Privacy Notice


Your Information and Rights

A key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR) is transparency and providing accessible information to patients about how we use personal information.

The following notice reminds patients of their rights in respect of the above legislation and how Tal-Y-Bont Surgery will use patient information for lawful purposes to deliver care and the effective management of the local NHS system.

This notice reflects how we use the information for:

  • The management of patient records
  • Communication concerning clinical, social and supported care
  • Ensuring the quality of care and the best clinical outcomes are achieved through clinical audit and retrospective review
  • Participation in health and social care research
  • The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future

Data Controller

Tal-Y-Bont Surgery, as your registered GP Practice, is the data controller for any personal data that we hold.

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether it is received directly from a patient or from a third party in relation to patient care. We will collect the following types of information from or about patients from a third party (provider organisation) engaged in the delivery of care:

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, address, next of kin and NHS number.
  • ‘Special category and sensitive data’ such as medical history including details of appointments and contact with patients, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Patient healthcare records contain information about health and any treatment or care patients have previously received. This could be from the hospital, another GP surgery, community care provider, mental health care provider, walk-in centre or social services (this list is not exhaustive and provides examples only). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep information secure and confidential.


Why do we collect this information?

The NHS Act 2006 and the Health and Social Care Act 2012 invest statutory functions in GP Practices to promote and provide the health service in Wales, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process patient information in accordance with current data protection legislation to:

  • Protect vital interests
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult
  • Perform tasks in the public’s interest
  • Deliver preventative medicine, medical diagnosis, medical research
  • Manage the health and social care system and services

How is the information collected?

Patient information will be collected either electronically using secure NHS Mail or a secure electronic transfer over an NHS encrypted network connection. In addition, physical information will be sent between GP practices. This information will be retained within the GP’s electronic patient record or within physical medical records.


Who will we share information with?

To deliver and coordinate patient health and social care, we may share information with the following organisations:

  • Local GP Practices to deliver extended primary care services
  • NHS (Swansea Bay University Health Board or Hywel Dda depending on address)
  • 111 and Out of Hours Service
  • Local Social Services and Community Care services
  • Voluntary Support Organisations commissioned to provide services by Swansea Bay University Health Board or Hywel Dda

Patient information will only be shared if it is appropriate for the provision of care or required to satisfy our statutory function and legal obligations. Whilst we might share information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that the GP can provide the appropriate care.

How do we maintain the confidentiality of patient records?

We are committed to protecting privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep patient information confidential. We maintain our duty of confidentiality by conducting training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access. We have a strict confidentiality policy in place which all staff must adhere to.

Information is not held for longer than is necessary. We will hold information in accordance with the Records Management Code of Practice for Health and Social Care 2016.


Consent and Objections

Do I need to give my consent?

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However, consent is only one potential lawful basis for processing information.

Therefore, the GP practice may not need to seek your explicit consent for every instance of processing and sharing information, on the condition that the processing is carried out in accordance with this notice. The GP Practice will contact patients if they are required to share information for any other purpose which is not mentioned within this notice. Patient consent will be documented within the electronic patient record.

What will happen if I withhold my consent or raise an objection?

You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact the GP Practice for further information and to raise your objection.

Please be aware that there are some cases in which the decision to withhold information may be overruled to provide potentially life-saving care. If the decision is overruled, a full explanation as to why will be provided.


Health Risk Screening / Risk Stratification

Health Risk Screening or Risk Stratification is a process that helps the GP to determine whether a patient is at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care, the GP will be able to judge if patients are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise, Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition
  • Prevent an emergency admission
  • Identify if a patient needs medical help to prevent a health condition from getting worse
  • Review and amend provision of current health and social care services.

The GP will routinely conduct the risk stratification process outside of any GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with patients if alterations to the provision of care are identified.

As mentioned above, patients have the right to object to information being used in this way. However, patients should be aware that any objection may have a negative impact on the timely and proactive provision of direct care. Please contact the Practice Manager to discuss how disclosure of personal data can be limited.


Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where healthcare is received. Our local electronic systems (Vision) enable records to be shared with organisations involved in direct care, such as:

  • GP practices
  • Community services such as district nurses and rehabilitation services
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units, out of hours services or accident and emergency
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

In addition, NHS Wales have implemented the Individual Health Record which contains information including medication patients are taking and any history of bad reactions to medication.

In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, considering all aspects of a person’s physical and mental health. Many patients are understandably not able to provide a full account of their care or may not be in a position to do so. The shared record means patients do not have to repeat their medical history at every care setting.

The record will be automatically set up to be shared with the organisations listed above; however, patients have the right to ask their GP to disable this function or restrict access to specific elements of the record. This will mean that the information recorded by the GP will not be visible at any other care setting.

Patients can also reinstate their consent at any time by giving permission to override the previous dissent.


Your Right of Access to Your Records

The Data Protection Act and General Data Protection Regulations allow patients to find out what information is held about them, including information held within medical records, either in electronic or physical format.

This is known as the “right of subject access”. Patients are able to request to see all or part of their medical records. The request should be in writing, and we have a form of consent to be filled in if the request is for records held by us as the GP Surgery. The reception team will be able to provide the consent form needed.

Requests can also be made to any provider that has delivered treatment and care. Please be aware that some details within the health records may be exempt from disclosure; however, this will be in the interests of patient wellbeing or to protect the identity of a third party.



If it is felt that the GP Practice has not complied with the current data protection legislation, either in responding to a request or in our general processing of personal information, concerns should initially be raised in writing to the Practice Manager at:

Tal-Y-Bont Surgery
Station Road
Swansea  SA4 8TJ

Should our response not meet expectation and further action be required, the Public Services Ombudsman for Wales can be contacted at:

Public Services Ombudsman Wales
1 Ffordd yr Hen Gae
CF35 5LJ

Telephone: 0845 601 0987 / 0300 790 0203