Privacy Policy – Dr Potter

April 2020

Dr Potter abides by the Data Protection Act 1998 and has a duty to look after all confidential patient information and to be clear about how Dr Potter uses such information. To provide a service to patients, it is necessary that both doctors and non-medical staff working with Dr Potter have access to patient medical records, and this access is kept to a necessary minimum.

This privacy notice details how we collect and process data through the website, registration forms and email.

By providing us with data you warrant to us you are over 18 years old.

We take information about you in order to respond to your queries and tailor our support to suit your needs. 

We do not provide this information to any third parties.

How long health records are retained

All patient records are maintained digitally on a cloud-based Patient Management System. Each user of the PMS has an individual login.

If any member of staff leaves then Dr Potter will disable the login.

All pathology results and scans are emailed onto the patient record and then destroyed.

When a patient registers, they complete an online Patient Registration Form.

Patients who have a concern about any aspect of their care or treatment, or about the way their records have been managed, should contact Dr Potter.

Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way Dr Potter has handled or shared their personal information:

The Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane

Tel: 0303 123 1113 or 01625 545745
Information Commissioner’s Office website (

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.


It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at


This is a Privacy Notice, also known as a Fair Processing Notice, and is in accordance with the General Data Protection Regulation (GDPR), which came into force in May 2018 and replaces the Data Protection Act 1998.

This notice describes how Dr Potter uses and manages the information held about patients, including how the information may be shared with other organisations and how the confidentiality of patient information is maintained.

Personal data is information that relates to a living individual who can be identified from that data.

Dr Potter holds personal data about patients for the purposes of providing them with appropriate care and treatment.

Dr Potter keeps records about the health care and treatment provided to her patients.

This helps to ensure that patients receive the best possible care.


It helps patients because:

  • Accurate, up-to-date information is important for providing the right care;

Patient information may be shared, for the purposes of providing direct patient care, with NHS organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc. should the patient provide consent.

In such cases, the shared data must always identify the patient for safety reasons.

For the benefit of the patient, Dr Potter may also need to share patient health information with other private organisations.

However, Dr Potter will not disclose confidential health information to third parties without the patient’s explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.

Dr Potter may also be asked to share basic information about her patients, such as names and addresses, which does not include sensitive health information.

Generally, Dr Potter would do this where it is necessary to assist an organisation to carry out its statutory duties.

As it may not be practicable in such circumstances to obtain patients’ explicit consent, Dr Potter is informing her patients through this notice, which is referred to as a Fair Processing Notice, under the General Data Protection Regulation 2018.

  • When the patient has implicitly consented to the sharing for direct care purposes;

Where patient information is shared with other organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

Refusing or withdrawing consent

The possible consequences of refusing consent will be fully explained to the patient at the time and could include delays in receiving care.

In those instances where the legal basis for sharing of confidential personal information relies on the patient’s explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.

In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.

Dr Potter is registered with the Information Commissioner’s Office as a Data Controller (reference ZA554223), as required by the Data Protection Act 1998.

Patients have the right to access personal information about them held by Dr Potter, either to view the information in person, or to be provided with a copy.

Patients wanting to access their health records should request this via e-mail

What kind of information Dr Potter holds about patients

  • Identity details – name, date of birth
  • Contact details – address, telephone, email address
  • Next of kin – the contact details of a close relative or friend
  • Details of any outpatient appointments and/or GP appointments
  • Results of any scans, X-rays and pathology tests
  • Details of any diagnosis and treatment given
  • Information about any allergies and health conditions

By providing Dr Potter with their contact details, patients are agreeing to Dr Potter using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).


Direct Marketing

All patients are asked to complete a registration form to confirm existing details. By completing this form, Dr Potter will assume that you wish to hear from her regarding news and clinic updates. Should you no longer wish to hear from her, there is an unsubscribe button on the email.

Any e-mails sent will be blind copied.

All e-mail addresses are held by a secure cloud-based online company.

How patient records are kept confidential

Everyone working for Dr Potter has to sign a Confidentiality Agreement.

Information provided in confidence will only be used for the purposes advised and consented to by the patient, except in circumstances where the law requires or allows Dr Potter to act otherwise.

Under the Confidentiality Agreement, all staff working for Dr Potter are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.

How patient records are shared

Dr Potter shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to GPs, Consultants and healthcare practitioners for the purposes of providing direct care and treatment to the patient, including administration. There is the option to opt out of sharing information with the GP at registration.
  • Communication with medical insurance companies to assist in the processing of insurance claims
  • Communication with a company we engage to invoice medical insurance companies for reimbursement.
  • Disclosure to bodies with statutory investigative powers – e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman;
  • Disclosure to solicitors, to the police, to the Courts (including a Coroner’s Court), and to tribunals and enquiries;

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

  • When there is a Court Order or a statutory duty to share patient data;
  • When there is a statutory power to share patient data;
  • When the patient has given his/her explicit consent to the sharing;