Privacy notice

Use of your personal information

Dorking Healthcare Limited (DHC) is registered with the Information Commissioner’s Office as a Data Controller, and our registration number can be found by searching the ICO Register using this Link.

We aim to provide you with the highest quality health care. To do this, we must keep records about you, your health and the care we have provided or plan to provide to you. This Privacy Notice sets out how we will use your information.

The information which we collect about you

We will collect information which identifies you and information pertaining to your physical or mental health or condition, including your:

• Name, date of birth, contact information

• Emergency contact details including next of kin

• Gender, nationality, race and/or ethnicity and religion

• Sex life and/or sexual orientation

• Background referral details, diagnoses and appointments

• Referrals to other specialists and healthcare providers

• Tests carried out here and in other places

• Investigations and scans

• Allergies, medication, treatments and outcomes

• Previous illnesses and current health including details of any diagnoses, consultations and investigations

• Notes made during consultations

• Correspondence between health professionals such as referrals and discharge letters

• Results of tests and their interpretation

• Videotapes, audiotapes and photographs

• Reports written for third parties such as solicitors and insurance companies

We will collect information directly from you, for example, if you are referred to one of our services and attend any appointments. We also receive information about you from other organisations who are involved in providing you with health and social care services.

Purposes for which your information will be used


All health and social care providers have a legal ‘duty to share’ under the Health and Social Care (Safety and Quality) Act 2015. This requires health and adult social care bodies to share information with others where this will facilitate care for an individual. It makes it clear that, unless you object, information can be lawfully shared for purposes likely to facilitate the provision of health services or adult social care and are in an individual’s best interests.

DHC routinely shares confidential personal data with other health and social care providers when they are involved in your care or treatment. We will also share information with your GP. Sharing information in this way is considered to facilitate care for individuals, and we rely on implied consent.

We will ask for your explicit consent before we use information which identifies you for purposes that do not directly contribute to, or support the delivery of your care.

We will respect your decisions to restrict disclosure or use of information, except in exceptional circumstances (see the Objecting to Sharing section below).

Direct Care

All health care professionals who provide you with medical care will maintain a record of your health and any treatment provided. We use relevant information about you, including information about your health, to support the delivery of your care and treatment.

Some components of direct care may be delivered by non-registered and non-regulated health and social care staff, for example a ‘system administrator’ scanning a report onto our electronic record keeping system.

If you provide us with your mobile phone number, with your consent, we will use your mobile phone number to send you text messages in relation to appointment reminders & information about direct patient care. Please let a member of staff know if you do not wish to receive text messages.

Where you have provided us with your email address, with your consent, we will use this to send you information relating to your health and the services we provide. If you do not wish to receive communications by email, please let us know.

If you are seen by a healthcare professional as part of the Extended Access Service, we will share relevant information relating to your Extended Access appointment with your GP.

In certain circumstances, we may be able to offer you a video consultation. We will always obtain your permission before using remote consultation.

To reduce the chances of spreading infectious diseases and reduce pressure on our services at busy times, we may carry out consultations with you over the phone or through video consultation, unless there is a clinical need for you to come in. This will help minimise risk while continuing to ensure people get the care and advice they need.

If you require a referral, for example to a specialist or to secondary care, we will share relevant information about you with these organisations. We can do this electronically through our IT systems, secure email or by post.

There may be situations where the clinician treating you believes that your clinical circumstances are exceptional and that you may receive benefit from a treatment or service that isn’t routinely offered by the NHS. The clinician may, therefore, make an Individual Funding Request to NHS England.

We undertake risk stratification for preventative care purposes. This process enables the identification and subsequent management of patients who have or may be at risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops. Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health. If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

Vital Interests

There may be situations in which you are unable to provide your consent, for example, you become seriously unwell, require emergency treatment or have an accident requiring emergency treatment. In these situations, if you are unable to give your consent, then we may use or share your information in order to protect your vital interests.

Where appropriate, we will share information about your health needs with the Ambulance Service and 111 Service. Information will only be shared with your consent or where sharing information is considered to be in your best interests. The information will be used to ensure clinicians have access to the required information to help make the best decision about your care needs as a result of a call to 999 or 111.

Recording Consultations

With your explicit consent, our Talking Therapies service may record consultations which you have with our therapists or clinicians. This may be to support your care or treatment or for supervision, quality assurance and development purposes.

All recordings will be held securely and will be securely destroyed when they are no longer needed. We will always seek your permission before recording consultations and your decision will not impact your individual care or treatment.

Complaints, Data Subject Rights Requests and other similar requests

If you wish to exercise your rights under data protection law, we will process the information to be able to consider the request and provide an appropriate response. If you have instructed an individual or organisation to act on your behalf, we will respond to them, providing we have your explicit consent.

In the unlikely event that DHC is subject to legal action or a complaint, we will need to access relevant information in order to investigate and respond. We may also need to share information with our insurance company and solicitors to manage and defend any claims.

Our lawful bases for processing your personal data for these purposes are:

• The processing is necessary to perform a task in the public interest or for official function

• The processing is necessary for compliance with a legal obligation

• The processing is necessary for the establishment, exercise or defense of legal claims

• The processing is necessary for reasons of substantial public interest

• The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Recipients of your information

Other healthcare organisations

We share information about your health with other organisations who are involved in providing you with health and social care. For example, if you require further investigation, treatment or surgery, we will send a referral to the relevant organisation that can support your needs.

The data will be shared with healthcare professionals and support staff in this organisation and at other hospitals, diagnostic and treatment centres who contribute to your personal care. Acute trusts include but are not exclusive to: Surrey and Sussex Healthcare NHS Trust, Epsom and St Helier Healthcare NHS Trust, St George’s Hospital, Queen Victoria Hospital. Sub-contractors include but are not exclusive to: Ramsay Healthcare Ashtead Hospital, Ramsay Healthcare North Downs Hospital, Alliance Medical UK, Epsomedical Cobham Day Surgery, Global Diagnostics, Spire Gatwick Park Hospital, Spire St. Anthony’s Hospital, Medical Imaging Partnership, Wimbledon Neurocare and BMI Mount Alvernia Hospital. If you are referred to any of these organisations, they will hold their own record of the care and treatment which they provide to you.

Where required, we can arrange interpretation and translation services to ensure we meet your language and communication requirements. We use a third party to provide this service, which is subject to contractual obligations of security and confidentiality.

The Summary Care Record (SCR) is an electronic record which contains information about the medicines you take, allergies you suffer from and any reactions to medicines you have had. It is held on a national database by NHS England. The SCR may be shared with other healthcare professionals and organisations involved with your care. These professionals and organisations may also be able to update the record in order to ensure you are provided with the best possible care.

Our lawful bases for processing your personal data for these purposes are:

• The processing is necessary for you to perform a task in the public interest or for official function

• The processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Sharing partners

We use SystmOne as the clinical records system for Outpatients. This provides a shared record with GP practices who also use SystmOne. If you have not consented for your GP record to be shared with other organisations, no information recorded at your GP will be visible. If you have given consent for your GP record to be shared with other organisations we will be able to see this information. Likewise, information inputted directly into the system at DHC will be immediately visible to your GP.

Visibility of your GP record provides our Outpatient clinicians with a more comprehensive picture of your general health which assists with diagnosis and treatment as an outpatient.

We have recently enabled integration between SystmOne and practices (including Pondtail) that use a different medical record system, EMIS. This provides limited information from your GP record including:

• Current conditions

• Current Medication

• Current Allergies and Adverse Reactions

• Last 3 Consultations conducted within the practice

This ensures that those involved in your care or treatment can quickly, easily and securely access the information they need, when they need it.

Friends, Families and carers

We will share relevant information about you with these individuals where you have provided your consent or where they are acting as your attorney, deputy or guardian.

We will retain certain information about these individuals such as their name and contact details so that we can share information about your care, in ways that you have agreed.

Local Authority Safeguarding Team

There may be legal situations in which we have to share your information in order to maintain the safety of the individuals concerned. This includes both adult and child safeguarding and in these situations identifiable information will be shared. There is often a legal requirement to share this information without obtaining consent first.

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies.

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.

It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients and allow our organisation to receive payment for the services which we deliver.

DHC must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.

More information about NHS Digital and how it uses information can be found at:

National Data Collections

DHC is contractually required to submit data to national data collections where the collection is relevant to the services which we deliver. A list of approved collections can be found at:

Secondary Use Services+

The Secondary Uses Services (SUS+) is a collection of health care data which is used for planning health care, supporting payments, commissioning policy development and research.

We are legally required under Section 259 of the Health and Social Care Act 2012 to provide datasets as specified by NHS Digital.

Regulatory bodies

We are legally required to support organisations with regulatory functions such as the CQC and the ICO. Where appropriate, we may share information about you with these organisations to evidence compliance or to report an adverse or unexpected incident.

Public Health

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever. The law requires us to share data for national public health reasons, to prevent the spread of infectious diseases or other diseases which threaten the health of the population.

We will report the relevant information to local health protection teams or Public Health England.

For more information about Public Health England and disease reporting see:

Third party service providers

In order to deliver the best possible service, DHC will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure and that they do not use or share the information other than in accordance with our instructions.

Examples of functions that may be carried out by third parties include companies that provide:

• IT services and support, including our clinical systems;

• Systems which manage patient facing services (e.g. our website);

• Data hosting service providers;

• Systems which facilitate appointment bookings, electronic prescription services;

• Document management service; and

• Interpretation services.

Objecting to Sharing

You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive so please speak to a member of the team if you have any concerns about the ways in which your information is shared.

Sharing without your consent

There are exceptions to the duty of confidence that may make the use or disclosure of confidential information without consent appropriate. These situations are rare but could include:

• Sharing your name, address and other demographic information with NHS Digital as this is necessary if you wish to be registered to receive NHS care;

• Sharing required in the public interest or to protect the public in order to prevent and support detection, investigation and punishment of a serious crime or to prevent abuse/serious harm;

• Legal disclosures for example where we have received a court order;

• Where we are required to support organisations with regulatory functions such as the CQC or the ICO.

National data opt-out

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. To find out more or to register your choice to opt out, please visit

On this web page you will:

• See what is meant by confidential patient information

• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care

• Find out more about the benefits of sharing data

• Understand more about who uses the data

• Find out how your data is protected

• Be able to access the system to view, set or change your opt-out setting

• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

• See the situations where the opt-out will not apply


All records held by DHC will be kept for the duration specified by national guidance from NHS Digital, Health and Social Care Records Code of Practice. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially confidential information will be disposed of by approved and secure confidential waste procedures.

Securing your information

We use various companies and sub-contractors to support our services. These organisations are trusted partners whom we authorise to use your information in line with our specific instructions.

We require these third parties to provide assurance that they meet the requirements of data protection law and we ensure written contracts are in place where access is provided to your personal data.

We use technical and organisational controls to protect your information. We will only use information that identifies you where it is necessary and then only the minimum amount of information that is necessary to achieve the purpose will be collected and used.

Access to your information is restricted to individuals on a strict “need-to-know” basis i.e. only individuals supporting the provision of your healthcare can view your information.

Anyone we share your information with, and all DHC staff, are legally, contractually and/or professionally bound to keep your information confidential and secure. We undertake regular auditing to check that information is being handled to the necessary standard.

Our staff receive regular training to ensure they understand how to comply with data protection and confidentiality requirements.

We use secure electronic systems to store your information and where we hold paper records, they will be protected from unauthorised access and confidentially destroyed where appropriate.

Your Rights

You have various rights available to you under data protection law. These are set out below:

Your right of access: You have the right to ask us for copies of your personal information

Your right to rectification: You have the right to ask us to rectify information you think is inaccurate or complete information which you think is incomplete

Your right to be informed: you have the right to be told about the collection and use of your information

Your right to restriction of processing: In certain circumstances, you have the right to ask us to restrict the processing of your information

Your right to object to processing: In certain circumstances, you have the right to object to the processing of your personal data

Your right to object: Under Article 21 of the UK GDPR, you have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent an organisation from processing your personal data. For more information on ‘Your right to object’, click here.

Your right to erasure: In certain circumstances, you have the right to request that we erase your personal data. This does not apply to records regarding your medical care as we are required by law to keep these records.

Requests can be made verbally or in writing although we may ask you to complete a form in order that we can ensure that you have the correct information that you require. You will also need to confirm your identity.

Please be aware that in certain situations, we are able to charge a reasonable fee for responding to your request. We will inform you where this applies.

For more information on the ICO guidelines, click here.

When does the right to erasure not apply?

For more information on the ICO guidelines, click here.

Change of Details

It is important that you tell us if any of your contact details such as your name or address have changed, especially if any of your other contact details are incorrect. It is important that we are made aware of any changes immediately in order that no information is shared in error.

Data Protection Officer

You can contact our DPO as follows:

Saba Anjum, Governance and Compliance Manager

By email:

By post:

Dorking Healthcare Limited

Holmhurst Medical Centre

12 Thornton Side



Please mark all correspondence “Private and Confidential - For the Attention of Dorking Healthcare’s Data Protection Officer”.

Complaining to the ICO

You have the right to complain to the Information Commissioner’s Office. You can use this link or call their helpline, Tel: 0303 123 1113.

As a partner within the East Surrey Place Partnership and Surrey Downs Health and Care Partnership, the place privacy notices relevant to Dorking Healthcare Ltd are now available via the following links

We will keep our Privacy Notice under regular review. This notice was last reviewed in September 2023.