GDPR & Privacy for Children & Young Adults

Fair Processing Notice Privacy Policy

GDPR for Childred & Young Adults

Privacy Policy - Children & Young Adults (Applies to children 13 – 16 years)

How we use your personal information

This notice explains why the practice collects information about you and how that information may be used.

The health care professionals, who provide you with care will keep records about your health and any treatment or care you have received (e.g. Hospital, GP Surgery, Walk-in Centre etc.). These records help to give you the best possible healthcare.

From the age of 13 years, the ICO (Information Commissioner’s Office) regards you as having the competence to consent to your own health care and the processing of the information that we hold about you at this practice which form what is known as your ‘Health Record’.

This is in line with what is called the ‘Gillick Competence’ which is a medical law that decides whether a child under 16 years is able to consent to his/her own medical treatment without the need for consent from a parent/carer/legal guardian.

These records may be electronic (information kept on our computers), on paper (letters that we may have or that we receive) or a mixture of both, and we take every care to make sure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following:

  • Details about you, such as your address, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about any treatment you have had or are having.
  • Results of any tests that you may have such as blood tests, x-rays etc.
  • Important information from other health professionals, relatives or those who care for you
  • Important information from your school that may be to do with your health or wellbeing (eg. behaviour reports, concerns from teachers, vaccinations you have had)
  • Information from Child Health about any Health assessments or vaccinations you have had, you have missed or you may need.

Your records will be stored in line with the NHS Code of Practice for Records Management

It is our job to give you the best care possible and so your records are used to make sure that this happens.  We may sometimes need to share your information with other people in the NHS to help us to make things in the NHS better.  Most of the time, this information will not have your personal details (name. date of birth) so you cannot be identified.  In cases where we do need to give your personal details, we will always ask if this is okay with you.  Information may be used within the GP practice for clinical audits to help us monitor the quality of the care that you receive.

Sometimes your information may be requested to be used for research purposes – the surgery will always ask you before giving any information for this purpose.

How we keep your records confidential

We have to keep your personal information and records private so we will only use or share your information in line with the following guidelines and laws:

General Data Protection Regulation 2018

Human Rights Act 1998

Common Law Duty of Confidentiality

Health and Social Care Act 2012

NHS Codes of Confidentiality and Information Security

Information: To Share or Not to Share Review

Every member of staff who works for the Practice or another NHS organisation has a legal obligation to keep information about you confidential.  Staff at this practice have to sign a ‘Confidentiality Agreement’.

We will only ever use or pass on information about you if others involved in your care if this is important for your treatment. We will not give your information to anyone else without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on, for example Child Protection and Serious Criminal Activity.

Organisations that we may share your information with

We may also have to share or receive your information, under strict agreements on how it will be used, with the following organisations:-

  • NHS Organisations
  • Doctor, Dentist, Optician or Pharmacist
  • Ambulance Service
  • Social Care & Safeguarding Services
  • Child Health
  • County Council
  • Schools
  • Fire and Rescue Services
  • Police & Court Services (if we are asked by law)

We will always tell you who we are sharing your information with and may even have to ask for your consent to do this (ask if it is okay with you) and you may be asked to sign a form for this.

Access to your information

Under the new General Data Protection Regulation (GDPR) you have the right to ask to see your medical records whenever you like and this is free.  Also, if you think that any of the information you see is not correct, you can ask for this information to be taken out.  This can only be done if we are 100% sure that the information is NOT correct.  To be able to see your records, this is what you will need to do:

  • Write a letter to the doctor here to ask to look at your records. You will need to include your full name, date of birth, NHS number (if you know it) and your address. This is so that we can make sure that we are giving this information to the right person.
  • The doctor will use the Gillick Competence rules (that we talked about above) to make sure that you are able to have that consent
  • We will not charge for this (unless you ask a lot of times then we may put on a charge)
  • If the doctor agrees that it is okay for you to have access, we will give you the information within 30 days

Data Processor

This is the person/people or organisation that is responsible for using and recording your information. All staff at Howard Medical Practice are individual Data Processors

Data Controller

The Data Controller is the person/organisation responsible for keeping your information secure and confidential.  Howard Medical Practice is your Data Controller

Data Protection Officer (DPO)

The Data Protection Officer has overall responsibility for GDPR within this area.  Our designated DPO is: Ms Jane Hill                                                  She can be contacted by email:

Objections / Complaints

If you need to know anything else about how we use or keep your information, you can ask to speak to our Practice Manager and she will be happy to explain.  If you have access to the internet, you can also read more about this on the ICO website ( )

Change of Details 

It is important that you tell us or any other person treating you if any of your details such as your name, address or contact details have changed.

You should also know that at 13 years old you are able to use your own mobile telephone number instead of your parents’ numbers for when we need to contact you.  At 13 years we will now take out all mobile numbers from our records and will write to you to ask what number you would like us to have.  If you are still happy for us to put in one of your parents’ mobile numbers then you can let us know.


Under the General Data Protection Regulations we have to register this surgery with the Information Commissioner to describe the purposes for which we process personal and sensitive information.  

This information is available for everyone on the Information Commissioners Office website

This practice is registered with the Information Commissioners Office (ICO).