Privacy Notice

How We Use Your Information

Rowlands Castle Surgery


(Fair Processing Notice)

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way, and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

Who we are and what we do

Rowlands Castle Surgery is responsible for providing Primary Care Medical services for the local population of Rowlands Castle and the surrounding area.

Using your information



In order to support your care, health professionals maintain records about you. We take great care to ensure your information is kept securely, that it is up to date and accurate, and that it is used appropriately. All of our Practice staff are fully trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to. They will only access what they need to in order to book you an appointment, give general health advice, provide you with care and, if necessary, refer you to other services.



We collect staff personal confidential information for personnel purposes. This may include name, date of birth, address, health-related information, bank details and other correspondence.


What kind of information do we use?


As a General Practice we hold information about our patients and staff including medical records, complaints and concerns, and personnel records. The information they contain may include:


  1. Your contact details (such as your name, address, telephone numbers and email address, which may include your place of work and work contact details);
  2. Details and contact numbers of your next of kin;
  3. Your age range, gender, ethnicity, language, disability status, information we need to allow us to provide information in a more accessible format to you;
  4. Details in relation to your medical history (such as appointments, clinic visits, immunisations, emergency appointments etc.);
  5. The reason for your visit to the Surgery;
  6. Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Surgery involved in your direct healthcare including GP registrars and medical students, when appropriate.




Our CCTV covers the car park and reception area immediately in front of the front desk.  These recordings are held securely in the surgery.  They will only be accessed by the GP Partners, the Practice Manager or her Deputy in the event of a crime or a serious incident where the camera footage could act as evidence.  The footage will only be shared with those that have a specific, legitimate reason for viewing the data in accordance with GDPR and data protection regulations.


What do we use your Personal Confidential Data for?


The areas where we regularly use your personal confidential information include:


  • For your direct care needs
  • Responding to your queries, compliments or concerns
  • For the purposes of complying with the law e.g. Public Health, Police, Solicitors or Insurance companies
  • Anyone you have given your consent to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear about, and understand, how much and what aspects of your record you give permission to be disclosed.
  • Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.



The key Hub practices are as follows:

Rowlands Castle Surgery, Horndean Surgery, Clanfield Surgery, The Grange Surgery, Riverside Surgery, Badgerswood Surgery and Pinehill Surgery


We may share your information with other organisations


We may share pseudonymised, anonymised and aggregated statistical information with other organisations for the purpose of improving local services, research, audit and public health;  for example understanding how health conditions spread across our local area compared against other areas.


We do not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission (consented);
  • We need to act to protect children and vulnerable adults;
  • When a formal court order has been served upon us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
  • To check the quality and efficiency of the health services we provide
  • Prepare performance reports on the services we provide
  • Work out what illnesses people may have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future


The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre), with ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve.

A full list of details including the legal basis, any Data Processor involvement and the purposes for processing information can be found in Appendix A.


What safeguards are in place to ensure data that identifies you, our patient, is secure?


We only use information that may identify you in accordance with the Data Protection Act 2018. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.


Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. 


Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.


The Confidentiality: NHS Code of Practice applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice.


We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).


We ensure external organisations that process data and support us are legally and contractually bound to operate and proven security arrangements are in place where data that could or does identify a person are processed.


The practice has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian.  The contact details of our Caldicott Guardian are as follows:


Caldicott Guardian – Dr Brendon Hayes


How long do we hold information for?


All records held by the practice will be kept for the duration specified by  the NHS Records Management Code of Practice 2021.  Available from




The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

  1. Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you, please contact the surgery. We will provide this information free of charge; however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require. 

  1. Online Access

You may ask us if you wish to have online access to your medical record.  However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

For further information please see

  1. Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details, including your mobile phone number, have changed.

  1. Removal

You have the right to ask for your information to be removed; however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

  1. Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this; however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

  1. Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.



Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members. 


You have a right to opt out of data sharing and processing


The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’. 

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.  To support NHS constitutional rights, patients within England are able to opt out of their personal confidential information being shared by NHS Digital for purposes other than their own direct care. 

For further information please visit:


If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.  Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.

Patients should be aware that opting out of sharing information for your direct care may result in you being unable to access some services which require this consent.




Your GP surgery and NHS Digital take the responsibility for looking after care information very seriously. Please follow the NHS Digital links on how we look after information for more detailed documentation.


NHS England recognises the importance of protecting personal and confidential information in all that they do, all they direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.




Freedom of Information


The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.  You can request any information that the practice holds, that does not fall under an exemption.  You may not ask for information that is covered by the Data Protection Act under FOIA. 


Personal information cannot be provided under the FOI Act.

Your request must be in writing and can be either posted to: Rowlands Castle Surgery, 12 The Green, Rowlands Castle PO9 6BN or emailed to


For independent advice about data protection, privacy, data sharing issues and your rights you can contact:


Information Commissioner’s Office

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire, SK9 5AF


Telephone: 0303 123 1113 (local rate) or 01625 545 745


Email: or Visit the ICO website. 


Complaints or questions


We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.  The practice Complaints Procedure can be found on our website.


Please direct all complaints to the Practice Manager, Janine Leake.


Links to other websites


This privacy notice does not cover the links within this site linking to other websites.  We encourage you to read the privacy statements on the other websites you visit.


Changes to this privacy notice


We keep our privacy notice under regular review. 


Definitions of information/data:


  • Data Processor – An organisation or body that processes, reviews, updates or amends, or stores information about individuals.


  • Data Controller – An organisation or body that determines the purposes for which and the manner in which any personal data are processed.


  • Personal Confidential Information – this term describes personal information or data about identified or identifiable individuals, which should be kept private or secret. For the purposes of this notice ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.


  • Pseudonymised – this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.


  • Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified


  • Aggregated – anonymised information that is grouped together so that it doesn’t identify individuals


We are required by law to provide you with the following information about how we handle your information.

Data Controllers contact details


Dr B Hayes

Rowlands Castle Surgery, 12 The Green, Rowlands Castle PO9 6BN

Data Protection Officer contact details


Caroline Sims – You can contact Caroline at the Surgery email address:

Purpose of the processing


  • To give direct health or social care to individual patients.
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
  • To check and review the quality of care. (This is called audit and clinical governance).

Lawful basis for processing


These purposes are supported under the following sections of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and


Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’


Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data


The data will be shared with:

  • healthcare professionals and staff in this surgery;
  • local hospitals;
  • out of hours services;
  • diagnostic and treatment centres;
  • or other organisations involved in the provision of direct care to individual patients.


Rights to object


  • You have the right to object to information being shared between those who are providing you with direct care.
  • This may affect the care you receive – please speak to the practice.
  • You are not able to object to your name, address and other demographic information being sent to NHS Digital.
  • This is necessary if you wish to be registered to receive NHS care.
  • You are not able to object when information is legitimately shared for safeguarding reasons.
  • In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.




Right to access and correct

  • You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website –


Retention period


GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:


or speak to the practice.


Right to complain


In the event that you feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at Rowlands Castle Surgery.

Information about our complaints process is available at:


If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by going to or call the helpline 0303 123 1113


Data we get from other organisations

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service.










Appendix A

Who we share your information with and why



Clinical Commissioning Group

Purpose – Anonymous information is shared to plan and design care services within the locality

Legal Basis – non identifiable data only


Data Processor – Hampshire, Southampton and Isle of Wight CCG

Individual Funding Requests – The CSU

Purpose – We may need to share your information with the Individual Funding Request (IFR) team for the funding of treatment that is not normally covered in the standard contract


Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this.


Data processor – We ask NHS South, Central and West Commissioning Support Unit (CSU) to do this on our behalf.

Summary Care Records


Purpose – Limited personal identifiable data is shared with the Summary Care Record to help emergency doctors and nurses help you when you contact them when the surgery is closed.


Legal Basis – This is for your direct care and in an emergency – you can opt out of your record being shared


Data Processor – Central NHS database

In practice – text messages

Purpose – To keep you informed of appointments and include you in any health campaigns or services applicable to you.


Legal Basis – data is maintained and stored in practice.


Data Processor – GP Surgery

Care and Health Information Exchange (CHIE)

(Previously known as the Hampshire Health Record (HHR))

Purpose – The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton. GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems. It brings together information in your health records from different parts of the NHS to assist with your direct care – you may opt out of having your information shared on this system.  This record contains more information than the SCR, but is only available to organisations in Hampshire. For more information Visit


Legal Basis – This service is for your direct care


Data Processor – Local NHS organisation


Purpose – Is a database used for analysing trends in population health in order to identify better ways of treating patients.   CHIA is a physically separate database, which receives some data from CHIE.  Prior to this transfer from CHIE to CHIA patient identifiers are removed from the data.  This includes names, initials, addresses, dates of birth and postcodes.  NHS numbers are encrypted in the extract and cannot be read.  This process is called ‘pseudonymisation’.  This subset of data does not include information typed in by hand, so there is no possibility of it containing references to family members or other people.  It contains only coded entries for things like allergies and prescribed drugs.  It is not possible to identify any patient by looking at the ‘pseudonymised’ data on the CHIA database.  People who have access to CHIA do not have access to CHIE.  Data in CHIA is used  to plan how health and care services will be delivered in  future, based on what types of diseases are being recorded and how many are being referred to hospital etc.  Data is also used to help research into new treatments for diseases.


Legal basis – You can opt out of this service


Data processor – NHS SCW

General Practice Extraction Service (GPES)

Covid-19 Planning and Research data

Purpose : Personal confidential and Special Category data will be extracted at source from GP systems for the use of planning and research for the Covid-19 pandemic emergency period. Requests for data will be required from NHS Digital via their secure NHSX SPOC Covid-19 request process.  


Legal Basis : NHS Digital has been directed by the Secretary of State under section 254 of the 2012 Act under the COVID-19 Direction to establish and operate a system for the collection and analysis of the information specified for this service: GPES Data for Pandemic Planning and Research (COVID-19). A copy of the COVID-19 Direction is published here:


Patients can register an opt out from their data being used for research  and future planning by NHS England by visiting

or by calling 0300 303 5678

Patients who have expressed an opt out preference via Type 1 objections with their GP surgery not to have their data extracted for anything other than their direct care will not be party to this data extraction.


Processor : NHS Digital

Community Nursing -

Complex Care Team

Diabetes Team

Home Visiting Service

Leg Ulcer Service

Heart Failure Service

Multi-Disciplinary Team

District Nurses



Purpose - We will enable the Community Nursing Team to have access to your medical record to allow you to receive care from the community nurses for the services listed.


Legal Basis – These services are for your direct care and are fully consented; permission to share your medical record will be gained prior to an appointment being made in the service


Data processor – Your registered surgery will continue to be responsible for your full medical record



Pharmacists from the CCG

Purpose – to provide monitoring and advice in line with the national directive for prescribing.  Anonymous data is collected by the CCG.


Legal Basis – direct care


Data Processor – Hampshire, Southampton and Isle of Wight CCG

MASH – Multi Agency Safeguarding Board - Safeguarding Children

Safeguarding Adults

Purpose – We share information with health and social care authorities for safeguarding issues


Legal Basis - Because of public interest issues, e.g. to protect the safety and welfare of Safeguarding, we will rely on a statutory basis rather than consent to share information for this use.


Data Processor – Multi Agency Safeguarding Authorities.

Risk Stratification

Purpose – Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.


Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP practice record systems.


GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.


Legal Basis - Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority


NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable hospital admissions and to promote quality improvement in GP practices.


Data Processors – NHS South, Central and West Commissioning Support Unit (CSU) to assist us with providing Risk Stratification tools.


Data Processing activities for Risk Stratification – The GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number. 


Opting Out - If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice.  They can add a code to your records that will stop your information from being used for this purpose.  Further information about risk stratification is available from:

Quality monitoring, concerns and serious incidents

Purpose – We need to ensure that the health services you receive are safe, effective and of excellent quality.  Sometimes concerns are raised about the care provided or an incident has happened that we need to investigate.  You may not have made a complaint to us directly but the health care professional looking after you may decide that we need to know in order to help make improvements.


Legal Basis – The health care professional raising the concern or reporting the incident should make every attempt to talk to you about this and gain your consent to share information about you with us.  Sometimes they can do this without telling us who you are.  We have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, in securing continuous improvement in the quality of services provided.


Data processor – We share your information with health care professionals that may include details of the care you have received and any concerns about that care.  In order to look into these concerns we may need to talk to other organisations such as Hampshire, Southampton and Isle of Wight CCG as well as other Public bodies and Government agencies such as NHS Improvement, the Care Quality Commission, NHS England as well as the Providers of your care.

Commissioning, planning, contract monitoring and evaluation

Purpose – We share aggregated, anonymous, patient data about services we have provided. 


Legal Basis - Our legal basis for collecting and processing information for this purpose is statutory.  We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you. 


If patient level data was required for clarity and extensive evaluation of a service, consent will be gained for the surgery to share this information.


Data Processor – Various organisations, CCG, third party organisations commissioned by the NHS to perform actuarial services, NHS England


eConsult –  anonymised aggregated numbers of contacts are shared for the online consultation tool

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Surveys and asking for your feedback

Sometimes we may offer you the opportunity to take part in a survey that the practice is running. We will not generally ask you to give us any personal confidential information as part of any survey. 


Legal Basis – you are under no obligation to take part and where you do, we consider your participation as consent to hold and use the responses you give us.


Data Processor – GP Surgery

Care Quality Commission

CQC has powers under the Health and Social Care Act 2008 to access and use information where they consider it is necessary to carry out their functions as a regulator.

CQC relies on its legal powers to access information rather than consent, therefore may use its powers to access records even in cases where objections have been raised.

CQC Privacy Notice is available on the CQC website



Purpose - To support research oriented proposals and activities in our commissioning system


Legal Basis - Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. 


Purpose - To support disease monitoring and health prevention for specific patients


Legal Basis - Your consent is sought either implicitly or explicitly.  You are invited to be screened either by the practice or the screening provider directly.  You can choose to consent or dissent at any point in the screening.

Hampshire County Council

Purpose - To support disease monitoring and health prevention for specific patients


Legal Basis - Your consent is sought either implicitly or explicitly.  You are invited to be screened either by the practice or the screening provider directly.  You can choose to consent or dissent at any point in the screening.

Other organisations who provide support services for us



Purpose - The Practice may use the services of additional organisations (other than those listed above), who will provide additional expertise to support the Practice.  This will only be with your express consent


Legal Basis - We have entered into contracts with other organisations to provide some services for us or on our behalf. 


Continence & Stoma Service – for direct care in providing continence products and monitoring.


i-Talk - Counselling service


Dementia Friendly


Health Visitors

Palliative Nurses

Clinical Waste

GP Connect: We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.
The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services. 
GP Connect is not used for any purpose other than direct care.

Legal basis - 6.1.e - NHS Contract authority; 9.2.h - delivery of direct health care