Privacy Notice

1. Introduction

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

SurreyGP Ltd. is a limited company registered in England and Wales. Its registered number at Companies House is 06750720 and its registered office is Radius House, 51 Clarendon Road, Watford, Hertfordshire, WD17 1HP. We confirm when processing data on your behalf that we will comply with the relevant provisions of the Data Protection Legislation. You will also ensure that any disclosure of personal data to us complies with the Data Protection Legislation.

2. Information we collect and why we use it

Personal data is principally collected and processed when supplied by you in the course of our engagement with you. The personal information we collect from you will vary depending on services engaged. The personal information we collect might include your name, address, telephone number, email address, your NHS number, your National Insurance number, your medical insurance company details, bank account details, your IP address, which pages you may have visited on our website and when you accessed them. In general terms, and depending on which services you engage as part of providing our agreed services we may use your information to:

• contact you by post, portal, email or telephone
• verify your identity where this is required
• understand your needs and how they may be met
• maintain our records in accordance with applicable legal and regulatory obligations
• process financial transactions

In order to provide you with the best treatment possible we may have to collect personal information about you from other organisations. These may include:
a) Medical records from your GP
b) Medical records from your clinician (including their medical secretaries) c) Medical records from your dentist
d) Medical records from the NHS or any private healthcare organisation

Medical records include information about your diagnosis, clinic and hospital visits and medicines administered.

We would like to keep you informed with important updates, our related services, our opinions and essential reading. We’ll also make sure you get advance notice of our events and we will only do this when you have given your explicit consent.

The confidentiality of your medical information is important to SurreyGP. We make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health. In doing so, SurreyGP complies with UK data protection law, including the Data Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.


Our website uses Google Analytics to help analyse how users use the site. The tool uses “cookies,” which are text files placed on your computer, to collect standard Internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of the website (including IP address) is transmitted to Google. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity for SurreyGP.

We will never (and will not allow any third party to) use the statistical analytics tool to track or to collect any Personally Identifiable Information (PII) about visitors to our site. Google will not associate your IP address with any other data held by Google. Neither we nor Google will link, or seek to link, an IP address with the identity of a computer user. We will not associate any data gathered from this site with any Personally Identifiable Information from any source, unless you explicitly submit that information via a fill-in form on our website.

You may choose to accept or decline cookies. Most Web browsers automatically default to accept them, but you can usually modify your browser setting to decline cookies. If you reject cookies by changing your browser settings then be aware that this may disable some of the functionality on our website.

User’s Personal Information: Visitors to our website may be able to register to use our services, attend events, make a purchase, join a community or upload/download information. When you register, you will provide personal information such as name, address, email, telephone number or facsimile number and other relevant information. We will not disclose Personally Identifiable Information we collect from you to third parties without your permission except to the extent necessary, including: To fulfil your requests, to protect ourselves from liability, to comply with the terms and conditions of our internet host provider.

3rd Party Policies

Related services and offerings linked to or from this website have their own privacy statements that can be viewed by clicking on the corresponding links within each respective website. Since we do not have control over the policies or practices of participating merchants and other third parties, we are not responsible for the privacy practices or contents of those sites. We recommend you review their policies before you provide any personal information or complete any transaction with them.

3. Obligation on you when passing on personal data

If any of the details submitted for processing change, it is your responsibility to inform us so that we can update our records as soon as practically possible.

4. Your Rights

Access to your information: You have the right to request a copy of your personal information we hold.

Correcting your information: We want to make sure that your personal information is accurate, complete and up to date and you can ask us to correct any personal information about you that you believe does not meet these standards.

Deletion of your information: You have the right to ask us to delete personal information about you where:

• you consider that we no longer require the information for the purposes for which it was obtained
• you have validly objected to our use of your personal information
• our use of your personal information is contrary to law or our other legal obligations

• you have withdrawn your consent

Restricting how we may use your information: In some cases you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you do not want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Objecting to how we may use your information: Where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue. You have the right at any time to require us to stop using your personal information for direct marketing purposes.

Withdrawing consent to use your information: Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Requests must be made in writing via the Data Protection Manager at SurreyGP, 32-34 London Road, Guildford, GU1 2AB or via email

Alternatively, you can contact the Information Commissioner’s Office at

5. Disclosure of your information

We may share your personal data within the Firm for the purposes of performing the services contracted and, where consented, business updates and marketing activities. We will not sell or rent your information to third parties.

We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf, for example to process a referral letter. However, when we use third party service providers, we disclose only the information that is necessary to deliver the service. Contractually information is kept secure and used only for the purposes of delivering the required service.

We will not release your information to other third parties unless you have requested that we do so, or we are required to do so by law, for example, by a court order.

As detailed in the previous sections, it is often necessary to seek information from other healthcare organisations. We may also collect information about you from third parties when:
a) You are referred to us for the provision of services including healthcare services

b) We liaise with your current or former employer, health professional or other treatment or benefit provider
c) We liaise with your family
d) We liaise with your insurance policy provider

e) We deal with experts (including medical experts) and other service providers about services you have received or are receiving from us
f) We deal with NHS health service bodies about services you have received or are receiving from us
g) We liaise with credit reference agencies
h) We liaise with debt collection agencies
i) We liaise with Government agencies, including the Ministry of Defence, the Home Office and HMRC

How will we communicate with you?

In order to communicate with you, we are likely to do this by telephone, SMS, email, and / or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.


a) to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders)), we may communicate with you by SMS and/or unencrypted email (where you have provided us with your email address) in each case where you have expressed a preference in the patient registration form to be contacted by SMS and / or email.

b) to provide you with your medical information (including test results and other clinical updates) and/or invoicing information, we may communicate with you by email (which may be encrypted) where you have provided us with your email address and have expressed a preference in the patient registration form to be contacted by email. The first time we send you any important encrypted email e.g one that we are not also sending by post or which requires action to be taken, we will endeavour to contact you separately to ensure that you are able to access the encrypted email you are sent.
c) If we have your mobile number or your email address we may use this method of communication to contact you regarding patient surveys which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing.

Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare services

We are also developing a patient portal, called MySurreyGP. The portal is intended, in the first instance, to allow patients to book appointments, with additional features to be developed over time. As we develop the portal and understand the specific detail on how it will work, we will update this Privacy Notice before it goes live.

Purpose: Communicating with you and resolving any queries or complaints that you might have.

From time to time, patients may raise queries, or even complaints, with SurreyGP and we take those communications very seriously. It is important that we resolve such matters fully and properly, and so we will need to use your personal information in order to do so.

Disclosures to third parties:
We may disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:

a) A doctor, nurse, carer or any other healthcare professional involved in your treatment
b) Other members of support staff involved in the delivery of your care, like receptionists and porters
c) Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer
d) NHS organisations, including NHS Resolution, NHS England, Department of Health
e) Other private sector healthcare providers
f) Your GP
g) Your dentist
h) Your clinician (including their medical secretaries)
i) Third parties who assist in the administration of your healthcare, such as insurance companies
k) National and other professional research/audit programmes and registries l) Government bodies, including the Ministry of Defence, the Home Office and HMRC
m) Our regulators, like the Care Quality Commission, GMC, IDF.
n) The police and other third parties where reasonably necessary for the prevention or detection of crime
o) Our insurers
p) Debt collection agencies
q) Credit referencing agencies
r) Our third party services providers such as IT suppliers, actuaries, auditors, lawyers, document management providers and tax advisers
s) Selected third parties in connection with any sale, transfer or disposal of our business

t)Public Health England where required to do so by law (eg Covid test results)

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.


As detailed above, we may contact you to ask you to participate in surveys regarding your treatment with SurreyGP. The surveys will largely be sent post-treatment by email or SMS. This is not a form of marketing and the surveys do not try to sell you any further products or services; it is solely to gather information relating to your experience of SurreyGP, for the purposes of improving the quality and safety of the services we offer to future patients. It is necessary for us to process your personal data in order to contact you with these surveys, on the basis of our appropriate business needs and to improve the quality of the healthcare services we offer.

Participation in the surveys is entirely voluntary. You may decide not to complete the surveys and you will have the option to unsubscribe from receiving further survey invitations. You may also be given the opportunity to proactively opt into receiving a call back to further discuss your survey responses. These are all matters entirely for you.

We are also required by law to conduct audits of health records, including medical information, for quality assurance purposes. Your personal and medical information will be treated in accordance with guidance issued by the Care Quality Commission (England), Health Inspectorate Wales and Healthcare Improvement Scotland

Purpose: Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers) including conducting post treatment surveys

SurreyGP is a quality-conscious organisation, and always looking to learn from patients’ experiences in order to improve the experience for future patients. With that in mind, we will use your personal information to identify where such improvements can be made, such as reviewing recorded phone calls to assess whether anything can be learnt and contacting you to seek your valuable thoughts on the SurreyGP experience.

6. Security of data

We take the security of your data seriously. All of our systems have appropriate security in place that complies with all applicable legislative and regulatory requirements. Whilst we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Where we have given, or where you have chosen, a password which enables you to access information, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

7. Retention of records

We will retain your personal data for as long as necessary to achieve the purposes set out in this Privacy Notice. We have a legal responsibility to retain documents and records relevant to your medical affairs. Records for children must be retained until they reach the age of up to 26.

We will hold your records for the legal or regulatory minimum periods required. We also reserve the right to retain data for longer than this due to the possibility that it may be required to be provided to a regulator outside of these minimum periods.

Records held for the purpose of business updates are held until such time that notice of consent is revoked.

8. Changes to our privacy notice

We keep this privacy notice under regular review. This privacy notice was last updated on 24 March 2021