Privacy Policy

Data Protection Privacy Notice

General Practices are usually the first point of contact if you have a health problem.  They can treat many conditions and give health advice.  They also refer patients to hospitals and other medical services for urgent and specialist treatments.

The data we hold may also be used to shape the way we work together to plan service improvements, improve the health and wellbeing of our communities, and take action to prevent illness and disease for individuals as well as wider communities.

The categories of personal information

Dependent on the purpose of processing, different categories of data may be used by the Practice.  Data can be categorised using the following terms:

Anonymised data – data where personal identifiable identifiers have been removed. Data protection laws and the Common Law of Confidentiality to do not apply to anonymised data.  
Pseudonymised data – data where any information which could be used to identify an individual has been replaced with a fake identifier.  Pseudonymised data remains personal data and as such the Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.
Person identifiable information (or personal data) – any information about an individual from which, either on its own or together with other information, that person may be identified. The Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.


To find out more about the data processed for each purpose, please click on the links below (The Purpose(s) of Processing).

In addition to the above types of data, some information is considered protected regardless of the purpose of processing; this information does not form part of your shared care record and is not disclosed to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on such information.

The purpose(s) of processing personal data

The Sellindge Surgery processes data for the following purposes:


What is the lawful basis for the sharing?

Each purpose of sharing has its own lawful basis, and these can be found in detail on the associated Privacy Notices above.

Organisations we share your personal information with

Personal Data (including special category data) will only be shared between the general Practice and health and social care organisations that have signed a Joint Controller or Data Processing Agreement. These currently include:

  • Dartford and Gravesham NHS Trust (D&G)
  • East Kent Hospitals University NHS Foundation Trust (EKHUFT)
  • Medway Maritime Hospital - Medway NHS Foundation Trust (MFT)
  • Maidstone and Tunbridge Wells NHS Trust (MTW)
  • Kent and Medway Partnership NHS and Social Care Partnership Trust (KMPT)
  • North East London Foundation Trust (NELFT)
  • Kent Community Health NHS Foundation Trust (KCHFT)
  • HCRG Care Group Limited
  • Medway Community Healthcare (MCH)
  • South East Coast Ambulance Service (SECAmb)
  • Integrated Care 24 (IC24)
  • Out of hours providers (currently IC24, SECAmb, MCH and KCC Children’s Services)
  • NHS Kent and Medway
  • Kent County Council (children and adults social care departments) (KCC)
  • Medway Council (children and adults social care departments) (MWC)
  • GP federations.
  • Other Practice’s that form the Tunbridge Wells Primary Care Network
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Health care partnerships
  • Other Primary Care networks that we work in partnership with Tonbridge
  • Mental Health providers
  • Community trusts
  • Kent County Council/Medway council Social Care Services
  • NHS England
  • Local Authorities
  • School Nurse
  • Police & Judicial Services

How long do we keep your record?

The Practice maintains your records in accordance with the NHS Records Management Code of Practice 2021



How we keep your personal information safe and secure

To protect personal and special category data, we make sure the information we hold is kept in secure locations and access to information is restricted to authorised personnel only.

Our appropriate technical and security measures include:

  • all employees and contractors who are involved in the processing of personal data are suitably trained, on an annual basis, in maintaining the confidentiality and security of the personal data and are under contractual or statutory obligations of confidentiality concerning the personal data.
  • robust policies and procedures for example password protection
  • technical security measures to prevent unauthorised access
  • use of ‘user access authentication’ mechanisms to make sure all instances of access to any personal data held on clinical systems are auditable against an individual, such as role-based access and Smartcard use to make sure appropriate and authorised access reminding staff of their responsibilities in complying with data protection legislation
  • encrypting information transmitted between partners
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • completion of the Data Security and Protection Toolkit (DSPT) an annual self-assessment requirement that ensure organisation are compliant with the latest data protection and cyber requirements.
  • regular audit of policies and procedures to ensure adherence against these criteria


The NHS Digital Code of Practice on Confidential Information applies to all staff who access clinical systems. They are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. 


What are your rights?

Under data protection legislation, you have the right:

  • to be informed of the uses of your data: this enables you to be informed how your data is processed
  • of access: this enables you to have sight of or receive a copy of the personal information held about you and to check the lawful processing of it
  • to rectification: this enables you to have any incomplete or inaccurate information held about you corrected
  • to erasure: this enables you to request we erase personal data about you we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding lawful grounds to continue to process your data
  • to restrict processing: this enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it
  • to data portability: this enables you to transfer your electronic personal information to another party, where appropriate.
  • to object: this enables you to object to processing of personal data about you on grounds relating to your situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
  • in relation to automated decision making and profiling: this enables you to be told if your data is being processed using automated software in relation to automated decision making and profiling note: No automated decision making or profiling is undertaken by the Practice.


Please note not all these rights are absolute, please see our ROPA for more details

If you wish to exercise your rights in any of the ways described above, you should in the first instance contact Kingswood surgery,

Right to complain

You can get further advice or report a concern directly to


Our Data Protection Officer function is provided by NHS Kent and Medway who can be contacted via email

You also have the right to contact the UK’s data protection supervisory authority (Information Commissioner’s Office) by:

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Phone: 0303 123 1113 (local rate) or 01625 545745 (national rate)

Information about the way in which the NHS uses personal information and your rights is published by NHS Digital.

The NHS Constitution

The constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you will receive, the treatments and programmes available to you, confidentiality, information and your right to complain, if things go wrong.


NHS England

NHS England collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.


Reviews of and changes to this privacy notice

We will review the information contained within this notice regularly and update it as required. We therefore recommend you check this webpage regularly to remain informed about the way in which we use your information.



Same Day Access Hub (SDAH) - to support the winter pressures and increase capacity within primary care enabling more face to face appointments to be made available to meet demand.

Same Day Access Hub (SDAH) – the purpose of SDAH is to support the winter pressures and increase capacity within primary care enabling more face to face appointments to be made available to meet demand.


The source of the information shared in this way is your electronic GP record that is accessed at a central or hub level. A constituent GP practice completes a cross organisational appointment booking from their clinical system within which the patient is registered to the central Clinical Service appointment book. Although this central clinical system will not hold patients’ healthcare information, it will contain the appointment booking itself which will include the patient’s full name, date of birth, age, NHS number and the reason for the appointment booking.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Any data (booking information) held by the hub will also be retained for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following UK GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;


The processing of special categories of personal data concerning health is permitted under the following UK GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;


In accordance with DPA Schedule 1, Part 1, (2) -health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 You have the right to:

  • To access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
  • accuracy of the data is contested,
  • the processing is unlawful or,
  • where we no longer need the data for the purposes of the processing.


Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.


If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.


Right to complain: If you are dissatisfied with the way your GP Practice process your data, please contact your GP practice directly in the first instance via the ‘Contact Us’ section on our website.

Related Legislations:

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

You can also contact the Ashford GP Federation via for strictly Federation related enquiries.

You also have the right to appeal/complain to the Information Commissioner’s Office (IC0). The IC0 can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane



Tel: 0303 123 1113 or 01625 545 745