GDPR & Practice Policies




Your information, your rights

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).  

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system. 

This notice reflects how we use information for: 

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future. 


Data Controller

As your registered GP practice, we are the data controller for any personal data that we hold about you.

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether received directly from you or from a third party in relation to your care. 

We will collect the following types of information from you directly, or about you from a third party (provider organisation) engaged in the delivery of your care: 

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data.  This includes, but is not limited to name, date of birth, full postcode, address, next of kin and [NHS number/HCN number/ CHI number]; 
  • ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.


How the NHS and care services use your information

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g., from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services).  These records may be electronic, a paper record or a mixture of both.  We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Aryan Medical Centre is one of many practices working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments 
  • preventing illness and diseases
  • monitoring safety
  • planning services


This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. 


National Data Opt-Out

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone 
  • See the situations where the opt-out will not apply


You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)


You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. 

Our organisation is currently compliant with the national data opt-out policy.

Why do we collect this information?

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.  To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests;
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult; 
  • Perform tasks in the public’s interest;
  • Deliver preventative medicine, medical diagnosis, medical research; and
  • Manage the health and social care system and services. 


Who will we share your information with? 

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

  • Local GP Practices, as part of a Primary Care Network (PCN), in order to deliver extended primary care services
  • NHS Secondary Care, i.e. Hospitals 
  • 111 and Out of Hours Service
  • Local Social Services and Community Care services
  • Voluntary Support Organisations commissioned to provide services by [Mid & South Integrated Care System]


Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations. 

Your information will not be transferred outside of the European Union. 

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care. 

In addition, we receive data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve “out of hospital care”.

My Care Record

Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.

My Care Record is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This will make it easier and faster for them to make the best decisions. For example, a doctor treating you in hospital or a nurse working in the community could view the information they need from your GP record.

Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed.

The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.

The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.

You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.

It is important to understand that not allowing access to your information may affect the quality of the care you receive.

In many situations it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.

There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety. Please see the My Care Record website for more information.

More information about the areas where your information may be used can be found on the My Care Record website My Care Record: Privacy Notice

Primary Care Networks

Many people are living with long term conditions such as diabetes and heart disease or suffer with mental health issues and may need to access their local health services more often.

To meet these needs, GP practices are working together with community, mental health, social care, pharmacy, hospital, and voluntary services in their local areas in groups of practices known as primary care networks (PCNs).

PCNs build on existing primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care for people close to home. Clinicians describe this as a change from reactively providing appointments to proactively caring for the people and communities they serve.

We are part of the East Basildon PCN (Primary Care Network) which is a network of GPs practices established to provide integrated services to the local population. Members of the network are:

  • Aryan Medical Centre
  • Matching Green Medical Centre
  • Felmores Medical Centre
  • Sr Sims and Partners

By operating as a network, we as the PCN are responsible for delivering the following services working collaboratively with other providers:

Social Prescribing; Covid Vaccination Programme; First Contact Physiotherapy; First Contact Psychological Wellbeing Practitioner

Where necessary and relevant to support your direct care, we will share your confidential patient information with members of our network and with our collaborative organisations to support safe, efficient and effective care and treatment.

If you are not happy for your health data to be shared with the organisations detailed above if you wish to access PCN services, then you can object to this. To do so you should contact your registered Practice so they can discuss the potential impact this could have on your care and treatment.

Data Processors

Data processors act on behalf of the Practice, as a data controller and under our authority. In doing so, they serve our interests rather than their own. A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.

The following is a list of processors that the practice has engaged, and a description of the work they carry out on our behalf:

  • The Phoenix Partnership (TPP)
    • SystmOne (GP clinical system) – The practice uses a computer system to record and store patient’s clinical information, this is provided by TPP. All information recorded within the system is held on TPP servers, accessible to the practice over the secure Health and Social Care Network (HSCN). All data processed by TPP is used and stored within the UK.
  • Mid & South Essex Integrated Care Board (ICB)
    • Information Governance (IG) [& Data Protection Officer (DPO)] Services – The IG service supports the practice with GDPR and Data Protection compliance, including advice and assistance with breaches of legislation, data subjects’ rights and other data protection issues raised by patient’s or public, as well as helping with completion of the Data Security & Protection Toolkit, and data protection impact assessments. [The DPO service provides a named experienced IG professional within the team to act on behalf of the practice as their Data Protection Officer, to assist monitoring internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).]
  • Arden & GEM Commissioning Support Unit (CSU)
    • Primary Care Enabling Services (IT) – The IT service includes access to the secure network (including HSCN) and cyber security, including electronic storage of information on hosted servers.
    • Business Intelligence (BI) – The BI function within the CSU, receives pseudonymised patient data, combines this with other pseudonymised data sets provided by the ICB (including hospital, community, mental health and ambulance data), then supports practices with analysis of that information, in order for the practice to better target services to their population. This includes population health management and risk stratification (more detail on these programmes of work is available below).
  • NHS Digital
    • Data Services for Commissioners Regional Office (DSCRO) – Hosted within Arden & GEM CSU, but contracted to work for NHS Digital, the DSCRO receives clear patient identifiable information and applies a key to scramble this information, this is called pseudonymisation and renders the data essentially anonymous although still linkable across other datasets pseudonymised using the same key. This data is then shared with the CSU BI Team for linkage and analysis.
    • NHSmail – Provides the practice with a secure email service, common across much of the NHS. This includes access to Microsoft Teams and other software.
  • E-Consult
    • E-Consult provides a text-based clinical consultation service which guides patients through a consultation algorithm to assess their symptoms and recommend appropriate next steps, which may include arranging a GP appointment, self-care advice or signposting to other services (e.g. NHS111, pharmacies, etc.) It does not facilitate real-time consultations between patients and GPs but does make GPs aware of all assessments undertaken on their patients.

You have the right to object to data processors handling your personal information, though bear in mind that this is not an absolute right, the practices legitimate grounds can override objections raised. Please raise any issues with the practice manager who will arrange for a discussion and consideration of any objections. Further information on this right is available here: 

How do we maintain the confidentiality of your records? 

We are committed to protecting your privacy and will only use information that has been collected lawfully.  Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Information is not held for longer than is necessary.   We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Consent and Objections

Do I need to give my consent?

The GDPR sets a high standard for consent.  Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation.  However, consent is only one potential lawful basis for processing information.  Therefore, your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.  Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice.  Your consent will be documented within your electronic patient record. 

What will happen if I withhold my consent or raise an objection?

You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing.  Please contact your GP Practice for further information and to raise your objection. 

Population Health Management


Population Health Management (PHM) – is helping us understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services and make better use of public resources.

We use historical and current patient level data to understand what factors are driving poor outcomes in different population groups, we then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.

This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.

In order to carry out this data linkage, your pseudonymised data will be passed to Arden & GEM Commissioning Support Unit, part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses. 

PHM is a partnership approach across the NHS and other public services, the outputs of the PHM programme will be shared across these organisations. All have a role to play in addressing the interdependent issues that affect people’s health and wellbeing.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the population health management tools used by the ICB include:

  • Age
  • Gender
  • GP Practice, Community and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.


Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

Section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidence, if the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations such as the Data Protection Act 2018 and the Human Rights Act 1998.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

Data Processing Activities

The practice processes this data internally. 

Data is also processed by Arden & GEM Commissioning Support Unit and Mid and South Essex ICB.

Opt-out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the PHM service (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform the practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.


Integrated Care Systems (ICSs) are partnerships that bring together providers and commissioners of NHS services across a geographical area with local authorities and other local partners to collectively plan health and care services to meet the needs of their population. The central aim of the ICS is to integrate care across different organisations and settings, joining up hospital and community-based services, physical and mental health, and health and social care. All parts of England are now covered by one of 42 ICSs.

The new Health and Care act 2022 established 42 Integrated Care Boards (ICBs) across England as statutory bodies and abolished the 106 Clinical Commissioning Groups (CCGs). The ICB will take on the NHS commissioning functions of the former CCGs as well as some of NHS England’s commissioning functions. It will also be accountable for NHS spend and performance within the system. The Board of the ICB will, as a minimum, include a chair, the CEO and representatives from NHS providers, general practice and local authorities.

In order to assure a smooth transition to the new commissioning landscape, the ICB need to be able to share data with providers and local authorities within their ICS so they are fully able to contribute to commissioning decisions. 

The ICS Sub-License approach will allow the ICB to share data they receive from NHS Digital via their commissioning agreements with members of their ICS. This will be limited to pseudonymised commissioning data without the provider unique local patient id included.

Re-identification - This is permitted but the ICB will be responsible for determining which users will have this ability. They must be a health or social care professional with a legitimate (direct care) relationship to the patient. 

It is important to note that direct care relies on the “implied consent” legal basis. Therefore, the patient must be aware of this relationship through clear communication.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information used by the ICS Partners include:

  • Age
  • Gender
  • GP Practice, Community and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.


Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

The legal basis for sharing the data with ICS members is:

Article 6 (1) (e) – processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

and Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Data Processing Activities

The ICB processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit.

The ICS Partners currently involved in the Sub-Licensing process are: 

  • Essex County Council
  • Southend City Council
  • Thurrock Council
  • Mid and South Essex NHS Foundation Trust
  • East of England Ambulance
  • Essex Partnership University NHS Foundation Trust
  • North East London NHS Foundation Trust
  • Provide CiC


The ICS Partners will become Data Controllers in their own right for the data received under the sub-licensing, however certain rules will apply to this:

  • Onward sharing of the data by ICS members is not permitted. 
  • Data must be segregated from other datasets and additional linkage is not permitted.


Opt out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Health Risk Screening / Risk Stratification 

Health Risk Screening or Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding. 

The ICB also uses risk stratified data to understand the health needs of the local population to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score. 

There is currently s251 support in place for the ICB to be able to receive data with the NHS Number as an identifier from both NHS Digital and the GP Practice to enable this work to take place.  The Data is sent directly into a risk stratification tool from NHS Digital /GP Practices to enable the data to be linked and processed as described above.  Once the data is within the tool ICB staff only have access to anonymised or aggregated data.

GPs can identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care.

Your GP will use computer-based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third-party accredited Risk Stratification provider.  The risk stratification contracts are arranged by Mid and South Essex Integrated Care Board in accordance with the current Section 251 Agreement. Neither the CSU nor your local Integrated Cared Board (ICB) will at any time have access to your personal or confidential data.  They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment.  This process is conducted electronically and without human intervention.  The resulting report is then reviewed by a multidisciplinary team of staff within the Practice.  This may result in contact being made with you if alterations to the provision of your care are identified.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the risk stratification tools used by the ICB:

  • Age
  • Gender
  • GP Practice and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.


Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

Data Processing Activities

The practice processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit and Prescribing Services Ltd on behalf of the practice.

Opt-out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service you can choose to opt-out by contacting the ICB who will then inform your GP practice and ask them to apply an opt-out code to your record to ensure that your information is not included in the programme. 


You can contact the ICB by email, phone or post:



Unit 10 Phoenix Court

Christopher Martin road



SS14 3HG


As mentioned above, you have the right to object to your information being used in this way.  However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care.  

Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where you receive healthcare.  Our local electronic systems (such as SystmOne, EMIS and Eclipse) enables your record to be shared with organisations involved in your direct care, such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services. 
  • Child health services that undertake routine treatment or health screening 
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies


In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past. 

In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, considering all aspects of a person’s physical and mental health.  Many patients are understandably not able to provide a full account of their care or may not be able to do so.  The shared record means patients do not have to repeat their medical history at every care setting. 

Your record will be automatically set up to be shared with the organisations listed above, however you have the right to ask your GP to disable this function or restrict access to specific elements of your record.  This will mean that the information recorded by your GP will not be visible at any other care setting.  

You can also reinstate your consent at any time by giving your permission to override your previous dissent.  

Your Right of Access to Your Records 

The Data Protection Act and General Data Protection Regulations allows you to find out what information is held about you including information held within your medical records, either in electronic or physical format.  This is known as the “right of access”.  If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information.  This can be your GP, or a provider that is or has delivered your treatment and care.  You should however be aware that some details within your health records may be exempt from disclosure, however this will be in the interests of your wellbeing or to protect the identity of a third party.  If you would like access to your GP record, please submit your request in writing to:

The Practice Manager

Aryan Medical Centre

Email address:

Right of Rectification and Erasure

Following a Subject Access Request, or in other circumstances, should you notice anything in your records that you consider to be incorrect, please get in touch with the practice manager (details above) to discuss how this could be reviewed and potentially rectified.

In most circumstances, information would not be able to be removed, as decisions may have been taken with that information in mind, but a note can be added to records to indicate alternative situations.

Data Protection Officer

A Data Protection Officer (DPO) is a role appointed within by public bodies, to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

The practices Data Protection Officer (DPO) is Jane Marley, Head of IG at the ICB.

To contact the DPO, please use the following email address: 


In the event that your feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at:

Information Commissioners Office

The Information Commissioners Office (ICO) is the national authority overseeing Data Protection and Freedom of Information in the UK.

You are able to raise complaints and concerns directly with them, and information on how to do so is available here: 

Parliamentary Health Service Ombudsman

The Ombudsman is independent of government and the NHS.  The service is confidential and free of charge.  There are time limits for taking a complaint to the Ombudsman although this can be waived if there is good reason to do so.  If you have questions about whether the Ombudsman will be able to help you, or about how to make a complaint, you can contact:


Further information about the ombudsman is available at 

You can write to the Ombudsman at:

The Parliamentary and Health Service Ombudsman, 

Millbank Tower, Millbank, London, SW1P 4QP

Confidentiality & Medical Records

Locked blue folderThe practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:

  • To provide further medical treatment for you e.g. from district nurses and hospital services.
  • To help you get other services e.g. from the social work department. This requires your consent.
  • When we have a duty to others e.g. in child protection cases anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

Freedom of Information

Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.

Access to Records

In accordance with the Data Protection Act 2018 and Access to Health Records Act, patients may request to see their medical records. Such requests should be made through the practice manager . No information will be released without the patient consent unless we are legally obliged to do so.


Customer service formWe make every effort to give the best service possible to everyone who attends our practice.

However, we are aware that things can go wrong resulting in a patient feeling that they have a genuine cause for complaint. If this is so, we would wish for the matter to be settled as quickly, and as amicably, as possible.

To pursue a complaint please contact the practice manager who will deal with your concerns appropriately. Further written information is available regarding the complaints procedure from reception.

Violence Policy

The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.

“This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. For more information about this see: 

Did Not Attend Policy


‘Did Not Attend’ (DNA) appointments are when the patient does not turn up for the appointment and does not contact the surgery in advance to cancel/change appointment. The affect of these are:


  • An increase in the waiting time for appointments
  • Frustration for both staff and patients
  • A waste of resources
  • A potential risk to the health of the patient

If a patient fails to attend a pre-booked appointment on more than one occasion in the last 12 months, an informal warning letter will be sent to the patient. If non- attendance continues a formal warning letter will then be sent to the patient advising them that a further occurrence could risk removal from the Practice.


If the patient fails to attend another appointment, the matter will be discussed at a Practice Meeting and a majority agreement will be reached as to whether the patient will be removed from the Practice list. In which case, a formal warning letter will be issued.


Warning letters are valid for a period of 12 months. Removal based on warnings greater than 12 months old will be invalid – in this case a further formal warning and period of grace will be required. 

Chaperone Policy

Aryan Medical Centre is committed to providing a safe, comfortable environment where patients and staff can be confident that best practice is being followed at all times and the safety of everyone is of paramount importance. 

This Chaperone Policy adheres to local and national guidance and policy

‘NCGST Guidance on the role and effective use of chaperones in Primary and Community Care settings’.

All patients are entitled to have a chaperone present for any consultation, examination or procedure where they consider one is required. The chaperone may be a family member or friend, but on occasions a formal chaperone may be preferred.

Patients are advised to ask for a chaperone if required, at the time of booking an appointment, if possible, so that arrangements can be made and the appointment is not delayed in any way. The Healthcare Professional may also require a chaperone to be present for certain consultations.  

All staff are aware of and have received appropriate information in relation to this Chaperone Policy. 

All trained chaperones understand their role and responsibilities and are competent to perform that role.

There is no common definition of a chaperone and their role varies considerably depending on the needs of the patient, the healthcare professional and the examination being carried out. 

Their role can be considered in any of the following areas: 

  • Emotional comfort and reassurance to patients
  • Assist in examination (e.g. during IUCD insertion)
  • Assist in undressing
  • Act as interpreter
  • Protection to the healthcare professional against allegations / attack
Privacy Notice

Data Protection Privacy Notice for Patients


Aryan Medical Centre has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this Practice, maintain records about your health and the treatment you receive in electronic and paper format.  



What information do we collect about you?


We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.



How we will use your information


Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.


In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.


Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.

Maintaining confidentiality and accessing your records


We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.


Risk stratification


Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including Matching Green Surgery; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.



Invoice validation


Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.


 National Opt-Out Facility

You can choose whether your confidential patient information is used for research and planning.

Who can use your confidential patient information for research and planning?

It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

Making your data opt-out choice

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Will choosing this opt-out affect your care and treatment?

No, your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What should you do next?

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

You can change your choice at any time. To find out more or to make your choice visit or call 0300 303 5678

 Retention periods


In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.


What to do if you have any questions


Should you have any questions about our privacy policy or the information we hold about you, you can:


  1. Contact the practice’s data controller via email at GP practices are data controllers for the data they hold about their patients[1]  
  2. Write to the data controller at - Aryan Medical Centre
  3. Ask to speak to the practice manager


The Data Protection Officer (DPO) for Aryan Medical Centre is Jane Marley at BBCCG.

What should you do if your personal information changes?

You should tell us so that we can update our records please contact the practice as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number), the practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.



In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit and select ‘Raising a concern’.


Changes to our privacy policy


We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.



 Privacy Notice

Children Privacy policy Safeguarding Children and Young people policy statement

Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website