GDPR for Patients

The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.

The regulation applies from 25 May 2018, and will apply even after the UK leaves the EU.

What will GDPR mean for Patients?

The GDPR sets out the key principles about processing data, for staff or patients;

  • Data must be processed lawfully, fairly and transparently
  • It must be collected for specific, explicit and legitimate purposes
  • It must be limited to what is necessary for the purposes for which it is processed
  • Information must be accurate
  • Data must be held securely
  • It can only be retained for as long as is necessary for the reasons it was collected

There are also stronger rights for the patients regarding the information that practices hold about them. These include;

  • Being informed about how their data is used
  • Patients to have access to their own data
  • Patients can ask to have incorrect information changed
  • Restrict how their data is used
  • Move their patient data from one health organisation to another
  • The right to object to their patient information

GDPR and Crickhowell Group Practice

In accordance to the new GDPR regulations, Crickhowell Group Practice is in the process of updating its Privacy Policy to make it easier for you to understand:

  • what information we collect
  • why we need to collect it
  • how long we collect it for
  • who has access to it
  • how we use it

We are doing this to ensure we follow the European GDPR legislation, which is designed to harmonise privacy laws across the EU. As soon as this new Privacy Policy is in place you will be informed within the practice and via the website.

Confidentiality & Medical Records

Locked blue folderThe practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:

  • To provide further medical treatment for you e.g. from district nurses and hospital services.
  • To help you get other services e.g. from the social work department. This requires your consent.
  • When we have a duty to others e.g. in child protection cases anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

Freedom of Information

Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.

Access to Records

In accordance with the Data Protection Act 1998 and Access to Health Records Act, patients may request to see their medical records. Such requests should be made through the practice manager and may be subject to an administration charge. No information will be released without the patient consent unless we are legally obliged to do so.

your information your rights

Your Information Your Rights Leaflet


Customer service formWe make every effort to give the best service possible to everyone who attends our practice.

However, we are aware that things can go wrong resulting in a patient feeling that they have a genuine cause for complaint. If this is so, we would wish for the matter to be settled as quickly, and as amicably, as possible.

To pursue a complaint please contact the practice manager who will deal with your concerns appropriately. Further written information is available regarding the complaints procedure from reception.

Putting Things Right Leaflet

Please click here: Putting Things Right to view the information leaflet avaiable from NHS Wales.

For futher links to other formats for this information, please click here.

Violence Policy

The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.

Guidance on the use of email

At Crickhowell Group Practice we allow patients to contact us via email for any non-urgent communication. We endeavour to reply to all emails within 24 working hours.

As a practice we are limited to what information we can share through email and any personal information required we will have to follow our GDPR guidelines. Alternative methods are available and we would advise you to contact our main reception for more details.  To comply with data protection we recommend that you use a private email account and not a family or shared account.

Please note it is the patient’s responsibility to ensure they have correct email settings, to enable a reply to be received in their email inbox. Please be advised that internet email accounts, such as those commonly used by individuals for private purposes, are not secure. Therefore please be aware that there is a risk (however small) of the email being intercepted or ‘hacked’.


Information governance is very important to us and all emails sent to our generic email account are accessed by our trained practice administration team and stored on our secure NHS Wales IT portal

We advise patients that we limit two-way dialogue via email which risks becoming a ‘virtual consultation’ instead we advise you make an appointment to seek further health advice


NHS WalesThis site is brought to you by My Surgery Website