Our Policies

Your personal data - General Data Protection Regulations

Ball Tree Surgery is a Data Controller

We hold personal medical information about all our patients.  We do so with a 'lawful basis'.  Full info is available via individual downloadable PDFs below.  We are required to have this detailed information available for our patients to see, however a summary of the key points is in plain English text for those that don't want to read the 'small print'.

We have a responsibility to protect your data under the General Data Protection Regulations.  Your information is treated confidentially.  All staff and contractors working at the surgery are subject to a confidentiality policy.  We are obliged to process your data fairly and responsibly. Keeping your medical records confidential is important as you need to know that you can trust us with our data. Leaflet [PDF]

We also have a responsible to let you know how you can expect your data will be used and shared.

We have limitations within our clinical systems, however for the majority of our uses and sharing of data we will aim to record your consent either verbally or in writing before we share any of your data where it is outside of the usual processing required for providing you with GP or Primary Care services.  The usual processes will include our standard practice to share (such as a hospital referral) or where it would be in your best interests for us to share (where there has been an emergency).  It is our responsibility to share only what is necessary.

To provide you with General Practice services we will collect, use and share your data in the following ways:

1) Personal data - So that we can know a bit about you and are able contact you by phone, email, text, Apps, and letters (address / data of birth / NHS Number / next of kin / family situation / communication needs)

2)  Sensitive personal data - As part of your registration with Ball Tree we imply that for your consent to collect and pass on relevant clinical information to other professional staff involved in your direct care. This means that you are consenting for us to send information about you and your medical history to external agencies to support clinical and social referrals and to help you access and benefit from external services.  (medical records / medical history / appointments and visits / details of treatments and medications / clinical results from tests and scans)  We can do this under the GDPR legislation to support your healthcare.

3) Send information about you and your medical history to other NHS organisations and pharmacies for clinical, research and statistical requirements (some of this may well be anonymous).  (Prescriptions go to pharmacies / samples are sent by courier to pathology laboratories / medical notes are sent via NHS England between surgeries and via courier to our secure storage facility / reports are sent to coroners offices / information is sent to hospitals to support care / information is shared with out of hours providers and ambulance service where appropriate to support your care)

4) Within the practice we process your data in order to provide information to NHS England and the CCG.  This is usually anonymised audit data to ensure quality of service and to evidence work for payments.  We also process data to 'case find' so that we can target people with various conditions to be invited to come in for regular reviews to support their health and well-being.  For example to come for a Diabetes review or to see if additional support is needed via the local pro-active care and frailty programmes.  

5) We take part in the NHS Adur Research Programme for Public Benefit and therefore, with your consent, your data may be included in research projects.  (You will always be asked about taking part in research projects).

6) NHS National Research including 'Clinical Practice Research Datalink' and 'QResearch' is also active at Ball Tree.  Data for this research is anonymous which means that no one knows which individuals are contributing.  We are governed by laws overseeing how data is used in this context for your protection.

7) We are also obliged to comply with various laws that require our computers to send data to the national Health and Social Care Information Centre (NHS Digital).  This is as directed by the Secretary of State for Health. Only when there is a legal basis for the transfer of data we may pass limited and relevant information to other NHS organisations to improve the efficient management of the NHS or to aid medical research.

Examples of organisations where we may need to send your information include:

  • Hospitals - to provide information to support 'Secondary Care'
  • County Council - to provide information to support access to their health and wellbeing  services
  • Sussex Community Foundation NHS Trust - to provide information to support District Nursing and Community Care - including Proactive Care
  • Sussex Partnership Trust - to provide information to help with mental health
  • Coastal West Sussex CCG and Emergency Services  - If there is a large scale emergency incident a list of vulnerable people may need to be identified (People that are housebound / nursing homes / significantly frail).  In this instance where harm could come otherwise - limited data will be shared for protection.
  • Sussex Ambulance - SECAMB
  • Out of Hours Services - IC24
  • Share My Care - who provide information to out of hours and emergency services
  • IBIS - who provide information to emergency services
  • Innovations in Primary Care - MIAMI appointments and clinical services - Extended Hours and specialist clinics
  • Other GP Practices - where you may be a temporary resident or receiving a particular service
  • Pharmacists - on your paper or electronic prescriptions and also if we have a phone query - this is part of your direct clinical care.

From the 25th May 2018 we will no longer be charging for access to medical records to comply with the new legislation - General Data Protection Regulations.  Please be aware however that it costs us far more than you would likely imagine to be able to provide you with your records.  You have access to your  Summary Care Record via Online Services already - for FREE.  If you complete the forms for FULL ACCESS you can also see more information - this is also FREE - however due to the complex and numerous rules that the NHS imposes upon us before we are allowed to give you access it will take us significant time to process your requests and make these available to you.  It costs us hundreds of pounds to process every request.

A better solution... quicker for you and for us
If you are concerned about any aspect of your records please do come and have a chat to us and we can answer specific questions to help you.  We can quickly search your records for the information you are looking for and print out the relevant parts for you.  This is likely to be a better solution for all - and we are very happy to be open with you and share information with you about your records within the NHS Guidance in which we are required to operate.  Under GDPR this is called a 'negotiated subject access request'.

To request your records you will need to complete a form - please talk to our reception team about this.

For your information:
Your DIGITAL records are held on the internet on a 'cloud-based' IT system called EMIS Web. https://www.emishealth.com/products/emis-web/ 
Your PAPER records are held in storage in Stanstead off-site in secure storage by a company called CAS Digital and Achive Document Storage https://cas.ltd/
Your PAPER records whilst in transit are processed by Primary Care Support England which is actually a private company called CAPITA https://pcse.england.nhs.uk/
MS text messages are sent via AccuRX https://www.accurx.com/privacy-policy
SMS text messages are sent via iPlato https://www.iplato.com/privacy/
SMS text messages are sent via EMIS Web https://www.emishealth.com/products/emis-web/ 
SMS text messages are sent via NHS Secure email https://digital.nhs.uk/services/nhsmail/nhsmail-policies
EMAIL message are sent via NHS Secure email https://digital.nhs.uk/services/nhsmail/nhsmail-policies

Our Data Protection Officer
Paul Anthony Data Protection (GDPR) – GP Information Governance (IG) Manager and Data Protection Officer (DPO) for East Surrey and Sussex area

Videos about Data and Information (on YouTube)

Keeping Records




What we do with your information


Your Rights


GDPR Privacy Notices - (the small print)

Click on any of the links below to download a PDF that has detailed information

Privacy Notice - June 2022 [PDF]

Privacy Notice - Appendix A - June 2022 [PDF]

COVID Supplement to Privacy Notice - April 2020 [PDF]

NHS England COVID information 

GDPR Statement of Accountability

Please download a copy of our Statement of Accountability [PDF]

Information Commissioner's Office Registration

Please download a copy of our ICO Certificate of Registration 2020-2021 [PDF]

Data Security

Click on any of the links below to download a PDF that has detailed information

  • We protect your information 
  • We have password protected computers and software
  • We have 'smart card secure access to records' in our clinical software (audit and security) - this ensures that access to records is on a controlled basis of 'need to know'
  • Our emails are all encrypted
  • Our data storage is encrypted

Data Security PolicyData Protection PolicyAcceptable Use PolicyInformation Security Policy
Password Policy

Data Retention

In line with the Department of Health Code, we will retain / store your health record for your lifetime.
When a patient dies, we will review the record and generally it will be destroyed 10 years later, unless there is a reason to keep it for longer.

If you move away or register with another practice, we will send your records to the new practice.

Our communications with you

Please note our communications disclaimer which applies to all letters, emails, texts and phone communications: 

DISCLAIMER 1: Unless expressly stated otherwise, the information contained in any letter, email or text sent by Ball Tree is confidential and is intended only for the named recipient(s). If anyone receiving a communication from Ball Tree is not the intended recipient , the content must not be copied, distributed, or used as the basis for any action or reliance upon it. If anyone has received an email or text in error, please notify the Ball Tree. Any unauthorised disclosure of the information contained in an email or text is strictly prohibited.

DISCLAIMER 2: If you have provided Ball Tree with a contact email or mobile number, we are implying your consent for Ball Tree to send information about you via email and text to anyone who can access your email or texts. If you share your email and mobile, you are responsible for who has access.  Ball Tree can take no responsibility for you sharing your devices, or passwords.  Ball Tree strongly recommends that every patient has a personal private individual email address and mobile number.  

Coming as soon as technology permits...

Control via text over your preferences on

EMAIL - On/Off | Email - Clinical Information | Email - Non-Clinical information (important service changes / research / news)

TEXT - On/Off | Text - Clinical Information | Text - Non-Clinical information (important service changes / research / news)

Ball Tree needs to cut non-essential costs - if you can help us switch from post to digital you are contributing to helping to keep us functioning. Please do say yes to everything digital.


If you would like to prevent NHS Digital from using any of your anonymised data for research or statistical purposes this must now be recorded at a national level.  This is known as a Type 2 Opt Out.  Ball Tree can no longer register this on its computer systems.  If you want to do this you have to visit www.nhs.uk/your-nhs-data-matters or you can telephone 0300 303 5678  This is a National Data Opt Out

You will need to have 

Your NHS Number + a valid mobile phone number or valid email address recorded into the Ball Tree Clinical System

General Practice Data for Planning and Research (GPDPR)

NHS Digital's daily collection of GP data will support vital health and care planning and research.
The data held in the GP medical records of patients is used every day to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone. NHS Digital has developed a new way to collect this data, called the General Practice Data for Planning and Research data collection

Opting out

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

We will not collect data from GP practices about patients who have registered a Type 1 Opt-out with their practice. More information about Type 1 Opt-outs is in our GP Data for Planning and Research Transparency Notice, including a form that you can complete and send to your GP practice.

This collection will start on 1 July 2021 so if you do not want your data to be shared with NHS Digital please register your Type 1 Opt-out with your GP practice by 23 June 2021.

If you register a Type 1 Opt-out after this collection has started, no more of your data will be shared with us. We will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.

National Data Opt-out (opting out of NHS Digital sharing your data)

We will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you - this includes GP data, or other data we hold, such as hospital data - with other organisations, unless there is an exemption to this.

To find out more information and how to register a National Data Opt-Out, please read our GP Data for Planning and Research Transparency Notice.

Chaperone Policy

Please let us know if you would like to have someone with you whilst you are having an examination

The Ball Tree Surgery is committed to providing a safe, comfortable environment where patients and staff can be confident that best practice is being followed at all times and the safety of everyone is of paramount importance.

All patients are entitled to have a chaperone present for any consultation, examination or procedure where they feel one is required.  This chaperone may be a family member or friend.  On occasions you may prefer a formal chaperone to be present, i.e. a trained member of staff.

Wherever possible, we would ask you to make this request at the time of booking an appointment so that arrangements can be made and your appointment is not delayed in any way.  Where this is not possible, we will endeavour to provide a formal chaperone at the time of request.  However occasionally it may be necessary to reschedule your appointment.

Your healthcare professional may also require a chaperone to be present for certain consultations in accordance with our Chaperone Policy.

 Who can we talk to and about what...

We are bound by NHS rules about who we can talk to in relation to medical records.  
For example, we are not allowed to talk to parents about teenagers unless we have the clear permission of the teenager to do so in each particular instance.  The only exception to this would be in the case of any safeguarding issues where immediate danger or harm could be caused to the teenager.  Parents and teenagers should consider whose contact information is on our systems - whose email and mobile address do we have?  

There are forms about consent on our website that allow people to tell us that they are willing for their medical records to be discussed with particular individuals.  If these are completed, we will then be more able to talk to others about records.  However, there may be instances where confidentiality overrides these wishes. 

In addition, if we have not had a recent reaffirmation of the consent we may not pass on any information.  This is to protect our patients interests.  Relationships and wishes change over time - however we may not have been updated.  It is your responsibility to keep our information about you up to date. 

Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website