Practice Policies


General Data Protection Regulations (GDPR) effective from 25 May 2018

Data Protection & Privacy

As your GP Practice we need to hold personal information about you on our computer system and in paper records to help us to look after your health needs, and your doctor is responsible for their accuracy and safe-keeping.  The practice uses a combination of working practices together with information technology to keep your details confidential.


As Data Controllers, Duns Medical Group has processing responsibilities under the Data Protection Act 1998.  We are fully registered with the Information Commissioners Office and comply fully with our obligations as Data Controllers and Processors.  This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and that you would reasonably expect. 

The Data Protection Act will be replaced by the General Data Protection Regulation (GDPR) from 25th May 2018. 


This privacy notice explains what information we need to hold about you and how the information may be used.


What do we hold and how you information will be used...

We need to hold your personal information for administrative, record keeping and internal research and audit purposes.  We will add to this personal information each time you consult the Practice.  This information is known as your health record and will be used to provide you with the best possible healthcare for your needs.


The types of information we hold about you will include:

  • Name, address, date of birth, contact telephone numbers and email address (where given).
  • Details of any parties you have consented to have access to your information (this could be carers, next of kin or legal representatives).
  • Details of any appointments or contacts with the Practice.
  • Medical notes documented by any of the health care team managing your care.
  • Hospital letters, results and documents from clinics or other services relevant to your care.
  • Any information that is necessary and relevant to your care and wellbeing from other health professionals.


If we need to share information about you...

From time to time information may be shared with other parties involved in your care if it is necessary.  This is in accordance with strict data protection legislation and subject to the relevant consent if appropriate.


This may happen if:

  • You are referred to Hospital as an inpatient or an outpatient.
  • You are referred to Social Work (your consent is required for this).
  • When we have a duty towards others i.e. public health matters, child protection, life or death situations.
  • We have a legal obligation to do so, i.e. a Court Order.

You can object to your information being shared with other health care providers however this may impact on the care you may receive.  If there is any impact to you by refusing to allow your information to be shared, the GP will explain this to you at the time.

We may also share some relevant information about you with our partner agencies if they are involved in your care, subject to any necessary consent.

Our partner agencies include:

  • NHS National Services Scotland.
  • NHS Borders and other NHS Health Authorities involved in your care.
  • Independent contractors such as Dentists, Opticians, Pharmacists.
  • Private & voluntary sector health care providers.
  • Ambulance services.
  • Social Care Services and Local Authorities.
  • Education Services
  • Police, Fire and Rescue Services.
  • Services aiding communication such as Docmail and Medical Messenger.


Some information is held centrally by National Services Scotland for statistical purposes and is used to manage and tailor the health needs and services for the people of Scotland.  The information used for this purpose is strictly anonymous.  You can opt out of having your data shared for this purpose.  Further information is available on request from the Practice Manager.

The type of information we may share includes basic details about you to the NHS Board responsible for this area and to the Common Services Agency for the Scottish Health Service.  This information sharing is required as part of our contractual obligation as General Medical Services Providers in order that we are paid for the services provided to you.  These organisations have a role in protecting public funds and are authorised to check that payments are being properly made.

We may also use external companies to process personal information, such as for archiving, communication or mailing purposes.  These companies are bound by contractual agreements to ensure information is kept confidential and secure.  We have contracts with all external companies we use and are confident they are GDPR compliant.

In other circumstances you may be required to give explicit written consent before information is released – such as when we are asked to provide medical reports for insurance purposes or solicitors.



Protecting and Maintaining Your Confidentiality...

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998, Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.

All of our staff and contractors receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.  Staff are only permitted to access personal information where it is appropriate to their role and is strictly on a need-to-know basis.

To ensure your privacy, we will not disclose information over the telephone unless we are sure that we are talking to you, similarly, we will not communicate by fax, text or email unless we are certain that any information will be transmitted directly to yourself.  Information will not be disclosed to family, friends, or spouses unless we have prior written consent, and we do not leave messages with others.  If you would like us to discuss your medical matters with a third party please send us your written, signed consent outlining exactly who you wish to have access to your medical information, this can be as little or as much as you like and can be revoked at any time by you.

We adhere strictly to the above statement and we ask that you respect our policy on confidentiality and consent when you contact the practice about third parties.

Access to Your Records

You have a right under the Data Protection Act 1998 to request access to view or to obtain copies of what information the Practice holds about you and to have it amended should it be inaccurate.

In order to request this, you need to do the following:

  • Your request must be made in writing to the GP – for information from any hospital you should write directly to them.
  • There may be a charge to have a printed copy of the information held about you.
  • We are required to respond to you within 40 days.
  • You will need to give adequate information (for example full name, address, date of birth, NHS or CHI number and details of your request) so that your identity can be verified and your records located.


Change of Details

It is important that you tell the person treating you if any of your details such as you name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended.  You have a responsibility to inform us of any changes so our records are accurate and up to date for you.



Should you have any concerns about how your information is managed in the practice, please contact the Practice Manger.  If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via their website (

If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything.

If you have any concerns about how your data is shared then please contact the practice.



The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.  This information is publicly available on the Information Commissioners Office website  The practice is registered with the Information Commissioners Office (ICO).


Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential is:

Duns Medical Group.



The practice is known as “Duns Medical Group” and is contracted by NHS Borders to provide General Medical Services at The Knoll in Duns.   The practice nurse is Maureen White.  It is not a training or teaching practice.  

NHS Borders has its headquarters at Newstead, Melrose, Roxburghshire TD6 9DB, phone (01896) 828282 or e-mail  They can provide full details of Primary Care Services available in the Borders.    

The practice is centred on Duns and covers approximately 300 square miles, bounded by and including Cockburnspath, Ayton, Paxton, Westruther, Cranshaws and Longformacus.   We will normally request that you register with another practice should you move outwith our practice area.


In line with GMC guidance, GPs and Nurses are required to offer a chaperone for any intimate examinations. A chaperone is an impartial observer who would be present during the examination. Please do not be alarmed if we ask you if you would like a chaperone present. You can decline a chaperone if you would prefer.

For more information, please ask a member of the team. 

NHS ScotlandThis site is brought to you by My Surgery Website