Yardley Green Medical Centre

Yardley Green Medical Centre

77 Yardley Green Road, Birmingham, B9 5PU

Current time is 11:30 - We're open


Telephone: 0121 773 3737

Fax: 0121 772 2392


General Data Protection Regulation (GDPR)

What is GDPR?

The EU General Data Protection Regulation (GDPR) applies to all EU member states and will come into force on 25th May 2018. The GDPR is to be read in conjunction with the Data Protection Bill published in September 2017. The overall aim of the GDPR is to protect individuals from data and privacy breaches in an environment that is driven by technological advances.

The GDPR is based on the 1980 ‘Protection of Privacy and Transborder Flows or Personal Data Guidelines’ which outlined the following eight principles:

  1. Collection limitation
  2. Security safeguards
  3. Data quality
  4. Openness
  5. Purpose specification
  6. Individual Participation
  7. Use limitation
  8. Accountability

The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of ‘Practice Privacy Notices PPN)’.

YGMC – Practice Privacy Notice

There are four key themes that the PPN discusses. Please see below links for further detail:

  1.          Provision of direct care;
  2.          Medical research and clinical audit;
  3.          Legal requirements to share;
  4.         National screening programmes.

How we handle your information

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

Data Controller contact details PCIG Consulting Limited,

Primary Care Development Centre Ltd, Office 25, NBV Enterprise Centre, 6 David Lane, Nottingham, NG8 6BA.

Data Protection Officer contact details Dr Monisha Kurian based at Yardley Green Medical Centre
Purpose of the processing Compliance with legal obligations or court order.
Lawful basis for processing The following sections of the GDPR mean that we can share information when the law tells us to.


Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’


Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

Recipient or categories of recipients of the processed data The data will be shared with NHS Digital.The data will be shared with the Care Quality Commission. The data will be shared with our local health protection team or Public Health England.The data will be shared with the court if ordered.
Rights to object and the national data opt-out There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.


NHS Digital

  • You have the right to object to information being shared with NHS Digital for reasons other than your own direct care.
  • This is called a ‘Type 1’ objection – you can ask your practice to apply this code to your record (Please note: The ‘Type 1’ objection, however, will no longer be available after 2020).
  • This means you will not be able to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012.

NHS Digital sharing with the Home Office

  • There is no right of objection to NHS Digital sharing names and addresses of patients who are suspected of having committed an immigration offence.


Public health

  • Legally information must be shared under public health legislation. This means that you are unable to object.


Care Quality Commission (CQC)

  • Legally information must be shared when the Care Quality Commission [or name of equivalent body] needs it for their regulatory functions. This means that you are unable to object.


Court order

Your information must be shared if it ordered by a court. This means that you are unable to object.

Right to access and correct You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website Share link


We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
Right to complain You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link  https://ico.org.uk/global/contact-us/  or call the helpline on

0303 123 1113

Privacy Information Leaflet – Adults

Privacy Information Leaflet – Children

GDPR childrens poster

GDPR Adults poster