This information explains:

  • Who we are
  • Why information is collected about you
  • The way in which this information may be used
  • Who it is shared with and
  • How we keep it safe.

It also explains how the practice uses the information we hold about you, how you go about accessing this information if you wish to see it and to have any inaccuracies corrected or erased.


Testvale Surgery is a well-established GP surgery based in Totton on the outskirts of Hampshire. Our General Practitioners and Nurses provides primary medical care services to our practice population of 13,150 patients and our administrative and managerial staff support the team in providing care for patients.

GP Records are stored electronically and on paper and include personal details about you such as your address, carers, legal representatives, emergency contact details, as well as:

  • Any appointments, visits, emergency appointments and telephone calls
  • Notes and reports about your health
  • Details about your treatment and care
  • Details about any medication you are taking
  • Results of investigations such as laboratory tests, x-rays
  • Relevant information from health professionals, relatives or carers

Your records are used to ensure you receive the best possible care from our nurses and doctors. It enables the staff to see previous treatments, medications and enables them to make informed decisions about future decisions about your care. It helps the doctors to see lists of previous treatments and any special considerations which need to be taken into account when care is provided.

Important information is also collected to help us to remind you about specific treatment which you might need, such as health checks, or reminders for screening appointments such as cytology reminders.

Information held about you may be used to help protect the health of the public and to help us to improve NHS services. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Staff at the practice use your information to help deliver more effective treatment to you and to help us to provide you with proactive advice and guidance.

The healthcare professionals who provide your care maintain records about your health.  This is a record of your care history and allows health care professionals to review your care to help inform future decisions about your treatment. Sharing this information helps to improve the treatment you receive, such as a hospital consultant writing to your GP.   We follow strict data sharing guidelines to keep your information safe and secure.

The following information details how we share your information, how we keep your information securely and how you can access your primary care medical record should you wish to.

Patient referrals

With your agreement, your GP or Nurse may refer you to other services and healthcare providers not provided by the practice, or they may work with other services to provide your care in the practice. Once you have been seen for your referral, the other health care provider will normally tell us about the treatment they have provided for you and any follow up which the GPs need to provide. This information is then included in your GP record.

Local Hospital, Community or Social Care Services

Sometimes the clinicians caring for you need to share some of your information with others who are also supporting you. This could include hospital or community based specialists, nurses, health visitors, therapists or social care services.

Summary Care Record (SCR)

A Summary Care Record is an electronic record of important patient information, created from the GP medical records. It contains information about medication you are taking, any allergies you suffer from and any bad reactions to medications you have previously had. It can be seen and used by authorised staff in other areas of the health and care system involved in your direct care. Giving healthcare staff access to this information can prevent mistakes being made when caring for you in an emergency or when your GP practice is closed. Your Summary Care Record also includes your name, address, date of birth and your unique NHS Number to help identify you correctly. If you and your GP decide to include more information it can be added to the Summary Care Record, but only with your express permission.

For more information visit

Care and Health Information Exchange (CHIE)

The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton. GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems. The Care and Health Information Exchange stores summary information from these organisations in one place so that – with your consent – professionals can view it to deliver better care to you. This record contains more information than the SCR, but is only available to organisations in Hampshire.

For more information visit:

National Screening Services

There are some national services like the National Cancer Screening Programme that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cervical, breast or bowel cancer screening. Often you have the right to not allow these organisations to have your information.

You can find out more about how the NHS holds and shares your information for national programmes on the NHS Choices website.

Other NHS organisations

Sometimes the practice shares information with other organisations that do not directly treat you, for example, Clinical Commissioning Groups. Normally, it will not be possible to identify you from this information. This information is used to plan and improve services. The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication. However, this information is anonymous and does not include anything written as notes by the GP and cannot be linked to you.

Telephone Calls

All our incoming telephone calls are recorded for training and monitoring purposes for a period of 6 months. These are held on a secure, password encrypted hard drive and are deleted at the end of the retention period.

General Practice Data for Planning and Research

Patients personal confidential data will be extracted and shared with NHS Digital in order to support vital health and care planning and research. Further information can be found here

Patients may opt out of having their information shared for Planning or Research by applying a National Data Opt Out or a Type 1 Opt Out.  Details of how to Opt Out can be found on our Privacy Notice.  For the National Data Opt Out patients are required to register their preference below.

For Type 1 Opt Out patients can complete the form and return it to their registered practice for action by the 23rd June 2021.

The legal basis for this activity can be found at this link : General Practice Data for Planning and Research: NHS Digital Transparency Notice - NHS Digital

Legal Basis : The legal basis for this activity can be found at this link : General Practice Data for Planning and Research: NHS Digital Transparency Notice - NHS Digital

Local Data Sharing Arrangements

The practice currently has three data sharing agreements which are in place:

  1. Southern Health NHS Foundation Trust, our community services provider;

This agreement allows the Integrated Care Teams (community nurses, physiotherapists and occupational therapists) being able to access GP information about people on their caseload who have recently been discharged from hospital or who are housebound, or who require longer term rehabilitation from the GP record. This information can be read by the healthcare professional to improve the patients care, but they are not able to amend the GP medical record.

2. Totton Primary Care Network

An agreement is under development between Testvale Surgery and New Horizons Medical Partnership (Totton Health Centre and Forestgate Surgery) to allow sharing patient information for our social prescriber and clinical pharmacist which will be shared between the organisations. This will also make it easier for patients to be seen at any GP practice in Totton should it be necessary, for example, during extended hours periods. Data may also be shared to ensure effective call and recall programmes, for example for the coronavirus vaccination programme.

3. Frailty Support Team

The SHFT Frailty Team have access to the patient records at the practice to enable them to review the clinical information to provide support to appropriate patients.  They will also maintain a record within the SHFT clinical record. The legal basis for this sharing falls under 6.1.e – under authority of a contract to deliver NHS services and 9.2.h – delivery and management of direct health care. Common Law Duty of Confidence – explicit consent

Other local agreements

Testvale Surgery has an agreement to allow the medicines management team at West Hampshire CCG to access the clinical system to view prescribing data for the practice and to undertake medication reviews on specific patients. The medicines optimisation team also undertakes prescribing audit on behalf of the practice. This information is used to help improve quality, safety and cost effectiveness of prescribing.

Testvale Surgery has agreed a memorandum of understanding with West Hampshire CCG in regard to the Referral Support Service. This service assists the practice in improving the quality and accuracy of referrals made by our clinical team. All referrals (excluding urgent cancer referrals) are made through the service, which co-ordinates the most appropriate clinic for the patient to be seen in to enable the patient to be seen in the right place, first time. Additionally feedback is provided to the referring clinician where required to help improvements in future referrals.

Solent Mind. All patients with Serious Mental Illness are required to have a physical health check each year, this ensures their general health is managed which otherwise could deteriorate as a result of their mental illness. Solent Mind carry out some of the health checks on behalf of our practice. Legal basis – 6.1.e under the NHS Contract. Lawful basis – 9.2.h to manage patient health care.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. 

From May 2018, a new European regulation called the General Data Protection Regulation came into force and the practice also has a legal responsibility to ensure that we will also comply with these new regulations about personal data.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation 2017
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as a life or death situation, or where the law requires information to be passed, or where it is in the best interest of the patient to share the information.

You have a right to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. From May 2018, there will usually be no charge to see the information that the practice holds about you unless the file is particularly large.

In order to request this, you need to make a request to the practice. 

You may find it helpful (though it is not mandatory) to use the Subject Access Request form available from reception or at the following link which provides the practice with the relevant information needed to be able to grant the request. Subject Access Request Form

The practice will respond to you within one month of receipt of your request. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

For information on your hospital records you should write direct to them.

If you feel that the personal data that the practice holds about you is inaccurate or incomplete then please let us know and we will update your records within one month of notification. If this incorrect information has been sent onwards, we will also inform any other organisations of this. If it is not possible to correct the information then we will write to you to let you know the reason behind the decision and inform you how you can complain about this.

In specific circumstances, as an individual you also have the right to request the deletion or removal of information the practice keeps about you. This may be where you withdraw your consent for the practice to hold the information, if it is no longer relevant, or where there is a legal obligation to remove the data.

As a patient, you have the right to object to personal data about you being used or shared.

You also have the right to restrict the use of data the practice holds about you. If you do wish to object, please contact the practice. This will prevent your confidential information being used other than where necessary by law.

If you are a carer and have a Lasting Power of Attorney for health and welfare then you can also object to personal data being used or shared on behalf of the patient who lacks capacity.

If you do not hold a Lasting Power of Attorney then you can raise your specific concerns with the patient’s GP. If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then this must be their decision.

National Data Opt Out Programme

The national data opt-out is a new service that allows patients to choose whether or not to allow their confidential patient information being used for research and planning. All NHS organisations must be compliant by September 2021. 

If you don't want your confidential patient information to be used for research and planning, you can opt out of this. If you do opt out, there are some specific situations where your data may still be used. Data that does not identify you may still also be used.

Your confidential patient information will still be used to support your individual care. Any preference you set using this service will not change this.

If you opt out, your decision will only apply within the health and care system in England. Your opt-out will not apply to your health data where you have accessed health or care services outside of England, such as in Scotland and Wales.

You can manage your choice by using the online service at the following address: Your NHS Data Matters or you can or request a print-and-post form to make or change your choice at any time. 

A useful video outlining the National Data Opt Out Programme can be seen here:


As part of the NHS Digital response to the Covid 19 Pandemic, arrangements have been made for GP Practices in England to access the GP Connect functionality.  Confidential patient information can be processed for the purposes as set out in Regulation 3(1) of the Control of Patient Information (COPI) to support the Secretary of State’s response to Covid 19 (Covid 19 purpose).  This notice will remain in place until 31 October 2022.  Information can be shared under the regulations by GPs, NHS Digital and NHS England.

Further information on the COPI notice and the Covid-19 purpose can be obtained at:


GP Data for Research and Planning 

Secretary of State for Health and Social Care has asked NHS Digital to establish and operate an information system for the collection and analysis of General Practice data for health and social care purposes. The original launch date was 23 June 2021 but this has now been pushed back until 1 September 2021.

NHS Digital has been directed to collect, process, analyse and disseminate general practice data. The data collection process is moving from the existing GP Extraction Service (GPES) to a new service, the General Practice Data for Planning and Research. The BMA, RCGP and National Data Guardian have been involved in this process.

This is a legal process. GP practices cannot opt out of this data extraction. The data will be used for:

  1. Research the long term impacts of coronavirus on the population;
  2. Analyse health care inequalities – for example to understand how people of different ethnicities access healthcare and how health outcomes in these groups compare to the rest of the population; and
  3. Research and develop cures for serious illnesses

Patient identifiable information will be pseudonomised before it leaves the practice. This is a process which takes personally identifiable data and changes it so that it cannot be attributed back to a specific person without additional processing.

Data collected will include NHS number, local patient ID, postcode, date of birth and date of death. Additional coded special category data will also be collected including Physical / Mental Health or Condition, Sexual Life / Orientation, Family / Lifestyle / Social Circumstance, Religion or Other Beliefs and Racial / Ethnic Origin.

Some data will not be collected. This data includes Name and Address, Written notes (free text), Images, letters and documents and Legally restricted codes for Gender Recognition, Human Fertilisation and Embryology. None of these items will be collected. 

There are two types of opting out:

  1. Type 1 Opt Out – this is a patient opting out of NHS Digital Collecting your data. Patients can follow this link and print out a form to pass back to their GP Surgery:

2. National Data Opt Out – opting out of NHS Digital Sharing your confidential data including GP data and Hospital data. To Opt Out a patient needs to follow the link below: and do this online themselves. They must be over 13 years of age, have access to email/mobile phone and have their NHS number to do this.

For further information, please follow this link:

Should you have any concerns about how your information is managed at the practice please contact Renee Persone, Practice Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via their website:

If you wish to access all of this information in a PDF format, you can download and print it here:

Privacy Notice February 2023