The Health Centre staff and regulated third parties have access to patient records, but said access is strictly governed by clinical governance and confidentiality guidelines.

  • Patient information may be used by the Health Centre to help us identify specific patients who may be at risk of certain events (e.g. admission to hospital, or developing a disease) and in order for us to try to prevent such events where possible
  • Patient information in anonymised form (where it is not possible to identify any individual patient) may be used by the Health Centre to help us plan services for our patients and for the wider health community.

We regularly update the information we have for patients as to how their personal data is protected. This information can be found within our Privacy Notice.

You may view our Confidentiality Protocol below

Please note that the Health Centre employs Closed Circuit Television (CCTV) throughout the premises, both internally and externally. This system is in place to protect both your safety as patients and the safety of Oak Tree staff, guarding against criminal activity. Please be assured that images are not used for any other purpose, are retained solely within the Health Centre premises unless requested by the Police, and are captured only in public access areas i.e. there is no CCTV recording in consulting or treatment rooms.


Confidentiality Protocol


This protocol details the approach of Oak Tree Health Centre to the handling of confidential information held about patients. The protocol applies to all employees of Oak Tree Health Centre including both clinical and non-clinical staff, and to those individuals not employed by but based at the Health Centre who have access to patient information as a necessary part of their role. It will be reviewed annually to ensure that it remains effective and relevant.

Our protocol enshrines both the NHS Constitution and the Care Record Guarantee.


Importance of confidentiality

Confidentiality is a fundamental part of healthcare and crucial to the trust between doctors and patients. Our patients entrust us with sensitive information relating to their health and other matters in order to receive the treatment and services they need. They should be able to expect that this information will remain confidential unless there is a compelling reason why it should not be. All members of staff in the NHS have legal, ethical and contractual obligations for confidentiality and must ensure that they act appropriately to protect patient information against improper disclosure or use.

Some patients may lack the capacity to give or withhold their consent for the disclosure of confidential information, but this does not diminish the duty of confidentiality. The duty of confidentiality applies to all patients regardless of race, gender, social class, age, religion, sexual orientation, appearance, disability or medical condition.

Information that can identify individual patients must not be used or disclosed for purposes other than healthcare unless the patient (or their appointed representative) has given explicit consent. The only cases in which such information will be supplied without explicit consent are those where the law requires disclosure or there is an overriding public interest to disclose. All patient identifiable health information must be treated as confidential information, regardless of the format in which it is held.

Information which is effectively anonymised can be used with fewer constraints.

The confidentiality of other sensitive information held about the Health Centre and its staff will also be respected.

Obligations of staff - all of Oak Tree’s staff will: 

  • endeavour to maintain patient confidentiality at all times;
  • not discuss confidential information with colleagues without patient consent (unless it is part of the provision of care);
  • not discuss confidential information in a location or manner that allows it to be overheard;
  • handle patient information received from another provider sensitively and confidentially;
  • not allow confidential information to be visible in public places;
  • store and dispose of confidential information in accordance with the Data Protection Act 1998 and the Department of Health’s Records Management Code of Practice (Part 2);
  • not access confidential information about a patient unless it is necessary as part of their work;
  • not remove confidential information from the premises unless it is necessary to do so to provide treatment to a patient and the appropriate technical safeguards are in place;
  • contact the Business Manager (in his capacity as the information governance lead and Caldicott Guardian) if there are barriers to maintaining confidentiality;
  • report any loss, inappropriate storage or incorrect disclosure of confidential information to the Business Manager (in his capacity as the information governance lead and Caldicott Guardian);
  • for other providers, document, copy, store or transfer information only via the methods agreed and documented with said providers

All members of staff will comply with the law and the guidance or codes of conduct laid down by their respective regulatory and professional bodies.


Information disclosure

When a decision is taken to disclose information about a patient to a third party due to safeguarding concerns or because it is in the public interest, the patient should always be told and asked for consent before the disclosure unless it would be unsafe or impractical to do so.

Where consent cannot be sought, there must be clear reasons and necessity for sharing the information.

Disclosures of confidential information about patients to a third party must be made to the appropriate person or organisation and in accordance with the principles of the Data Protection Act 1998 (Annex 1), the NHS Confidentiality Code of Practice and the GMC’s Good Medical Practice. 


Obligations of the employer

As an employer Oak Tree Health Centre must:

  • ensure that confidential information is stored securely on the premises and that there are processes in place to guarantee confidentiality;
  • make sure that this protocol is available to all individuals within the Health Centre and that its content is fully understood;
  • review and update this protocol on a regular basis

Information for patients

How we use your information

This Confidentiality Protocol explains why we collect your information and how that information may be used.

Under the Data Protection Act 1998 we must ensure that your personal confidential data (PCD) is handled in ways that are transparent and that you would reasonably expect. The Health and Social Care Act 2012 has altered the way that personal confidential data are processed. Consequently, you should be aware of these changes and that you have the opportunity to object, and understand how to exercise that right.

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both. Through established working procedures and best practice, coupled with technology, we ensure your personal data is kept confidential and secure. Records held by us may include the following:

  • Your personal data, such as address and next of kin
  • Your history with us, such as appointments, vaccinations, clinic visits etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations and referrals such as blood tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you

We obtain and hold data for the sole purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. We can disclose your personal information if:

(a) It is required by law
(b) You consent – either implicitly for the sake of your own care or explicitly for other purposes
(c) It is justified in the public interest

Some of this information is held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the Health Centre will always endeavour to gain your consent before releasing the information.

The Health and Social Care Information Centre (HSCIC), under the powers of the Health and Social Care Act 2012 (HSCA), can request Personal Confidential Data (PCD) from GP Practices without seeking patient consent. The Care.Data Programme allows PCD to be collected by the HSCIC to ensure that the quality and safety of services is consistent across the country. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

You may choose to withdraw your consent to personal data being used in this way. When we are about to participate in a new data-sharing project we will make patients aware by displaying prominent notices in the Health Centre and on our website at least four weeks before the scheme is due to start. Instructions will be provided to explain what you have to do to opt out of each new scheme.


Risk Stratification

Risk Stratification is a process that helps your family doctor (GP) to help you manage your health. Many GP Practices have opted to use a secure Risk Stratification system run by the NHS Central Southern CSU DSCRO (the regional processing centre); this requires your PCD to be shared, securely, for which you would have the right to opt out.

Oak Tree Health Centre has taken a different approach and undertakes the risk stratification of its patients in-house via a toolkit available within its clinical system; there is therefore no sharing of PCD outside of the Health Centre with this approach.


Invoice validation

We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF) approved by NHS England. Where possible we will strive to use the NHS number as a quasi-identifier to preserve your confidentiality.


Our partner organisations

We may need to share your information, subject to agreement on how it will be used, with the following organisations:

  • NHS Trusts
  • Health & Social Care Information Centre (HSCIC)
  • Specialist Trusts
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Commissioning Support Units
  • Social Care Services
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘data processors’

Access to personal information held about you

Under the Data Protection Act 1998, you have a right to access/view information we hold about you via a “subject access request”, and to have it amended or removed should it be inaccurate. If we do hold information about you we will:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form

If you would like to make a subject access request, please contact the Business Manager in writing; there may be a charge for this service.

We are registered as a data controller under the Data Protection Act 1998. Our registration Z5074181 can be viewed online in the public register via the Information Commissioner's Office website.


How we keep your personal information confidential

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), the Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.