GDPR- General Data Protection Regulation

The UK General Data Protection Regulation (UK GDPR herein) came into force on 1 January 2021 and is incorporated in the Data Protection Act 2018 (DPA18) at part 2. The UK GDPR applies to all organisations in the UK (with the exception of law enforcement and intelligence agencies) and Lockfield Surgery (LS) must be able to demonstrate compliance at all times. Understanding the requirements of the UK GDPR will ensure that the personal data of both staff and patients is protected accordingly.

At LS, the role of the data controller is to ensure that data is processed in accordance with Article 5 of the UK GDPR. He/she should be able to demonstrate compliance and is responsible for making sure that data is:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data, which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Additional Information

Additional Information in the SCR, such as details of long-term conditions, significant medical history or specific communications needs, is now included by default for patients with an SCR unless they have previously told the NHS that they do not want this information to be shared.

Should a patient not wish to have any additional information shared, they can complete the SCR patient consent preference form.

Further reading can be sought from NHS Digital Additional information on the SCR and a patient information for additional or enhanced summary care records can be found in this poster.

Access to Medical Records

The law states that organisations must, when requested by an individual, give that person access to their personal health information and, occasionally, certain relevant information pertaining to others. In order to do this, they must have procedures in place that allow for easy retrieval and assimilation of this information.

The purpose of this document is to ensure appropriate procedures are in place at Lockfield Surgery (LS)to enable individuals to apply for access to health records (commonly referred to as a medical record), whether online or by requesting a copy, and to enable authorised individuals to apply for access to information held about other people.

Access to medical records can be provided via:

  • An online portal linked to the organisation’s webpage
  • A variety of NHS approved apps
  • A verbal subject access request (SAR)
  • A written SAR including email and/or through social media

Sending Text Messages

Convenience allows patients to receive text messages that contain non-sensitive information as part of the routine advice or reminder service at Lockfield surgery.

Whilst this method of communication is time-efficient, improves communication and is particularly beneficial to patients with impaired hearing, the potential to breach patient confidentiality must also be a consideration.

Lockfield surgery uses Accurx to communicate with patients.  All SMS messages are recorded within patients’ healthcare records.

When sending a text message to a patient, staff members must consider the following:

  • Consent
  • Confidentiality
  • Child/age of the recipient
  • Content

At Lockfield surgery, consent to communicate via text message is obtained from each patient by means of registration paperwork.

The consent given is noted on the patient’s healthcare record.


Patients may actively and consistently use email as their preferred method of communication. It is imperative that the patient confirms their email address with Lockfield Surgery enabling LS to verify the accuracy of the information held.

It is the responsibility of the patient to ensure that they provide an up to date email address and all patients must be advised that LS is not responsible for the protection of the information once it has been received by the patient. It is also to be recommended to the patient that they do not use a shared email address for the purpose of communicating with LS so that confidential information will not be seen by family members.

Additionally, patients are to be advised that internet email accounts are not secure and that there is a risk of their email being hacked (albeit a small risk). Again, LS will not accept any responsibility for the loss of confidential information should a patient’s email account be hacked.

Generic Email Address

Will only communicate with patients from the following email address:

[email protected]

Staff are not to communicate with patients from their individual email account. This provides reassurance to patients that the email they have received is legitimate.

LS will ensure it sends an automated response indicating that the email has been received. The following response will be sent:

“This email address is for GENERAL ENQUIRIES and PRESCRIPTIONS and PATIENT PARTICIPATION ENQUIRIES ONLY Many Thanks Lockfield Surgery.

This is not for same day response or enquiries, ring 01902639000 if same day response is needed”.