Privacy Notice

How Wonersh Surgery Uses Your Information to Provide You With Healthcare

Wonersh Surgery is committed to protecting your personal data. We keep your medical records confidential and process your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We hold your medical record to provide you with safe, effective care and treatment. We may also use your information to review and improve the quality of services we provide.

We will share relevant information from your medical record with other health and social care providers involved in your care. For example, information may be shared when:

  • Your GP refers you to a specialist
  • Your GP issues a prescription to a pharmacy
  • You attend A&E or out-of-hours services
  • Emergency staff need to know important details such as allergies

This may include the use of your Summary Care Record. For more information, visit:
https://digital.nhs.uk/summary-care-records.

You have the right to object to information being shared for your care. Please speak to the practice if you wish to object. You also have the right to request that errors in your record are corrected.

Use of a Third Party for Processing Registrations

We use a third party to help process your registration quickly and to ensure the highest chance of locating your existing medical records.

Accordingly, we have instructed Healthtech‑1 to process certain personal and sensitive data solely for the purpose of improving the speed and accuracy of your registration.

  • Wonersh Surgery is the Data Controller
  • Healthtech‑1 is the Data Processor

This means the practice determines what data is processed and how it is used. Healthtech‑1 acts strictly under our instructions, in line with the UK GDPR and the Data Protection Act 2018.

For all requests relating to the control of your data, please contact the practice directly.

Other Important Information About How Your Data Is Used

Registering for NHS Care

  • All patients receiving NHS care are registered on a national database held by NHS Digital.
  • This database includes your name, address, date of birth and NHS Number, but not details of your care.
  • More information is available at https://digital.nhs.uk/data or on 0300 303 5678.

Identifying Patients at Risk of Certain Conditions

  • Your record may be searched using secure computer programmes to identify patients who may be at risk of conditions such as heart disease or unplanned hospital admissions.
  • This allows the practice to offer additional care or support at an early stage.
  • This may involve linking information from your GP record with information from other services you have used.
  • Identifiable information will only be viewed by this practice.

Safeguarding

  • We may need to share information without consent to protect individuals at risk, including children or vulnerable adults.
  • These circumstances are rare, but required by law and necessary to prevent harm.
  • Information may be shared with the local safeguarding team or the Multi‑Agency Safeguarding Hub (MASH).

Data Controller

Dr T Rinttila
Wonersh Surgery
The Street
Wonersh
GU5 0PE

Data Protection Officer

  • Name: Dan Clement
  • Role: Associate Director ICS Information Governance / Data Protection Officer (NHS Kent & Medway Integrated Care Board)
  • Email address: kmicb.ig@nhs.net
  • Telephone: 01634 335095
  • Postal Address: NHS Kent and Medway, 2nd floor, Gail House, Lower Stone Street, Maidstone, ME15 6NB

Purpose of Processing

Your information is used to:

  • Provide direct health or social care
  • Support referrals for investigations, treatment or specialist care
  • Review and improve the quality of care (audit and clinical governance)

Lawful Basis for Processing

Processing is supported under:

  • Article 6(1)(e) – performance of a task in the public interest
  • Article 9(2)(h) – provision and management of health or social care services

Healthcare staff also comply with the common law duty of confidentiality.

Recipients of Your Data

Your data may be shared with:

  • Healthcare professionals and staff at this surgery
  • Local hospitals
  • Out‑of‑hours services
  • Diagnostic and treatment centres
  • Other organisations involved in providing you with direct care

Right to Object

You may object to information being shared for your care. This may affect the care you receive, and the practice will discuss implications with you.

You cannot object to:

  • Your demographic data being sent to NHS Digital (necessary for NHS registration)
  • Sharing information for safeguarding purposes when required by law

Right to Access and Correct

You have the right to:

  • Access your medical record
  • Request correction of any errors

Please speak to a member of staff or see our Subject Access Request information on the practice website.

Records cannot usually be deleted, but you may seek independent legal advice if you believe information is held unlawfully.

Retention Period

We retain GP medical records in accordance with legal and national guidance. Details can be found at:
https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

Right to Complain

You may complain to the Information Commissioner’s Office (ICO):
https://ico.org.uk/global/contact-us/
Helpline: 0303 123 1113

Data Received From Other Organisations

We receive relevant information from organisations involved in your care, such as hospital consultants. This keeps your GP record accurate and up to date.

SUMMARY CARE RECORD (SCR)

NHS England have implemented the SCR, which contains information about you, including your name, address, date of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system. Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be in a position to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. The SCR can only be viewed within the NHS-on-NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS. As well as this basic record, additional information can be added to include further information. However, any additional data will only be uploaded if you specifically request it and with your consent. You can find out more about the SCR here: https://digital.nhs.uk/services/summary-care-records-scr

GP CONNECT

We share your record using GP Connect to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to local providers who are involved in your care. This includes the sharing of: personal contact details, diagnosis, medications, allergies and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service. Please note that if you have previously dissented (opted-out) to sharing your records, this decision will be upheld. Should you wish to opt-out of this, please contact our reception team who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.

PCN Privacy Notice

We are part of the East Waverley PCN, which is a network of GPs and health and care organisations established to provide integrated services to the local population. Members of the network are:

  • Binscombe Medical Practice
  • Cranleigh Medical Practice
  • Springfield Surgery 
  • The Mill Medical Practice
  • Wonersh Surgery

By operating as a network, we are able to provide a more comprehensive set of services, provided by local clinicians and health and care providers.

Where necessary and relevant to support your direct care, we will share your confidential patient information with members of our network to support safe, efficient and effective care and treatment.

We will use data from which you cannot be identified when we are undertaking the planning and commissioning of local health and care services. This ‘de-identified data’ is effectively anonymised in accordance with the Information Commissioner’s Office Code of Practice, a summary of which is available at link.

If you are not happy for your health data to be shared with the organisations detailed above if you access PCN services, then you can object to this. To do so, you should contact your registered Practice so they can discuss the potential impact this could have on your care and treatment.

If you do not wish for your de-identified data to be used for planning and commissioning of PCN services, you are able to opt out of this via the National Opt-Out. Please see the link below for further details: https://www.nhs.uk/your-nhs-data-matters/

Use of Third Parties

Healthtech-1

We use a third party to process your registration quickly and to ensure we have the greatest chance of locating your medical record.

Accordingly, we have instructed Healthtech‑1 to process your personal and sensitive data solely for the purpose of improving the speed and accuracy of your registration.

We are the Data Controller, and Healthtech‑1 is the Data Processor. This means the practice instructs what data is processed and how this is done, in line with the UK GDPR and the Data Protection Act 2018.

iGPR

We use iGPR Technologies Ltd to assist with processing report requests, including:

  • Subject Access Requests
  • Insurance reports under the Access to Medical Records Act 1988

iGPR acts strictly under the practice’s instructions and UK data protection law.

OpenSAFELY

NHS England operates the OpenSAFELY COVID‑19 Service and OpenSAFELY Data Analytics Service, which allow approved users to run queries on pseudonymised GP data for research, audit, service evaluation and surveillance.

  • GP practices remain controllers of their patient data
  • Data is pseudonymised
  • Approved users cannot identify individuals
  • Patients may opt out by registering a Type 1 opt‑out with their GP

For all requests regarding the control of your data, please contact the GP practice.

Updated April 2026

Attachment

Appendix A privacy notice

PDF, 243.4 KB

Date Published: 10th April, 2025
Date Last Updated: 17th April, 2026