This practice is committed to complying with the Data Protection Act 2018, the General Data Protection Regulation (GDPR), GDC, NHS and other data protection requirements relating to our work. We only keep relevant information about employees for the purposes of employment and about patients to provide them with safe and appropriate health care. This policy should be read in conjunction with Data Protection Overview (M 216) and the other related policies and procedures at the end of this policy. All data protection and information security policies, procedures and risk assessments are reviewed annually in iComply.
The person responsible for data protection and information security is the Information Governance Lead, Nick Allday.
Our lawful bases for processing your personal data are listed in our Privacy Notice (M 217T).
The practice offers individuals real choice and control. Our consent procedures put individuals in charge to build patient trust and engagement. Our consent for marketing requires a positive opt-in; we don’t use pre-ticked boxes or any other method of default consent. We make it easy for people to withdraw consent, tell them how to do so and keep contemporaneous evidence of consent. Consent to marketing is never a precondition of a service.
Data protection officer (DPO)
[NHS practices: Our DPO is the Information Governance Lead, Nick Allday / Fully private practice: We do not have a Data Protection Officer as we do not process large volumes of data.]
Pseudonymisation means transforming personal data so that it cannot be attributed to an individual unless there is additional information.
- Pseudonymisation – the data can be tracked back to the original data subject
- Anonymisation – the data cannot be tracked back to the original data subject
Examples of pseudonymisation we use are:
- We never identify patients in research, patient feedback reports or other publicly available information
- When we store and transmit electronic data it is encrypted and the encryption key is kept separate from the data
We report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach results in a high risk of adversely affecting individuals’ rights and freedoms we also inform those individuals without undue delay. We keep contemporaneous records of any personal data breaches, whether or not we need to notify. For our data breach notification procedures see Information Governance Procedures (M 217C).
Right to be informed
We provide ‘fair processing information’, through our Privacy Notice (M 217T) and the Privacy Notice for Children (M 217TC), which provide transparency about how we use personal data. [These are available on our website and from the practice.]
Your data rights
Right of Access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. If an individual contacts the practice to access their data they will be provided with, as requested:
- Confirmation that their data is being processed
- Access to their personal data
- Any other supplementary information about your rights as found below and in our Privacy Notices (M 217T) and (M 217TC)
Right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The practice will delete personal data on request of an individual where there is no compelling reason for its continued processing. The right to erasure applies to individuals who are not patients at the practice. If the individual is or has been a patient, the clinical records will be retained according to the retention periods in Record Retention (M 215) and after the periods stated can be deleted upon request.
Right of rectification
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
Right to restriction
Individuals have a right to ‘block’ or suppress the processing of their personal data. If requested we will store their personal data, but stop processing it. We will retain just enough information about the individual to ensure that the restriction is respected in the future.
Right to object
Individuals have the right to object to direct marketing and processing for purposes of scientific research and statistics.
An individual can request the practice to transfer their data in electronic or other format.
Privacy by design
We implement technical and organisational measures to integrate data protection into our processing activities. Our data protection and information governance management systems and procedures take Privacy by design as their core attribute to promote privacy and data compliance.
We keep records of processing activities for future reference.
Privacy impact assessment
To identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy, we review our Privacy Impact Assessment annually in iComply using the Sensitive Information Map, PIA and Risk Assessment (M 217Q).
Information Governance Procedures (M 217C) includes the following information security procedures:
- Team members follow the ‘Staff Confidentiality Code of Conduct’, which clarifies their legal duty to maintain confidentiality, to protect personal information and provides guidance on how and when personal or special category data can be disclosed
- How to manage a data breach, including reporting
- A comprehensive set of procedures, risk assessments and activities to prevent the data we hold being accidentally or deliberately compromised and to respond to a breach in a timely manner
- The requirements and responsibilities if team members use personal equipment such as computer, laptop, tablet or mobile phone for practice business
This policy and the data protection and information governance procedures it relates to are reviewed annually with iComply.
CODE iComply related policies and procedures
- G 110 – Complaints, Problems and Events Overview
- G 110B – Event Register
- G 110A – Event Record
- G 135 – Backup Procedures and Software Log Overview
- G 135A – Computer Backup Log
- G 135B – Purchased Software Log
- M 215 – Record Retention
- M 216 – Data Protection Overview
- M 216A – GDPR and Data Protection Action Plan
- M 217A – IG Improvement Plan (NHS practices only for Data Security and Protection Toolkit)
- M 217C – Information Governance Procedures
- M 217D – IG Lead Job Description
- M 217E – Staff Confidentiality Agreement
- M 217F – Subcontractors Confidentiality Agreement
- M 217G – Information Asset Log
- M 217H – Mobile Equipment Log
- M 217I – Mobile Equipment Terms and Conditions
- M 217K – Compliance Monitoring Form
- M 217L – Network, Computer and Software Access Log
- M 217M – Physical Security Risk Assessment
- M 217N – Business Impact Analysis
- M 217P – Patient Leaflet on Personal Information
- M 217Q – Sensitive Information Map, PIA and Risk Assessment
- M 217RA – Communication Consent Form
- M 217RB – Consent for Clinical Photography
- M 217RX – Data Requests Record
- M 217S – Legitimate Interests Assessment
- M 217T – Privacy Notice
- M 217UA – Contract for Data Processor or Joint Data Controllers
- M 217V – Data Protection and Security Training Needs Analysis (NHS practices for online Data Protection and Security toolkit)
- M 233-CON – Confidentiality Policy
- M 233-CNS – Consent Policy
- M 233-DPQ – Data Quality Policy
- M 233-SMD – Social Media Policy
- M 255 – Disaster Planning and Emergency Procedures Arrangements
- Information Commissioner www.ico.org.uk
- EU – US Privacy Shield www.privacyshield.gov
- GDPR Regulation
Personal information this website collects
Where your data is held
Your data is held on secure servers operated by Namesco Limited and will be stored under robust security measures.
Storage and security of your personal information
Security
We comply with the standard procedures and requirements as laid down by applicable law to ensure that your personal information is kept secure and we use the latest in Secure Server Technology (SSL – 128bit encryption) to ensure that all of your personal information is protected to the highest standards.
The transmission of information via the internet is not completely secure. Any emails we send or receive may not be protected in transit. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website; any transmission is at your own risk. Any passwords that you use must be kept securely. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law. Additionally, the information that we collect from you may be transferred to, and stored at, a destination outside the UK and the European Economic Area ("EEA"). It may also be processed by our third party suppliers outside of the UK and EEA.
Google Analytics
This site uses Google Analytics to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website. Google Analytics records data such as your geographical location, device, internet browser and operating system; none of this information personally identifies you. Google Analytics also records your computer’s IP address, which could be used to personally identify you, but Google do not grant us access to this. Disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website.
Read Google's overview of privacy and safeguarding data
We use a third-party provider, JotForm, to deliver your details using the contact form you submit to us. Your information will remain within JotForm's database for as long as we continue to use JotForm's services for our contact forms.
We consider JotForm to be a third party data processor.
For more information, please see https://www.jotform.com/privacy/
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We may also use trusted third-party services that track this information on our behalf.
Most web browsers allow some control of most cookies through the browser settings. Every browser is different; look at your browser's Help Menu to learn the correct way to modify your cookies. If you turn cookies off, some features may be disabled.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.