Privacy, Freedom of Information & information security

Essential privacy and sharing information

Click here to see our website's privacy and cookies policy

Patient Guide: Sharing your medical record

3. Patient Guide Sharing Your Medical Record v0.2

Patient guide to SystmOnline's Sharing Preferences

4. Patient Guide SystmOnline Sharing Preferences v0.2

Willowbrook Privacy Notice

Freedom of Information

The Freedom of Information Act creates a right of access to recorded information and obliges a public authority to:

  • Have a publication scheme in place.
  • Allow public access to information held by public authorities.

The Act covers any recorded organisational information, such as reports, policies or strategies, that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. However, it does not cover personal information such as patient records, which are covered by the Data Protection Act.

Public authorities include government departments, local authorities, the NHS, state schools and police forces.

The Act is enforced by the Information Commissioner, who regulates both the Freedom of Information Act and the Data Protection Act. Information about the General Practitioners and the practice required for disclosure under this Act can be made available to the public. All requests for such information should be made to the practice manager.

The Surgery publication scheme

A publication scheme requires an authority to make information available to the public as part of its normal business activities. The scheme lists information under seven broad classes, which are:

  • Who we are and what we do
  • What we spend and how we spend it
  • What our priorities are and how we are doing it
  • How we make decisions
  • Our policies and procedures
  • Lists and registers
  • The services we offer


Who can request information?

Under the Act, any individual, anywhere in the world, is able to make a request to a practice for information. An applicant is entitled to be informed in writing, by the practice, whether the practice holds information of the description specified in the request and, if that is the case, to have the information communicated to him. An individual can request information regardless of whether he/she is the subject of the information or affected by its use.


How should requests be made?

Requests must:

  • be made in writing (this can be done electronically, e.g. by email or fax)
  • state the name of the applicant and an address for correspondence
  • describe the information requested.


What cannot be requested?

Personal data about staff and patients covered under the Data Protection Act.

For more information see these websites:


Data Protection Act

The practice is registered under the Data Protection Act 1998. When you register, you will be asked for information about yourself so that you can receive the appropriate care and treatment. This information is kept with details of your health and treatment provided, so that the practice can ensure that the care you receive is appropriate and consistent with your medical history. The practice may pass information to other organisations and strict conditions must be complied with before information is released.

Read our FAQ about how and why we use your information confidentially for risk stratification.



Confidentiality is an absolute right and patients can be assured of confidentiality at all times. Patients will have access to their medical records, subject to any limitations in the law. The practice keeps up-to-date health records to give you the best possible care. This information may be used for management and audit purposes. However, it is usually only available to, and used by, those involved in your care.


Information Security

No data is captured on the website, and the forms send emails into secure NHS systems without recording any Patient Identifying Data. Your medical data is never accessible to anyone except you and a secure NHS email address. This includes site administration, so even if the site gets hacked you are secure.

The site itself is hosted from secure servers based in Nuneaton, and is SSL encrypted (which you can tell from the green padlock in the browser bar). This means that your connection to the site is fully secure at all times, and that your data cannot be captured or harvested (for example, while a form is being submitted). The site has no direct links to any medical systems or data, and therefore your data cannot be compromised through it.

All links on the pages are to secure, verified sites.


EU privacy law

Our entire infrastructure is based in the UK, including all shared, reseller and backup servers. As such, we are fully compliant with laws that require that your data never reside on servers outside the UK.

