Privacy Notice for Stockwell Road Surgery
This Notice has been written to inform our patients about how we collect their personal information and what we do with it. Please be aware that this notice may be subject to change. The latest version can be found on the Practice’s website.
Who are we?
Practice Name is a ‘Data Controller’ as defined by Article 4 (7) of GDPR. This means that we determine the purposes for which, and the way in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.
The practice has appointed Paul Couldrey at PCDC to be its Data Protection Officer. Their contact details are: Tel: 0115 838 6770 email: email@example.com
What data do you collect about me?
We will collect general information about you including:
- Name, address, DOB,
- Contact details and emergency contacts,
- Carer or legal representative.
We will also process certain ‘special category’ data about our patients. This means information which is more sensitive and needs extra protection. Most of what we collect about you is information relating to your physical or mental health such as:
- Contact you have had with us in relation to appointments, clinic visits, emergency appointments etc,
- Notes and reports about your health,
- Information about your treatment and care,
- Results of tests, x-rays, and investigations,
- Any other relevant patient information including information provided by others such as health professionals, relatives, carers or other partner organisations who you may be involved with,
It may also be necessary for us to process other special category information about you for medical purposes including, but not necessarily limited to:
- Sex life or sexual orientation,
- Racial or ethnic origin,
- Religious or philosophical beliefs.
What do you do with my personal data?
We use your information in order to:
- Provide you with healthcare services,
- Improve service delivery and planning,
- Investigate any concerns you have raised about the service you have received,
- Conduct research and produce statistical data.
We also use your information for the following reasons:
• Risk stratification
Risk stratification is a process in which we use personal information to determine if patients may be at high risk of experiencing certain medical conditions. This is done for preventative reasons and we will collect this information from various health care services including NHS Trusts and the information we hold about you within the practice.
• Medicines Management
Harrogate and Rural District CCG provide support to audit and review patients’ medicines and prescriptions, and in order to do this they will require access to patient records. This is in place to enhance effective and safe prescribing of medication and to ensure we are operating in a cost-effective way. We have a confidentiality agreement in place to govern this process.
• GP Practice Variation
Harrogate and Rural District CCG provide support to promote understanding of the variation between GP practices. This work requires access to patient records and is governed by a confidentiality agreement.
What is your lawful basis to process my personal data?
There are a number of reasons we may rely on to process your personal data in line with Article 6 and Article 9 of GDPR. These are:
- Because we have a legal obligation,
- Because it is in the public interest or we have official authority,
- To protect the vital interests of you or another person,
- For the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services,
- For reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,
- For research or statistical purposes.
Who has access to my personal data within the practice?
Employees of Practice Name may only access your personal data if they require it to perform a task. There are procedures and checks in place to ensure that employees cannot use your data for their own personal benefit.
Who do you share my personal data with?
The practice will only share personal data with another organisation if it has a lawful basis to do so and will always keep records of when your data has been disclosed to another organisation. Organisations with whom we may share your information include, but are not limited to:
- NHS Trusts,
- Other GPs (if you transfer to another practice),
- Independent contractors including dentists, opticians and pharmacists,
- Voluntary sector providers,
- Ambulance Trusts,
- Harrogate and Rural District Clinical Commissioning Group,
- Local Authorities,
- Children or Adults Social Care,
- Education Services,
- Fire and Rescue Services,
- Regulatory Authorities (such as CQC and NMC).
We will not share information about you without your permission unless we are required to do so by law. Sometimes we may be required to share your information and will not always be able to tell you. Examples might be for the purposes of detection or prevention of crime, or where we are required to share due to a court order.
Third party processors
In order to deliver the best possible service the practice may use third party organisations. These organisations will sometimes require access to your personal data in order to complete their work. If we do use a third party organisation we will always have an agreement in place to ensure that the other organisation keeps your data secure.
How do you protect my personal data?
Practice Name is committed to keeping the personal data that it holds safe from loss, corruption or theft. It has a number of measures in place to do this including:
- Annual training for all employees on how to handle personal data,
- Policies and procedures detailing what employees can and cannot do with personal data,
- A number of IT security safeguards such as firewalls, encryption, and virus protection software,
- On site security safeguards to protect physical files and electronic equipment.
How long do you keep my personal data for?
Practice Name will only keep your personal data for as long as it is required to fulfil the purpose it was collected for or for as long as is required by legislation.
Do you transfer my data outside of the UK?
Generally the information that the practice holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. We will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK or EU government. If the practice does need to send your data out of the EU it will ensure it has extra protection from loss or unauthorised access.
What are my Data Protection rights?
Under data protection legislation you have the following rights in relation to the processing of your personal data:
- to be informed about how we process your personal data. This notice fulfils this obligation.
- to request access to your personal data that we hold, and be provided with a copy of it,
- to request that your personal data is amended if inaccurate or incomplete,
- to request that your personal data is erased where there is no compelling reason for its continued processing,
- to request that the processing of your personal data is restricted,
- to object to your personal data being processed.
If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above.
If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the practice has handled your personal data. You can do so by contacting:
First Contact Team, Information Commissioner's Office, Wycliffe House, Water Lane