Renfrew Health & Social Work Centre, 10 Ferry Road, Renfrew, PA4 8RU

Telephone: 0141 207 7730
Out of hours: 111

Data Protection, Privacy and Confidentiality

Access to your Health Records

Under the Data Protection Law, you have a legal right to access your health records. If you want to see your health records you can write to the Practice Manager to request a time to come in and read them. You don’t have to give a reason for wanting to see your records.

It's a good idea to state the dates of the records that you want to see – for example, from 2009 to 2012 – and to send the letter by recorded delivery. You should also keep a copy of your letter for your records. You will usually receive a response to your request within 21 days, although the law states that your hospital, or the Practice, has up to 40 days to respond.

Hospital Records

As well as having a copy of your health records the Practice will also have a summary of any hospital tests, or treatment, that you have had. Any hospitals where you have had treatment, or tests, will also hold records.

To see your hospital health records, you will have to contact your local Hospital. Your request to see your records will be forwarded to the health records manager. The manager will decide whether your request will be approved. Your request will usually only be refused if your records manager, GP, or other health professional believes that information in the records is likely to cause you, or another person, serious harm.

Power of Attorney

Your health records are confidential, and members of your family are not allowed to see them, unless you give them written permission, or they have power of attorney. A lasting power of attorney is a legal document that allows you to appoint someone to make decisions for you, should you become incapable of making decisions yourself.

The person you appoint is known as your attorney. An attorney can make decisions about your finances, property, and welfare. It is very important that you trust the person you appoint so that they do not abuse their responsibility. A legal power of attorney must be registered with the Office of the Public Guardian before it can be used.

If you wish to see the health records of someone who has died, you will have to apply under the Access to Medical Records Act 1990. You can only apply if you: are that person’s next of kin, are their legal executor (the person named in a will who is in charge of dealing with the property and finances of the deceased person), have the permission of the next of kin, or have obtained written permission from the deceased person before they died. To access the records of a deceased person, you must go through the same process as a living patient. This means either contacting the Practice or the hospital where the records are stored.

Data Protection

We are obliged to comply with Data Protection Law and other guidance on privacy and data confidentiality, which we take very seriously. In order to provide care we are obliged to keep records of all medical information, which is kept either in paper form or stored on computer. In order to manage services and improve the quality of patient care we provide, we are sometimes asked to share information on practice activity with the CHP pharmacist, Health Board, Common Services Agency and the Scottish Executive. Whenever possible this information is anonymised. Information is not shared with any third party outside the Health Service without your written consent. We are obliged by law to provide certain information e.g. notification of certain infectious diseases. If you require further information regarding Data Protection please contact the Practice Manager.

Freedom of Information (Scotland) Act 2002

The practice has adopted the model publication scheme prepared by SGPC. Copies can be obtained by contacting the General Practice Manager.

Information Sharing

The practice complies with Data Protection and Access to Medical Records legislation. Identifiable information about you will be shared with others in the following circumstances:

  • To provide further medical treatment for you e.g. from district nurses and hospital services.
  • To help you get other services e.g. from the social work department. This requires your consent.
  • When we have a duty to others e.g. in child protection cases.

Anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care. If you do not wish anonymous information about you to be used in such a way please let us know.

Scottish Primary Care Information Resource (SPIRE)

NHS Scotland is improving the way it uses information from your GP patient record – this information sheet explains what it means for you.

The improved service is called Scottish Primary Care Information Resource (SPIRE) and has been developed to help GPs, the NHS in Scotland and researchers plan for Scotland’s health and care needs. This will be introduced in phases across Scotland from January 2017.

Find out more in this Information Leaflet.

Subject Access Requests


Under the terms of the Data Protection Act, we as the “data controller” have a responsibility to ensure the confidentiality and integrity of the information we hold about you. Furthermore, as your doctor we have a responsibility to ensure the confidentiality of matters of a sensitive medical, psychological, and emotional nature. A subject access request requires us as data controller to give you as the “subject” access to all data we hold about you. This includes every recorded encounter you have had with any GP or nurse in the surgery as well as copies of all hospital letters, test results and prescriptions issued.

Insurance Companies

Insurance companies require medical information from yourself and ourselves to assess your risk of illness, death and disability. There is a system in place for GPs to give a pertinent summary of all relevant medical information (excluding information of a sensitive or irrelevant nature) by way of an industry approved General Practitioner’s Report (GPR). The format of this report was agreed by the Association of British Insurers and the British Medical Association. This system has been in place since then and a fee is paid by the insurance company to ourselves to ensure a prompt efficient service.

Lately some companies have been using the SAR system to obtain patients’ full medical records. We have reason to believe that this may be done to reduce costs to the insurance company. More worryingly, we are concerned that our patients may not have received adequate explanation that their full record will be given to the insurance company, or that there is a simpler system in place whereby we can provide a GP report (or GPR) which releases only the relevant information.

Once we release a medical record to a third party we are no longer the data controller for that information, and we have no control over how that information is stored, used, or shared. As a result, we no longer respond to subject access requests by insurance companies. We have written to your insurance company to suggest that they submit a request to us for a GP report.

Should you wish to submit a subject access request to have copies of your full medical record under the terms of the Data Protection Act, you may do so. Your medical records are held on a combination of paper (for older records) and computer (for new records). We will be able to liaise with you directly to provide this information within forty days. If, however, you wish us to provide a standard report, we recommend that you contact your insurance company directly to express your preference for a General Practitioner’s Report (GPR).


The Information Commissioner’s Office (ICO) has recently ruled on the use of SARs by insurance companies to obtain full copies of patient medical records. In brief, the ICO determined that the use of SARs in this way was inappropriate and has written to the Association of British Insurers (ABI) to advise them of this. In light of the ICO ruling, the BMA and GPC produced a ‘Focus On’ Subject Access Requests for Insurance Purposes guidance document.

As a result we will no longer supply insurance companies with full copies of your medical records.

Your Personal Health Information

To provide you with the care you need, we hold the details of your consultations, illnesses, tests, prescriptions and other treatments that have been recorded by everyone involved in your care e.g. GP, health visitor, practice nurse. This information may be stored on paper or electronically on computer files by practice staff.

We sometimes disclose some of your personal health information to other organisations involved in your care. For example, when your GP refers you to a specialist at the hospital we will send relevant details about you in the referral letter and receive information about you from them.

Our practice also participates in regional and national programmes such as the cervical cytology screening service and your name and address, date of birth and health number will be given to them in order to send an invitation to you.

We need to use some of your personal health information for administrative purposes. In order to receive payment for services provided to you, we have to disclose basic details about you to the NHS Board responsible for this area and to the Common Services Agency for the Scottish Health Service. These organisations have a role in protecting public funds and are authorised to check that payments are being properly made. We are required to co-operate with these checks and disclosure of your data is a necessary part of our provision of healthcare services. Sometimes we may participate in studies that are designed to improve the way services are provided to you or to check that our performance meets required standards. Whenever we take part in activities such as these we will ensure as far as possible any details that may identify you are not disclosed.

Where you need a service provided jointly with a local authority we will seek your permission before giving them your details.

Sometimes we are required by law to pass on information e.g. the notification to the government of births and deaths and certain diseases or crimes is a legal requirement.

Our use of your personal health information is covered by a duty of confidentiality, and is regulated by the Data Protection Law. Data Protection Law gives you a number of rights in relation to how your personal information is used including a right to access the information we hold about you.

Everyone working for the NHS has a legal duty to keep information about you confidential and adheres to a Code of Practice on protecting patient confidentiality. Anyone who receives information from us is also under a legal duty to keep it confidential.