Full Medical Record Online Access

Please be aware that it can take up to 21 working days to process full access to your medical record.

We have received extra requests from patients to access their full medical record online, due to the ability to see your vaccination status online, and our Administration Team are working hard to process these requests.

To be able to view your Covid Vaccination record in the NHS App you require full online access to your medical record.


Privacy notice

The purpose of this notice is to inform you of the type of information that the surgery holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.

The surgery has a duty to ensure that your personal data is kept confidential, secure and used appropriately.

We are registered with the Information Commissioner’s Office as a Data Controller and our registration number is Z4729790.

What kind of information do we use?

There are different types of information collected and used across the NHS.  It should be noted that information which cannot identify an individual does not come under the Data Protection Act 2018.

We use the following types of information/data:

  1. Anonymised data, which is data about you but from which you cannot be personally identified
  2. De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified
  3. De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number
  4. Personal data which you can be personally identified from (this includes information such as your name and address)
  5. Special category data which tells us something about you (this includes information such as your ethnicity and health information)

We will only use information that may identify you (known also as personal confidential data) in accordance with the: Data Protection Act 2018 – The Data Protection Act requires us to have a legal basis if we wish to process any personal information.

What do we use your information for?

We hold your medical record so that we can provide you with safe care and treatment. We will also use your information so that our surgery can check and review the quality of care we provide, this helps us to improve the service we provide to you. We shall share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in hospital or your GP will send details about your prescription to your chosen pharmacy.

Aside from sharing information directly for your care, there are some other purposes that we may share data for, including:

Risk Stratification

Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes.  This is called risk stratification for case-finding. As part of this, our surgery uses a primary care software system called Eclipse.

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients. This surgery must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.

The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the Calculating Quality Reporting Service (CQRS) and GP clinical systems as part of the GP Collections service. Find out more here.

Care Quality Commission (CQC)

The CQC regulates health and social care services to ensure that safe care is provided. The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. For more information about the CQC see: http://www.cqc.org.uk/

Public Health

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England.

Who do we share your information with?

We may share your information with other parties dealing with your care. When we do this we will inform you first unless we have a legal basis. We will not share your information with marketing organisations or other organisations that could cause you harm or lead to intrusive contact.

Some examples are:

  • Local Council
  • Hospital
  • Mental Health Trust
  • Ambulance Service
  • Care Homes
  • Social Care
  • Safeguarding
  • Suffolk and North East Essex Integrated Care Board (SNEEICB)
  • Clinical system providers
  • Police
  • Coroner
  • Confidential Waste removal company
  • Voluntary Sector Organisations

We will keep you informed of how your data is used through this privacy notice, however please note that there may be times when we may not notify you such as for the prevention and detection of crime, safeguarding purposes, or as requested by a Court Order. We will only do this when the law requires us to do so.

Primary Care Network

We are a member of Deben South Primary Care Network (PCN).  This means we will be working closely with a number of other Practices and health and care organisations to provide healthcare services to you.

During the course of our work we may share your information with these Practices and health care organisations/professionals.  We will only share this information where it relates to your direct healthcare needs. 

When we do this, we will always ensure that appropriate agreements are in place to protect your information and keep it safe and secure. This is also what the Law requires us to do.

If you would like to see the information the PCN holds about you please contact the Practice Manager. See also your rights as a patient listed below.

Multi-disciplinary Meetings

A multidisciplinary team (MDT) is a group of health and care staff who are members of different organisations and professions (e.g. GPs, social workers, nurses), that work together to make decisions regarding the treatment of individual patients and service users. MDTs are used in both health and care settings.

A list of MDT professionals could include the following:

Nurse Assessors, Social Care Practitioners, Physiotherapists, Occupational Therapist, Ward Nurses, Dieticians/Nutritionist, GPs/Consultants/Other Medical Practitioners, Community Psychiatric Nurses, Care Home/Support Provider Staff, Community Nurses, Specialist Nurses, Community Matrons and Discharge Nurses

MDT In Person vs Virtual

MDTs in their current format necessitate face-to-face contact between multiple clinical teams, they have the potential to act as potent accelerators of viral transmission. This created an urgent need to increase remote working across the health and care system. Teams are enabled to set Virtual MDTs using MS Teams which has given NHS staff a secure tool for instant messaging, video conferencing, sharing clinical information, images, and more

In an MDT, only information that is relevant and necessary for the patient or service user’s care will be shared.

Social Prescribing

Social Prescribing enables GPs, nurses and other primary care professionals to refer people to a range of local, non-clinical services. NHS England describes social prescribing as “enabling all local agencies to refer people to a link worker”. Link workers - known locally as Community Connectors - give people time and focus on what matters to the person. They connect people to community groups and agencies for practical and emotional support. If you have an appointment with a Community Connector, only limited information would be passed on. There are agreements in place to protect your data.

Diabetic Eye Screening

The Diabetic Eye Screening Programme in this area is provided by Health Intelligence after they were awarded the contract by NHS England Midlands and East to continue provision of the service from 1 April 2016. All patients aged 12 and over, with a diagnosis of diabetes will be referred by their GP surgery to the diabetic eye screening programme. You can find more information about this service as www.eadesp.co.uk

Text Messages

Please note that we will use your mobile number to text you with information regarding your care such as appointment reminders, flu vaccine booking etc. Please let us know if you would not like your mobile number used for this purpose.

Call Recording

Please note that this practice records its calls for training and quality purposes.


The ROSI (Record Once Share Insight) solution is being developed for use across Suffolk and North East Essex Integrated Care System.

ROSI is an Advance Care Plan Electronic Record and will replace current documentation such as My Care Wishes in Suffolk. The record holds key information about patients, including their cardiopulmonary resuscitation (CPR) decision, language, family carers, capacity, their end-of-life preferences.

Please find the privacy notice for ROSI here.

How do we keep your information safe?

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption and information is transferred safely and securely. 

The surgery does not transfer personal confidential information overseas without adequate protection.

Under the Data Protection Act 2018, the surgery is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.

The surgery has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The surgery will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and or required to by law. The surgery is party to a number of information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation.

How long do we keep your information for?

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the NHS Records Management Code of Practice.

NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so has been determined and received from the Data Controller. 

What rights do I have?

By law you have certain rights related to your information. These are:

The right to be informed

You have the right to know what information that we hold about you, what we do with it and why. We inform patients through this privacy notice.

The right of access

You have the right to have a copy of the information that we hold on you. We must provide this to you within one calendar month and free of charge unless an exemption applies. We may need you to prove your identity before we can release any information to you.

The right of rectification

You have the right to have your personal data corrected if inaccurate.

The right to erasure

You have the right to have your personal data erased in certain circumstances.

The right to restrict processing

You have the right to restrict the processing of your personal data in certain circumstances.

The right to data portability

You have the right allows you to obtain and reuse your information for your own purposes. You have the right to have your information in a digital format.

The right to object

You have the right to prevent processing of your information in certain circumstances.

Rights related to automated decision making and profiling

We must inform you if we do this kind of processing, and offer you a human based alternative.

If you wish to exercise any of your rights, you can make contact by using the information below:

The Peninsula Practice

Mill Hoo




IP12 3DA


Telephone – 01394 411641

Practice Manager – Kay Goodchild-Critchley

Caldicott Guardian – Dr Lindsey Crockett

Your Data Matters

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.

The National Data Opt-Out programme is a service that allows patients to opt out of their confidential patient information being used for research and planning.

Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters.

Raising concerns

If you are concerned about the way we are handling your information or wish to make a complaint please contact the Practice Manager on 01394 411641.

If you still have further concerns then please contact the Data Protection Officer – Paul Cook – email: support@sneeicbdpo.freshdesk.com

The Data Protection Officer service is provided by Suffolk and North East Essex Integrated Care Board.

If the issue cannot be resolved by our organisation or the Data Protection Officer, you have the right to report it to the Information Commissioners Office (ICO). The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. You can contact them on the details below:



Phone – 0303 123 1113

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane

Health Risk Screening / Risk Stratification

Health Risk Screening or Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS England from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.

The ICB has agreed with NHS England s251 support for the NHS Number, as an identifier from both NHS England and GP Practice data, to be used to enable this work to take place. The Data is sent directly into a risk stratification tool called Eclipse from NHS England /GP Practices to enable the data to be linked and processed as described above. GPs can identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care. Your GP will use computer-based algorithms or calculations to identify their registered patients who are at most risk. Once the data is within the tool ICB staff only have access to anonymised or aggregated data.

Suffolk and North East Essex Integrated Care Board (SNEEICB) also uses risk stratified data with pseudonymised (non-identifiable) data to understand the health needs of the local population to plan and commission the right services. This is called risk stratification for commissioning.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the risk stratification tools used by the ICB:

  • Age
    • Gender
    • GP Practice and Hospital attendances and admissions
    • Medications prescribed
    • Medical conditions (in code form) and other things that affect your health.

Legal Basis Statutory requirement for NHS England to collect identifiable information.

A Section 251 support approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of identifiable information about patients included in the datasets.

Data Processing Activities

The practice processes this data internally. Data is also processed by Prescribing Services Ltd (Eclipse) on behalf of the practice. Data is processed by the North of England Commissioning Support Unit on behalf of the ICB.

Opt-out / object details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service you can choose to opt-out through the National Data Opt-Out process.

Where pseudonymised (non-identifiable) data is being used by the ICB, the National Data Opt-Out does not apply. The data is used in a format which does not directly identify you. You have the right to object to your information being used in this way; however, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Should you choose to opt-out, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.



leaflet developed by the Patient Participation Group (information sourced from NHS Digital) is available to download from the website or at The Peninsula Practice (Aldeburgh, Alderton, and Orford). Please read it carefully.

Type 1 Opt-out

If you wish to stop your GP data leaving The Peninsula Practice for purposes other than your direct care, you can do so by filling in and giving or posting the form to the Peninsula Practice

Fill in and give a ‘Type 1’ form to the Peninsula Practice – this form allows you to include details for your children and dependants as well. 

This is the most urgent step - the deadline to get your form to your GP practice is 17 August.

Type 2 Opt-out

If you wish to stop your non-GP data, such as hospital or clinic treatments, being used/sold for purposes other than your direct care, you must use this process:

If it’s just for yourselfuse NHS Digital’s online National Data Opt-out process – this process only works for individuals aged 13 and over.

If you have children under 13, you need to fill in this form and e-mail or post it back to NHS Digital – this form works for both you and your children.

If you have an adult dependant for whom you have legal responsibility, you must use this form and send it back to NHS Digital on their behalf.


Please note: there is no deadline for type 2, the National Data Opt-out (i.e. your non-GP data), but the sooner you do it, the sooner it takes effect. 


If you wish to opt out for both your GP data and National data, you must complete both Type 1 opt-out and type 2 opt-out forms.


If you don’t have a printer

If you don’t have access to a working printer for the type 2 National Opt-out, you can ask the NHS Digital Contact Centre to post you the forms you need. Their phone number is 0300 303 5678 and they are open Monday to Friday, 9am to 5pm (excluding bank holidays), or you can email enquiries@nhsdigital.nhs.uk any time.

Data Opt Out Leaflet Pg1
Data Opt Out Leaflet Pg2

Emergency Care Summary

There is a Central NHS Computer System called the Emergency Care Summary (ECS). The Emergency Care Summary is meant to help emergency doctors and nurses help you when you contact them when the surgery is closed. It will contain information on your medications and allergies.

Your information will be extracted from practices such as ours and held securely on central NHS databases.   

As with all systems there are pros and cons to think about. When you speak to an emergency doctor you might overlook something that is important and if they have access to your medical record it might avoid mistakes or problems, although even then, you should be asked to give your consent each time a member of NHS Staff wishes to access your record, unless you are medically unable to do so.

On the other hand, you may have strong views about sharing your personal information and wish to keep your information at the level of this practice. If you don’t want an Emergency Care Summary to be made for you, tell your GP surgery. Don’t forget that if you do have an Emergency Care Summary, you will be asked if staff can look at it every time they need to. You don’t have to agree to this.

a screenshot of a newspaper
a screenshot of a cell phone