What is GDPR and what does it mean for patients?

GDPR  How the NHS handles your data

Privacy Notice

Lochgilphead Medical Centre

Practice Privacy Notice

 

 

Lochgilphead Medical Centre has a legal duty to explain how we use any personal information we collect about you, as a registered patient at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.   

 

What information do we collect about you?

 

We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.

 

How we will use your information

 

Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases when the law allows.

 

In order to comply with its legal obligations, this practice may send data to SPIRE (Scottish Primary Care Information Resources)  when directed by the Scottish Ministers under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS National Services Scotland when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

 

Certain information from your GP patient records will be used, such as your date of birth, gender, vaccinations, diagnoses and prescribed medicines. SPIRE will only use the information that is needed for the purpose of the analysis. No notes your doctor or nurse has made from discussions you have had with them will be used and no information leaving your GP practice will have names or personal details on it.

To protect your confidentiality, these details will be encrypted before they leave the GP practice so you can be confident that your information is secure at all times.

SPIRE has committed to safeguard the confidentiality of information in patients' records. SPIRE has also been assessed to be compliant with the new GDPR requirements.

 

Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR. 

 

 

 

Maintaining confidentiality and accessing your records

 

We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies; you have a right to have the inaccurate data corrected.

 

Risk stratification

 

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of

sources, including Lochgilphead Medical Centre, this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

 

Invoice validation

 

Your information may be shared if you have received treatment to determine which Health Board is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

 

Opt-outs

 

You have a right to object to your information being shared.  Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information; this is done by registering a Type 1 opt-out, preventing your information from being shared outside this practice.

 

Retention periods

 

Within NHS Highland we keep personal information as set out in the Scottish Government Records Management:  NHS Code of Practice (Scotland) Version 2.1 January 2012.  The NHS Code of Practice sets out minimum retention periods for information, including personal health records and administrative records.  As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule.  Details of this code of practice can be found at Scottish Government Records Management detailing the minimum retention period for the information and procedures for the safe disposal of personal information.

 

 

What to do if you have any questions

 

Should you have any questions about our privacy policy or the information we hold about you, you can:

 

1.    Contact the practice’s data controller via email at lochgilphead.surgery@nhs.net GP practices are data controllers for the data they hold about their patients[1]   

2.    Write to the data controller at The Data Controller at Lochgilphead Medical Centre, Mid Argyll Community Hospital & Integrated Care Centre, Blarbuie Road, Lochgilphead, Argyll, PA31 8JZ

3.    Ask to speak to the practice manager or business manager.

4.    The Data Protection Officer (DPO) for Lochgilphead Medical Centre is Mrs. Julie Brown and he is based at the Mid Argyll Community Hospital.

 

Complaints

In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.

 

Changes to our privacy policy

 

We regularly review our privacy policy and any updates will be published on our website and on posters to reflect the changes. This policy is to be reviewed November 2026. 

Privacy Notice Direct Care and Emergencies

Confidentiality & Medical Records

The practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:

To provide further medical treatment for you e.g. from district nurses and hospital services.

• To help you get other services e.g. from the social work department. This requires your consent.
• When we have a duty to others e.g. in child protection cases anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

Freedom of Information

Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the Practice Manager.

Access to Records - Subject Access Requests

In accordance with the Data Protection Act 1998 and Access to Health Records Act (GDPR will supersede this from 25th May 2018), patients may request to see their medical records. Such requests should be made through the Practice Manager and may be subject to a reasonable fee if the request is manifestly unfounded or excessive, particularly if repetitive. No information will be released without the patient consent unless we are legally obliged to do so. We will take reasonable steps to verify the individual's identity prior to granting access to information.

Complaints

We make every effort to give the best service possible to everyone who attends our practice.

However, we are aware that things can go wrong resulting in a patient feeling that they have a genuine cause for complaint. If this is so, we would wish for the matter to be settled as quickly, and as amicably, as possible.

To pursue a complaint please contact the practice manager who will deal with your concerns appropriately. Further written information is available regarding the complaints procedure from reception.

Violence Policy

The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.