The Oakwood Surgery

Access to data we hold about you.

‘Subject Access Requests’

Terms used

Data Controller.

This is the controller of the data and the system, as defined in the Act. In this case the Controller is The Oakwood Surgery.

Data Subject.

This is the person whose image is within the system, and who has rights of access as determined under the Act.

Third Party.

A person or body other than the Data Subject who requests access, or to whom an image may be provided.

Data protection act

The UK Data Protection Act and EU GDPR specify the rights of access of Data Subjects.  

All requests for access must be in writing on a Data Access form which will be provided on request.

The form must be fully completed.  A response will be provided as soon as possible, and in any event within 1 month.

Where an application is declined, a reason will be given. In some circumstances, some parts of your record may be withheld.

How to make an access request

Download a Subject Access Request form here

 Ensure that the form is fully completed, using a separate sheet of paper if necessary, and return it to the address below.

 Your request will be completed within 1 month

There is no facility for immediate access.


Send the application to:

The Oakwood Surgery

Masham Road




CCTV images

 Images will not be retained longer than is considered necessary, and will be then be deleted.

 All images will be held securely, and all access requests, and access to images will be documented.

 Images may record individuals and / or record incidents. Not all recordings are designed to identify persons.

 Other than in accordance with statutory rights, the release or availability of images will be at the discretion of the Partners to the Practice, who are Data Controllers for the purposes of the Data Protection Act.

 Images are held to improve the personal security of patients and staff whilst on the premises, and for the prevention and     detection of crime, and images may be provided to police or other bodies.

 Where access is granted in response to an application received, the image may be edited to exclude images of third parties who may be also included within the requested image. This may be necessary to protect the identity of the third parties. In these circumstances the image released as part of the application may record / identify the “data subject” only.

 Images will be located by the Data Controller or authorised person.

When assessing the content of the image released the decision will be taken by the Data Controllers having due regard to the requirements of the Data Protection Act and Code of Conduct.

Information and third parties

The practice may share your personal information with other NHS organisations where this is appropriate for your healthcare.

In other circumstances we may approach you for specific consent to release personal information to third parties.

Information will not normally be released to other family members without written patient consent.

In some circumstances there are statutory or ethical obligations to disclose information to others (such as public health issues) which may not require your consent, however you may be consulted about these in advance.

All staff have access to your medical and personal details which is required in relation to their roles, and have completed confidentiality agreements.