Data Privacy Notice

Why we collect your data

Stansted Surgery collects personal data of its registered patients in order to provide the best possible health care to those patients.

  • We collect data about your NHS number, name, address and date of birth details so that we can verify your identity when we provide you with health care.
  • We collect data about your contact details so that we can contact you regarding your direct health care.
  • We collect medical information about you in order to inform decisions about your health care.
  • We collect medical information so we can contact you for the purpose of taking part in clinical research studies

What data we collect about you

When you register at Stansted Surgery, you will sign an NHS registration form. This gives your consent to your previous GP surgery to send any medical records held about you to us. 

We add to these medical records every time you interact with the surgery regarding your direct health care, including booking appointments, issuing medication, attending the surgery for a consultation, or making a referral on your behalf.

Your medical records held at Stansted Surgery consist of:

  • Your medication, past and present
  • A history of medical consultations and the problems addressed in those consultations
  • A history of medical diagnoses
  • A history of diagnostics and test results
  • A history of immunisations and allergies
  • A history of referrals
  • Clinical letters and discharges sent to your GP by hospitals and other health care institutions
  • A history of appointments

We only collect information relevant to your health care on your medical record.   However, this does sometimes include details of social support and care packages where these are relevant to your health care.     


How we use your data




We respect the confidentiality of our patients’ data, and understand that confidential information is provided by patients to an individual clinician within the confines of a consultation. 

Our clinicians work as a team to provide the best possible care to our patients.  Patients may see different doctors, nurses and healthcare assistants in Stansted Surgery over time, and those doctors and nurses will access records of previous consultations in order to provide continuity in your care.   

Clinicians also consult each other about individual patients on occasion, in order to check their thinking and ensure the patient is given the best possible advice.   The clinician will normally tell you that they are going to do this. When you need to be referred to Secondary Care, a summary of your medical records may be shared with the hospital, to enable them to provide you with the best possible care.


Allied Health Professionals


We have a number of allied health professionals who, while not employed by Stansted Surgery, work closely as part of the clinical team at Stansted to provide direct patient care.  This includes District Nurses; Health visitors; School Nurses; Midwifes; Cambridge University Medical Students, Visiting Paramedics, and Dietician (for diabetic clinics). These individuals sign a confidentiality agreement with Stansted Surgery, and may access aspects of your medical record where relevant to providing you with direct patient care. 


Non-Clinical Staff


Our administrative staff accesses your medical records in order to support the doctors and nurses providing your care.  For example, the medical secretaries will access your records to process a referral made by the doctor on your behalf.  Receptionists will access your records to provide you with test results once the doctor has reviewed those test results.


Using your data for purposes other than direct patient care


We use your contact details to send text messages like appointment reminders, and to e-mail newsletters and similar bulk e-mail communications.  New patients are asked to opt in or out of this.  Once opted in, you can opt out at any time.


How we protect your data

Medical records access is controlled by NHS “Smartcards” individual to each staff member or allied health professional. Smartcards are issued following identity checks conducted by the local NHS Smartcard Team. All staff have annual training in information governance, and all staff have confidentiality clauses written into their employment contracts.  In addition, each time someone accesses your medical record, be it a doctor or a member of staff, an audit trail is created.  Any inappropriate access by staff, or any misuse of confidential information, would potentially constitute gross misconduct.   Your medical records are stored electronically on our clinical system, EMIS.  EMIS is a national supplier of clinical systems for GPs, and is accredited by the NHS.  We also have paper copies of medical records that pre-date automated transfer of medical records between surgeries.  These are stored in an area not accessible by patients, and locked overnight.


Sharing your data for direct patient care

We share your data with other health care providers for the purposes of direct patient care.  Except in exceptional circumstances (see below), this will always be with your consent.  For example, you and your GP may agree that it is appropriate to refer you to a hospital consultant.  Your consent to the referral implies that you are consenting to your GP sharing relevant parts of your medical record with the consultant and his team.  We share your data with Stellar Health Care who are contracted by West Essex CCG to provide extended hours GP and nursing appointments in evenings and weekends at Saffron Walden and Great Dunmow. The clinician who sees you at these appointments should always ask for your consent prior to accessing your data on EMIS.  Unless you have opted out, we share your “Summary Care Record” on the NHS Spine, where it can be accessed by hospitals and other NHS organisations, for example, A&E.  The clinician who sees you should always ask for your consent prior to accessing your data.  For diabetic patients, we share your data with Health Intelligence who are contracted to run the Diabetic Retinal Screening for North and West Essex.  New diabetic patients will be asked to opt into this.  You can opt out at any time.  


Sharing data for direct patient care without your consent.

We will share data about you for the purpose of direct patient care but without your consent where:

  1. We are required to do so by law
  2. There is an immediate and significant risk to your, or somebody else’s safety. 
  3. A doctor takes the view that it is in your best interests to do so, and that you do not have the mental capacity to take the decision yourself.

 Sharing Data for Research and to comply with legal obligation


Stansted Surgery is active in medical research to support the effectiveness and safety of medicines and medical devices.  Participation in most research projects is with your explicit consent – which must be freely given, specific, informed and unambiguous.  However, there are also some research projects where we contribute anonymised data.  You can opt in or out of these. From time to time, this practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.  Currently, we participate in the National Diabetes audit.  New patients are asked to opt in or out of this.  Once opted in, you can opt out at any time.  In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.


Your rights

You have a right to access your medical record.  We can provide you with secure on-line access, or we can e-mail electronic copies, with your consent and understanding that you are responsible for the security of your e-mail account. Any information concerning third parties (e.g. other family members) will be removed from your record before we provide access. 

You have a right to have inaccurate data corrected.  We will investigate any reported inaccuracies, and where appropriate make a correction, with an audit trail of what was corrected and why.

Your medical records will be retained until death, at which point they are sent from the surgery to a central NHS body, from where they can be retrieved by individuals with a legal right to do so.


You have the right to lodge a complaint with the Information Commissioner’s Office (ICO).