Chawton House Surgery

St Thomas Street, Lymington, SO41 9ND


Telephone: 01590 672953

Chawton House Surgery Privacy Notice


We are required to provide you with this Privacy Notice by Law. This notice explains how we use the personal and healthcare information we collect, store and hold about you.  The notice explains who the information is shared with and how we keep it safe. It also explains how the practice uses the information we hold about you, how you may gain access to this information if you wish to see it, and how to have any inaccuracies corrected or erased. If you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please contact our Practice Manager.


The Law says:

  • We must let you know why we collect personal and health care information about you
  • We must let you know how we use any personal and/or healthcare information we hold on you
  • We need to inform you in respect of what we do with it
  • We need to tell you about who we share it with or pass it on to and why, and
  • We need to let you know how long we can keep it for.


If you:

  • Have questions about how your information is being held
  • Require access to your information, or you wish to make a change to your information
  • Wish to make a complaint about anything to do with the personal and healthcare information we hold about you

Or have any other query relating to this Policy and your rights as a patient, please direct any questions or concerns to Marcia Thomarel, Practice Manager. You can contact her by telephone: 01590 672953; you can also send an email to and mark the subject/your email for the attention of the Practice Manager.



Chawton House Surgery is a 4 Partner, established practice situated on St Thomas Street in Lymington, Hampshire. We are a Data Controller of your information. This means that we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be a Data Processor. The purposes for which we use your information are set out in this Privacy Notice. 


Our records are stored electronically and on paper and include personal details about you including your name, address, date of birth, carers, legal representatives and emergency contact details, as well as:

  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls
  • Details about your medical care, treatments & outcomes (past & present), tests, investigations, scans, observations and opinions
  • Results of any investigations such as laboratory tests and x-rays
  • Details of any medication you are taking
  • Relevant information from other health or social care professionals, relatives or those who care for you
  • Notes and reports about your health
  • Comments made by healthcare professionals in this practice, who are involved in your health care 


Your records are used to ensure you receive the best possible care from our nurses and doctors. They enable the staff to see previous treatments and medications, and to make informed decisions about your future care. They help the doctors to see lists of previous treatments and any special considerations which need to be taken into account when care is provided.

Important information is also collected to help us to remind you about specific treatment which you might need, such as health checks, or reminders for screening appointments such as cervical smear reminders.

Information held about you may be used to help protect the health of the public and to help us to improve NHS services. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Staff at the practice use your information to help deliver more effective treatment to you and to help us to provide you with proactive advice and guidance. Staff who have access to your information will only normally have access to that which they need to fulfil their roles. You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. 


If your health needs require care from others outside this practice we will provide them with whatever information is necessary for them to provide that care. In addition, when you make contact with NHS healthcare providers outside of the practice, it is normal for them to send us information relating to your encounter. Your consent to this sharing of data, within the practice and with those outside of the practice, is assumed and is allowed by law.

There are a number of ways that information collected about you is shared, which includes:

  1. Patient Referrals

With your agreement, your GP or Nurse may refer you to healthcare providers and other services not provided by the practice, or they may work with other services to provide your care in the practice. Once you have been to your appointment with the other health care provider, they will normally tell us about the treatment they have provided for you and any follow up that our practice needs to provide. This information is then included in your GP record.

  1. Local Hospital, Community or Social Care Services

Sometimes the clinicians caring for you need to share some of your information with others who are also supporting you. This could include hospital or community based specialists, nurses, health visitors, therapists or social care services.

  1. Summary Care Record (SCR)

A Summary Care Record is an electronic record of important patient information, created from the GP medical records. It contains information about medication you are taking, any allergies you suffer from and any bad reactions to medications you have previously had. It can be seen and used by authorised staff in other areas of the health and care system involved in your direct care. Giving healthcare staff access to this information can prevent mistakes being made when caring for you in an emergency or when your GP practice is closed. Your Summary Care Record also includes your name, address, date of birth and your unique NHS Number to help identify you correctly. If you and your GP decide to include more information it can be added to the Summary Care Record, but only with your express permission. For more information visit

  1. Care and Health Information Exchange (CHIE)

The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton. GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems. The Care and Health Information Exchange stores summary information from these organisations in one place so that – with your consent – professionals can view it to deliver better care to you. This record contains more information than the SCR, but is only available to organisations in Hampshire. For more information visit

  1. National Services

There are some national services like the National Cancer Screening Programme that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cervical, breast or bowel cancer screening. Often you have the right to not consent to these organisations having your information. You can find out more about how the NHS holds and shares your information for national programmes on the NHS website

  1. Other NHS organisations

Sometimes the practice shares information with other organisations that do not directly treat you, for example, Clinical Commissioning Groups. Normally, it will not be possible to identify you from this information. This information is used to plan and improve services. The information collected includes data such as the area where patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes, and about blood pressure, cholesterol levels and medication. However, this information is anonymous and does not include any written information, such as GP notes, and cannot be linked to you.


  1. Local Data Sharing Agreements 

The practice currently has 5 data sharing agreements, both of which are in place with Southern Health NHS Foundation Trust, our community services provider. The agreements cover:

  • Integrated Care Teams (community nurses, physiotherapists and occupational therapists)
  • The Urgent Treatment Centre at Lymington New Forest Hospital (run by Partnering Health Ltd)
  • Diabetic Eye Screening – nationally commissioned
  • Oakhaven Hospice (offsite and community)
  • Frailty Team

  1. The Control of Patient Information Notice (COPI) during Covid-19

The Control of Patient Information Notice (COPI) relates to the sharing of information during the Covid-19 pandemic. The legal compliance for this is to support public health during the pandemic because it is necessary for the performance of a task carried out in the public interest, or under official authority vested in the controller (Chawton House Surgery). The COPI regulations override all opt outs and information has to be shared for the purpose of public health. 



The healthcare professionals who provide your care maintain records about your health.  This is a record of your care history and allows health care professionals to review your care to help inform future decisions about your treatment. Sharing this information helps to improve the treatment you receive, for example, a hospital consultant writing to your GP.   We follow strict data sharing guidelines to keep your information safe and secure.



Health and social care records are subject to a nationally agreed code of practice which regulates the minimum period for which records must be kept. This specifies that GP records should be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the European Union. Electronic patient records must not be destroyed or deleted for the foreseeable future. For more information, see the records management code of practice:



Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation 2018
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as a life or death situation, or where the law requires information to be passed, or where it is in the best interest of the patient to share the information.

In May 2018, a new national regulation called the General Data Protection Regulation came into force and the practice has a legal responsibility to ensure that we comply with these regulations.



The law gives you certain rights to your personal and healthcare information that we hold, as set out below:

  • Access and Subject Access Requests
  • Correction or Removal of Inaccuracies
  • Data Portability
  • Right to Object
  • Have Information Erased


  1. How can I access the information you hold about me? 

You have a right under the Data Protection legislation to request access to, and obtain copies of, all the information the surgery holds about you. You are also allowed to have information amended should it be inaccurate.

In order to access your medical record, you need to let the practice know by making a Subject Access Request (SAR).

The practice will respond to your request within one month of receipt of your request. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

It will be very helpful to the practice if you could specify any particular information you need so we can provide the information to you as soon as possible.

Usually there is no charge to see the information that the practice holds about you unless the request is excessive, complicated or repetitive. In any of these cases, we may charge an administrative fee.

For information about your hospital medical records, you should write directly to the hospital.


  1. How can I have inaccuracies corrected or removed?

If you feel that the personal data that the practice holds about you is inaccurate or incomplete then please let us know and we will update your records within one month of notification. If this incorrect information has been sent onwards, we will also inform any other organisations of this. If it is not possible to correct the information then we will write to you to let you know the reason behind the decision and inform you how you can complain about this.

If you feel information in your health record should not be there, you can ask the practice to erase that information. We will look at each request specifically.  Please bear in mind there may well be legal reasons why we will need to keep data even if you request it to be erased.  We will explain this to you in detail in our response.


  1. Data Portability

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation. We will require your clear consent to be able to do this.


  1. Right to Object

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research or educational purposes. We would always ask you for your consent in order to do this. You have the right to object to personal data about you being used or shared in this way.

You also have the right to restrict the use of data the practice holds about you. If you do wish to object, please contact the practice. This will prevent your confidential information being used other than where necessary by law.

If you are a Carer and have a Lasting Power of Attorney for Health and Welfare then you can also object to personal data being used or shared on behalf of the patient who lacks capacity.

If you do not hold a Lasting Power of Attorney then you can raise your specific concerns with the patient’s GP. If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then this must be their decision.



Should you have any concerns about how your information is managed at the practice, please contact Marcia Thomarel, Practice Manager. The practice will listen to your concerns and try to act upon them as best we can. If you are still unhappy or have any concerns following a review by the GP practice, you may wish to complain to the Information Commissioner's Office (ICO) via their website.



Sometimes we record information about third parties that you speak about to us, during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party, including yourself. Third parties can include spouses, partners and other family members. 



The Law says we need a legal basis to handle your personal and healthcare information.

  • Contract: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public
  • Consent: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us
  • Necessary Care: Providing you with the appropriate healthcare, where necessary. The Law refers to this as protecting your vital interests, where you may be in a position not to be able to consent
  • Law: Sometimes the Law obliges us to provide your information to an organisation



The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows: 

  • Public Interest: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment
  • Consent: When you have given your consent
  • Vital Interest: If you are incapable of giving consent, and we have to use your information to protect your vital interest (e.g. if you have had an accident and you need emergency treatment)
  • Defending a Claim: If we need your information to defend a legal claim against us, by you, or by another party
  • Providing you with Medical Care: Where we need your information to provide you with medical and healthcare services



Because we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services we provide to you involving your direct care. You must therefore ensure that the details we have for you are up to date. This is to ensure we are actually contacting you, and not another person.



We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained.



You may find a copy of this Privacy Notice in our practice reception. A copy can be provided on request. 


Changes to Privacy Policy

We regularly review and update our Privacy Notice. This privacy policy was last updated on 07/02/2022.



If English is not your first language and you would like a translated copy of this Privacy Notice, please contact the Surgery.
