Warwick Eye Surgeons, Mr Toor AND GDPR COMPLIANCE


Consultants, as data controllers, are required to maintain an up to date, written data inventory.


1. The types of data I store

a. Identifiable clinic letters and medical records relating to adults I have consulted with in relation to clinical care and prior medical history.

b. Identifiable clinical and medico-legal documentation relating to Civil and Criminal medico-legal expert reports I have provided.

2. Why I store it

a. This information is stored in order for me to provide ongoing clinical care to the patients I consult with and in order to complete medico-legal reports to assist the Court in civil and criminal cases in which I have been instructed to act as an expert witness.

3. Where and how the data types are stored e.g. on paper, electronically, email, clouds or other systems

a. The information is usually initially documented on a secure electronic patient record (Medisoft), which is also printed on paper for the Hospital’s own records. Medisoft is a password-protected cloud-based server to which Mr Toor and his secretarial team have access.

b. The paper records are for medico-legal case files, stored securely in a locked area to which only Mr Toor has access in accordance with their own policy.

c. Mr Toor may email data to his practice management team as a password protected document using an email client with end to end encryption. They are employed by Nuffield Health and have their own GDPR policy for data protection and are separately registered with the ICO.

d. Emails from your personal email to may not be encrypted by your provider.

4. How the data and storage devices are secured.

a. Mr Toor inputs the data to a password-protected cloud-based server (Medisoft), which is confirmed as GDPR compliant.

c. The files are accessed by Mr Toor or his practice management team via the web-portal provided by Medisoft.


Consultants, as data controllers, are required to maintain an up to date record of data processing:

1. How and why data is collected and processed (include third parties who receive patient data to process on your behalf).

a. The data is collected in written format and documented in paper or electronic format by Mr Toor and may be sent on to Mr Toor’s practice management staff using a secure email account. Other third parties may include: a separately employed medical secretary, Private or NHS medical professionals (GPs and other clinicians), Solicitors (in medicolegal cases), transcription services and billing companies.


Consultants as data controllers are required to provide patients with a notice that sets out how their data is collected and used.

This is called a Privacy Notice (PN) or a Fair Processing Notice.

1. What information is being collected?

a. Typically, Mr Toor will record your name, date of birth, address, details of other individuals involved in your care, telephone number, hospital record and NHS number, email address, age, employment status and clinical information related to your current and past medical problems.

2. Who is collecting it?

a. Mr Toor as a Clinician involved in your care will collect and store this information.

3. How is it collected?

a. The information is recorded as a written document (medical record).

4. Why is it being collected?

a. It is collected in order to provide a contemporary record of your medical care should it need to be referred to in the future in order to ensure good clinical care.

5. How will it be used?

a. It will be used as part of your medical record with Mr Toor and as a means of managing your medical condition as part of the medical record.

6. Who will it be shared with?

a. For clinical care, the information will be shared with your permission (implied for GP and other practitioner referrals) with the referring clinician and other clinicians (including opticians) involved in your care.

b. For medico-legal reports, the information recorded and Mr Toor’s concluding opinion will be shared with your Solicitor and then with the court if the report is submitted as a Court document for evidence.

c. Mr Toor does not routinely store or pass on data entered into his website nor personal data entered into any online billing portal.

7. What will be the effect of this on the individuals concerned?

a. The intended effect is to facilitate a high standard of clinical care or, in medicolegal cases, to assist the Court in reaching a decision or to assist in a Civil claim for damages. It is not thought that the intended use of this information is likely to cause individuals to object or complain.


We work across Warwickshire:
Grafton Suite @ Stratford Hospital
Nuffield Health Warwickshire Hospital
New Foscote Hospital Banbury

Please call

01789 576033




Registered Office: c/o Sandison Easson & Co, Rex Buildings, Alderley Road, Wilmslow. SK9 1HY. Company number: 10326145 - Registered in England and Wales