Privacy Docs

Your Rights as a Patient

  • Be registered with a General Practitioner
  • Change doctor if desired
  • Be offered a health check on joining the Practice
  • Receive emergency care from the Practice
  • Receive appropriate drugs and medicines
  • Be referred for specialist or second opinion if they and the GP agree
  • You are entitled to the same treatment regardless of age, race or religion.
  • You have the right to access your medical records and those who wish to do so must make their requests in writing and address them to Mrs Beverley Williams, our Practice Manager. A fee will be charged for this service.
  • The Practice adheres to a strict code of confidentiality. Any medical information can only be disclosed to another party (e.g. a Solicitor) with your written consent (with the exception of a few rare circumstances). Thus we are not at liberty to disclose information regarding relatives unless you are the parent or guardian of a minor.
  • If you prefer to have a chaperone present during an intimate examination please inform the Doctor. You can either ask a member of staff or a friend/family member to be present.
  • Your medical records are held in the strictest confidence. Information is not passed on without your consent unless it is within the confines of the NHS, via the legal framework, or is in the public interest.
  • Certain anonymised patient data may be shared for the purposes of public health and audit, research, teaching and training. This practice is registered under The Data Protection Act. It is a practice and legal requirement that all staff maintain confidentiality of patients’ records. If you require a copy of our Freedom of Information Act Model Publication scheme, write to Mrs Beverley Williams, Practice Manager.


Sharing your GP medical record with other healthcare professionals involved in your care

In Wales, 64 groups of GP practices have been established and these are known as “Primary Care Clusters”. Their job is to ensure that the health and social care needs of all of their patients are met, in the best possible way. Within each cluster, GPs will work alongside Nurse Practitioners, Pharmacists and other Allied Health Professionals, such as Physiotherapists, to share information and resources between them. Some of the benefits of this way of working are:

  • continuation of the existing patient-doctor relationship in the absence of your usual GP
  • improved access to consultations across different sites
  • a wider range of services

Who will be able to access my medical record and what will they use it for?

A qualified healthcare professional will be able to access your GP medical record. This will usually be for the specific problem you are presenting with, and will allow the professional assessing you to have quicker, easier access to relevant information about you.

Cluster Pharmacists may access your records when, for example, undertaking prescription reviews or answering any queries about your medication. This is to ensure that medicines are prescribed safely, efficiently and effectively.

Other staff within the practice, such as receptionists, will also have access to your medical record to carry out tasks such as processing prescriptions, delivering test results and directing you to the most appropriate healthcare professional.

All healthcare professionals accessing your records will normally be employed by either one of the GP Practices within the cluster or by the Local Health Board. For details of which practices are in your cluster, please refer to

What information can be accessed?

Information which can be accessed, where there is a need, includes:

  • personal information, such as name, date of birth, gender;
  • allergies;
  • medication;
  • hospital admission, attendances and referral dates;
  • vaccinations and immunisations;
  • test results, including measurements such as blood pressure;
  • diagnoses (current and past problems);
  • treatment and medical procedures.

What information will be blocked from viewing?

No information will routinely be blocked from viewing unless you specifically ask for information to be hidden. For example, it may be possible to hide particularly sensitive information such as sexually transmitted diseases, termination of pregnancy, etc. from certain individuals. If you have any questions, please discuss this initially with your Practice Manager.

How will my information be kept secure and confidential?

Your GP medical record is stored on a secure computer system and access to it is strictly controlled. All of the practices within the cluster, and the local health board, will have signed an agreement to confirm that they will follow the strict controls in place around the computer system itself, and around any staff who are allowed to access the system. Everyone working within the cluster has a legal, contractual and professional duty to keep information about you secure and confidential.

Can I find out who has viewed my medical record?

Every time your electronic GP medical record is accessed an audit log is created. These audit logs are retained so if you are concerned that someone has inappropriately accessed your record, please discuss this initially with the Practice Manager.

Is there a danger someone else could hack into my record or that my information could be lost?

Contracts are in place with the supplier of the clinical computer systems to ensure that they have robust security measures installed. These measures will prevent any information from being accessed without permission, lost or accessed inappropriately by a third party.

For further information

If you would like additional information you can discuss the sharing of your medical records with the Practice Manager, GP or any other member of the healthcare team.

Tywyn Health Centre’s Policy on Email Governance & the Use of Email for Patient Contact

General Principles

Tywyn Health Centre recognises the use of email as a method for patients to make non-urgent contact with the practice. We offer a range of methods for patients to contact the practice, including:
• Telephone
• Contact form via website
• Email
In adherence to professional standards of conduct and communication with patients (including GDPR & the NHS Records Management Code of Practice 2020), we are required to explain the purpose of patient email correspondence, how we store emails and how any information contained within the email may be used or retained.

The Purpose of Patient Email Communication

Patients may choose to send information pertaining to non-urgent medical enquiries, observations, suggestions or complaints via email. In all instances this information will be treated as confidential and governed by the appropriate professional standards.
Email is not a suitable method of contact if you have an urgent medical query so please telephone our reception team on 03000 843 200 and you will be triaged by our practice nurses. We would also encourage patients to make an appointment, via the triage system, if they wish to discuss a medical issue that requires further investigation or diagnosis.
The practice email system should not replace an appointment so responses to emails will be concise and where possible confidential information will be limited. The practice does not want to encourage a “virtual conversation” as this would be inappropriate.

Email Responses

When contact is initiated by email it is assumed that consent has been given for a response from the practice to be sent via email. Our email account is monitored during working hours only. All responses are governed by data protection and confidentiality guidelines. Our staff will:

• Only be able to discuss any information pertaining to a patient with the patient concerned.
• Respond within the capabilities of their role.
• Respond using the “enquiries” account rather than their own email accounts.
• Refer to the appropriate clinician or colleague for advice when required.
• Respond to all emails within 3 working days (NB: weekends are not working days).

If we have reason to suspect that we have received an email that is not from the patient themselves then we will not be able to respond to the email. If you are contacting the practice via email on behalf of someone else, please state this clearly in the email.
It is the patient’s responsibility to ensure their own email account settings are configured to receive all email responses from Tywyn Health Centre.
The practice cannot be held accountable if an email response is blocked by a patient’s email account.

Access to Emails

Emails sent to the practice address: are initially processed by our reception team. If further advice is required or the query refers to a request relating to a different department, the reception team may refer to colleagues in the other practice departments. Therefore, the following members of staff may have access to emails sent by patients to the above address:
• Practice Manager
• Members of the Administration Department
• Members of the Dispensary Department
• Clinicians and Nurses
• Other Health Centre Users & Primary Health Care Team (i.e. Counsellor, Physiotherapist)

Storage of Emails

Emails are stored in a folder for a maximum of 1 year. The contents of this email folder are deleted annually on 1st April by the Reception Manager.
To improve ease of access and provide an audit trail, all emails are copied and pasted in their entirety, or stored as a complete document, in the records system in order to preserve context. Information stored in this way is declared as a record and is subject to the professional standards laid out in the NHS Records Management Code of Practice 2020.
Email content stored as part of the digital patient record will be stored under the continual retention guidelines specified in the NHS Records Management Code of Practice 2020.

Email Safety

Our practice email is a designated NHS Wales account and as such is subject to security protection put in place by NHS Wales. Every effort is made to ensure email content is protected but we cannot be held responsible for individual patient email accounts.
When an email containing confidential information is sent from a private account, it is the patient’s responsibility to ensure they have made every effort to reduce the risk (albeit small) of that information being hacked or intercepted.

We recommend that patients use a private email account rather than a shared family account for the purposes of communication with the practice.

We are a GP practice working within the area of the Betsi Cadwaladr Health Board. We serve a permanent practice population of approximately 5,500 patients on one site and employ a number of staff, including GPs, nurses, healthcare assistants and administrative staff. Tywyn Health Centre Practice aims to ensure the highest standard of medical care for our patients. To do this we keep records about you, your health and the care we have provided or plan to provide to you.

Why issue a privacy notice?

Tywyn Health Centre Practice recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties. This notice is one of the ways in which we can demonstrate our commitment to our values and being transparent and open.

This notice also explains what rights you have to control how we use your information.

What are we governed by?

The key pieces of legislation/guidance are:

  • General Data Protection Regulations
  • Human Rights Act 1998 (Article 8)
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health & Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • The Re-use of Public Sector Information Regulations 2015
  • The Environmental Information Regulations 2004
  • Computer Misuse Act 1990
  • The Common Law Duty of Confidentiality
  • Information Security Management – NHS Code of Practice

Who are we governed by?

  • Department of Health
  • Information Commissioner’s Office
  • Health Inspectorate Wales
  • NHS Wales
  • General Medical Council (GMC)

Why and how we collect information

Information which can be accessed, where there is a need, includes:

  • personal information, such as name, date of birth, gender;
  • allergies;
  • medication;
  • hospital admission, attendances and referral dates;
  • vaccinations and immunisations;
  • test results, including measurements such as blood pressure;
  • diagnoses (current and previous problems);
  • treatment and medical procedures.

How we use information

  • To help inform decisions that we make about your care
  • To ensure your treatment is safe and effective
  • To work effectively with other organisations who may be involved in your care
  • To support the health of the general public
  • To ensure our services can meet future needs
  • To review care provided to ensure it is of the highest standard possible
  • To train healthcare professionals
  • For research and audit
  • To prepare statistics on performance
  • To monitor how we spend public money

There is a huge potential to use your information to deliver care and improve health and care services across the NHS and social care. The information can be used to help:

  • Improve individual care
  • Understand more about disease risks and causes
  • Improve diagnosis
  • Develop new services
  • Improve patient safety
  • Evaluation of policy/procedures/pathways

It helps because:

  • Accurate and up to date information assists us in providing you with the best possible care
  • If you see another healthcare professional or specialist from another part of the NHS, they can readily access the information they need to provide you with the best care possible.
  • Where possible, when using information to inform future services and provision, non-identifiable information will be used.

Disclosure of Information to Other Health and Social Professionals

We work with a number of other NHS and partner agencies to provide healthcare services to you, for example:

  • Other NHS hospitals
  • Relevant GP Practices
  • Dentists, Opticians and Pharmacies
  • Private Sector Providers (private hospitals, care homes, hospices, contractors providing services to the NHS)
  • Voluntary Sector Providers who are directly involved in your care
  • Ambulance Service
  • Specialist Services
  • Associated healthcare and social care staff working within Arfon Cluster
  • Out of Hours Medical Service
  • NHS Wales

We may also share your information, with your consent and subject to strict sharing protocols about how it will be used, with other Health and Social Care departments and the Police and Fire Services.

Risk Prediction

Risk prediction data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive information. Information about you is collected from a number of sources in NHS Wales including this GP Practice.

A risk score is then arrived at through an analysis of your de-identifiable information by the NHS Informatics Service and is only provided back to your GP’s Data Controller in an identifiable form. Risk prediction enables your GP to focus on preventing ill health and not just the treatment of illness. If necessary, your GP may be able to offer you additional services.

My Health Online (MHOL) – Online Registration for Booking Appointments and Ordering Repeat Prescriptions

Registering for My Health Online allows you to book a routine GP appointment 24 hours a day, cancel appointments no longer needed, check your repeat medication, order repeat prescriptions and make changes to your email and mobile contact number where appropriate. Patients aged 16 years and over can register to use this service and can de-register at any time. Please enquire at Reception if you need information.

Mail to Patients

We sometimes use a printing company to send letters to our patients, for example to remind you about flu vaccination campaigns. Data sent is encrypted; the Company puts it in a format to print the letter, despatches it via Royal Mail or courier, and then deletes the information we send.

Text messages to Patients

If we have your current mobile telephone number, we will send you appointment reminder text notifications, information about flu clinics, health promotion information, cancellation of clinics and changes in service provision. Please ensure that we have your most up to date mobile telephone number for this to continue. (You can opt out of the text notification service at any time by contacting the practice).

Emergency Care Summary (ECS)

Emergency care information such as your name, date of birth, the name of your GP, any medicines which your GP has prescribed, any medicines you are allergic to or react badly to, is shared with Out of Hours as this might be important if you need urgent medical care when the GP surgery is closed.

NHS staff (Doctors, Nurses, Accident and Emergency, Ambulance control and crews) can look at your ECS if they need to treat you when the surgery is closed. They will ask for your consent before they look at your records. In an emergency and if you are unconscious, staff may look at your ECS without your agreement to let them give you the best possible care. Whenever NHS staff look at your ECS, a record will be kept so we can always check who has looked at your information.

Medicine Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is provided by our clinicians and Pharmacists provided by the local Health Board.

Computer System

This Practice operates a Clinical Computer System on which NHS Staff record information securely. This information can then be shared with other Clinicians so that everyone caring for you is fully informed about your relevant medical history.

How We Keep Your Information Confidential and Secure

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998, Article 8 of the Human Rights Act, the Common Law of Confidentiality, The General Data Protection Regulation and the NHS Codes of Confidentiality and Security. Everyone working in or for the NHS must use personal information in a secure and confidential way.

Please be aware that your information will be accessed by non-clinical Practice staff in order to perform tasks enabling the functioning of the Practice. These include, but are not limited to:

  • Typing referral letters to Hospital Consultants or allied Health Professionals
  • Opening letters from hospitals and Consultants
  • Scanning clinical letters, reports and any other documents not available electronically
  • Photocopying or printing documents for referral to Consultants
  • Handling, printing, photocopying and postage of medico legal and life assurance reports and other associated documents
  • When you register with the Practice we may ask for proof of ID – this is to ensure that no one tries to register you at the Practice using your identity but without your knowledge. Please be assured that any copies of ID that we take at that point are destroyed once we have confirmation of your registration by NHS Wales. This takes 2-3 days maximum.

To protect your confidentiality, we will not normally disclose any medical information about you over the telephone, or by fax, unless we are sure that we are talking to you. This means that we will not disclose information to your family, friends, and colleagues about any medical matters at all, unless we know that we have your consent to do so.

We will only ever use or pass on your information if there is a genuine need to do so. We will not disclose information about you to third parties without your permission unless there are exceptional circumstances, such as when the law requires.

All persons in the Practice (whether employed by the Doctors, or for the Local Health Board) sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.

Right of Access to Your Health Information

The General Data Protection Regulation allows you to find out what information about you is held on computer and in manual records. This is known as “right of subject access” and applies to personal information held about you. If you want to see or receive information that the Practice holds about you:

  • You will need to make a request to the practice manager.
  • We may ask you to complete a request form to establish exactly what parts of your record you need.
  • You will need to give us adequate information for us to be sure that your request is legitimate (ess, date of birth, NHS number etc) plus two forms of identification to enable us to confirm your identity – with a large practice list size
  • There may be a charge for excessive requests for information held about you
  • We are required to respond to you within one month

Who Else May Ask to Access Your Information

  • The Court can insist that we disclose medical records to them;
  • Solicitors often ask for medical reports. We will require your signed consent for us to disclose information. We will not normally release details about other people that are contained in your records (e.g. wife, children, parents etc.) unless we also have their consent;
  • Social Services – The Benefits Agency and others may require medical reports on you from time to time. We will need your signed consent to provide information to them.
  • Life Assurance Companies/Employers/Occupational Health Doctors frequently ask for medical reports on individuals. These are always accompanied by your signed consent form.

We will only disclose the relevant medical information as per your consent. You have the right, should you request it, to see reports prepared for Insurance Companies, employers or Occupational Health doctors before they are sent.

Sharing Your Information without Consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is a serious risk of harm or abuse to you or other people
  • Where a serious crime, such as assault, is being investigated or where it could be prevented
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not sensitive information such as HIV/AIDS)
  • Where a formal Court Order has been issued
  • Where there is a legal requirement, e.g. if you had committed a Road Traffic Offence

The practice is committed to ensuring that your privacy is protected.

Change of Details

It is important that you tell us if any of your details such as your name, address, home telephone number or mobile telephone number has changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are kept accurate and up to date at all times.

Your NHS Number

Every person registered with the NHS in England and Wales has their own unique NHS number. It is made up of 10 digits – for example 123 456 7890.

Your NHS number is used by healthcare staff to identify you correctly. It is an important step towards improving the safety of your healthcare. To improve safety and accuracy always check your NHS number on correspondence the NHS sends to you.

If you don’t know your NHS number, ask at the Practice. You may be asked for proof of identity, for example a passport or other form of identity. This is to protect your privacy.

This Privacy Notice does not provide exhaustive details of all aspects of the collection and use of personal information by Tywyn Health Centre. However, we are happy to provide any additional information or explanation needed. If you wish to request further information please contact:

Practice Manager:
Mrs B Williams, Tywyn Health Centre, Aberdovey Road, Tywyn, Gwynedd, LL36 9HL
Telephone: 03000 843200


Should you have a complaint about how your information is managed at the practice, please contact the Practice Manager. If you remain unhappy with the Practice’s response, you can complain to the Information Commissioner’s Office.

Changes to This Privacy Notice

We keep our Privacy Notice under regular review. This Privacy Notice will next be reviewed in May 2019.

What is a privacy statement?

A privacy notice helps your doctor’s surgery tell you how it uses information it has about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your healthcare record.

Why do we need one?

Your doctor’s surgery needs a privacy notice to make sure it meets the legal requirements which are written in a new document called the General Data Protection Regulation (or GDPR for short).

What is the GDPR?

What a great question! The GDPR is a new document that helps your doctor’s surgery keep the information about you secure. It’s new and will be introduced on the 25th May 2018, making sure that your doctor, nurse and any other staff at the practice follow the rules and keep your information safe.

At the surgery, we have posters in our waiting room and leaflets to give to children and adults and we also have information about privacy on our website, telling you how we use the information we have about you.

What information do we collect about you?

Don’t worry; we only collect the information we need to help us keep you healthy – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.

How do we use your information?

Another great question! Your information is taken to help us provide your care. But we might need to share this information with other medical teams, such as hospitals, if you need to be seen by a special doctor or sent for an X-ray. Your doctor’s surgery may be asked to help with exciting medical research; but don’t worry, we will always ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.

How do we keep your information private?

Well, your doctor’s surgery knows that it is very important to protect the information we have about you. We make sure we follow the rules that are written in the GDPR and other important rule books.

What if I have got a long-term medical problem?

If you have a long-term medical problem then we know it is important to make sure your information is shared with other healthcare workers to help them help you, making sure you get the care you need when you need it!

Don’t want to share?

All of our patients, no matter what their age, can say that they don’t want to share their information. If you’re under 16 this is something which your parents or adults with parental responsibility will have to decide. They can get more information from a member of staff at the surgery, who can also explain what this means to you.

How do I access my records?

Remember we told you about the GDPR? Well, if you want to see what is written about you, you have a right to access the information we hold about you, but you will need to complete a Subject Access Request (SAR). Your parents or adults with parental responsibility will do this on your behalf if you’re under 16.

What do I do if I have a question?

If you have any questions, ask a member of the surgery team or your parents or adults with parental responsibility. You can ask to speak to the practice manager or her deputy.

What to do if you’re not happy about how we manage your information?

We really want to make sure you’re happy, but we understand that sometimes things can go wrong. If you or your parents or adults with parental responsibility are unhappy with any part of our data-processing methods, you can firstly speak to the practice manager. Should you still not be happy, you can complain. For more information, visit and select ‘Raising a concern’.

We always make sure the information we give you is up to date. Any updates will be published on our website, in our leaflets, and on our posters.

This policy will be reviewed in May 2019

INR Star Privacy Notice

INRstar is the name of the anticoagulation software that we use in Practice to ensure anticoagulation services are safe, effective and cost efficient. This software is developed and supported by a company called LumiraDX Care Solutions Ltd and is hosted on the secured NHS IT network infrastructure. We use INRstar to help support our patients with anticoagulation and connected self-care for patients on both warfarin and direct oral anticoagulation drugs (DOACs/NOACs). The support software is used to help clinicians determine the best possible care for patients undergoing anticoagulant care, and to record a patient’s therapy and treatments.

Who Processes the stored data?

LumiraDX Care Solutions Ltd are classed as our data processor under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). This means that, as a Practice, we have contracted with this company to process personal data on our behalf with the appropriate assurances that they meet all the data protection requirements as a data processor.

Changes to policy

On 30th July 2021, LumiraDX Care Solutions Ltd moved the current location of the INRstar software to a new Cloud-First technology, within England in a UK Government approved data centre. The move of the data held within INRstar and the IT infrastructure that supports the software to Cloud-First technology aligns with the NHS Architectural principles, which help to define best practice on the use of information technology to improve health and social care services in the UK. Cloud-First technology offers enhanced security, increased reliability, and improved system performance at peak times, and enables LumiraDX Care Solutions Ltd to provide a robust service for its clinicians and their patients whilst providing confidence that the data they hold remains safe and secure.

What does this mean for you as a patient?

There are no changes to the clinical system itself, or the logic within it, and so this should not result in any changes to patient management in any way. Importantly, your data will not have been modified during the migration unless authorised by your care team and will only be processed in accordance with this Privacy Notice.

Why we are informing you

It is our legal duty at Tywyn Health Centre to inform our patients who have undergone or are currently undergoing anticoagulant care about the INRstar system and the migration to a new Cloud-First technology.
