not include information relating to your care)
  • the right to restrict processing
  • the right to portability
  • the right to object
  • rights in relation to automated decision making and profiling

There are various exception and circumstances where your request may be refused and therefore individuals should always consult with their GP when making a request under your individual rights.

Can I access the records of my children?

You may be able to access the records of your child/children. However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child/children.

As above, there may be legal exceptions when it will not be appropriate or possible to obtain information, such as safeguarding or a court order.

To apply for access, please use the procedure above.

To carry out your rights or request a copy of your information please contact:

Data Controller Lead
Name: Dr Jonathan Kingston
Address Manor Brook Medical Practice, 117 Brook Lane, London, SE3 0EN
Contact: 020 8856-5678

How long do we keep your information?

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:

Transfer of information outside the European Union to third countries or international organisations.

There are legal restrictions imposed on health and care organisations regarding the transfer of personal data outside the European Union, to third countries or international organisations. Our GP practice does not share or transfer information outside of the European Union, to third countries or international organisations.

Automated individual decision-making (Profiling)

Automated individual decision-making is defined as making decisions or evaluating things about an individual solely by automated means without any human involvement.

Most GP practices in Bexley provide an on-line healthcare consultation process which provides self-care advice. This on-line consultation service may use automated clinical decision making tools.

Personal data breaches

All organisations that process personal data have a duty to report certain types of personal data breach to the Information Commissioners Office within 72 hours of an incident occurring.

Use of Cookies

We use Google Analytics software on this site to anonymously track how visitors interact with our website, This includes identifying:

  • the pages visited on the site
  • how long the visitor spends on each page
  • how visitors got to the site
  • what visitors click on while visiting the site

We do this to make sure the site is meeting the needs of visitors and to help us make improvements.

We do not use cookies to track the identity of visitors or the information they have entered into the site.

Consent to Use Cookies

You give us consent to using cookies for analytic purposes if you continue to use the site. Alternatively, you can switch off cookies in your browser and the site will still work normally.

Change of Details

You have a responsibility to inform us of any changes, e.g address, contact numbers or change of name (you would have to provide legal proof for the latter), so our records are accurate and up to date for you.


The GDPR requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioners Office website

The practice is registered with the Information Commissioners Office. Our Registration number is A8309658

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  • It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  • This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  • More information about NHS Digital and how it uses information can be found at:

Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
  • For more information about the CQC see:

Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to local health protection team or Public Health England.
  • For more information about Public Health England and disease reporting see:

What to do if you have any questions?

Should you have any concerns about how your information is managed at the practice, please contact the practice.

If you are still unhappy following a review by the GP practice, you can contact NHS England or the Information Commissioners Office.

NHS England leads the National Health Service (NHS) in England and set the priorities and direction of the NHS and encourages and informs the national debate to improve healthcare. The NHS England website provides information on how to provide your feedback or make a complaint.

The Information Commissioners Office is a UK independent body which has been established to uphold information rights for individuals.


Data Controller contact details

Name: Dr. Jonathan Kingston
Telephone: 020 8856 5678

Data Protection Officer contact details

Name: Dr. Shikha Singh
Telephone: 020 8856 5678

Purpose of the processing

  • To give direct health or social care to individual patients.
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
  • To check and review the quality of care. (This is called audit and clinical governance).

Retention period

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: or speak to the practice.

Lawful basis for processing

These purposes are supported under the following sections of the GDPR: 

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Right to access and correct

  • You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff.
  • We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Rights to object

  • You have the right to object to information being shared between those who are providing you with direct care.
  • This may affect the care you receive – please speak to the practice.
  • You are not able to object to your name, address and other demographic information being sent to NHS Digital.
  • This is necessary if you wish to be registered to receive NHS care.
  • You are not able to object when information is legitimately shared for safeguarding reasons.
  • In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.

Right to complain

Should you have any concerns about how your information is managed by the Practice, please contact the Office Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via their website, e-mail:, telephone: 0303 123 1113
If you have any concerns about how your data is shared then please contact the Office Manager