This practice is committed to complying with the Data Protection Act 2018, the General Data Protection Regulation (GDPR), GDC, NHS and other data protection requirements relating to our work. We only keep relevant information about employees for the purposes of employment and about patients to provide them with safe and appropriate health care. This policy can be read in conjunction with Data Protection Overview and Information Governance Procedures, which can be obtained from emailing email@example.com. This policy and all related policies, procedures and risk assessments are reviewed annually.
The person responsible for Data Protection is the Information Governance Lead: Anand Patel.
Our lawful basis for processing personal data is:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Necessary for the purposes of legitimate interests pursued by the controller or a third party
Our lawful basis for processing special category data is:
Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
Pseudonymisation means transforming personal data so that it cannot be attributed to an individual unless there is additional information.
- Pseudonymisation – the data can be tracked back to the original data subject
- Anonymisation – that data cannot be tracked back to the original data subject
Examples of pseudonymisation we use are:
- We never identify patients in research, patient feedback reports or other publicly available information
- When we store and transmit electronic data it is encrypted and the encryption key is kept separate from the data
We report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach results in a high risk of adversely affecting individuals’ rights and freedoms we also inform those individuals without undue delay. We keep contemporaneous records of any personal data breaches, whether or not we need to notify.
Right to be informed
We provide ‘fair processing information’, through our Privacy Notice, which provides transparency about how we use personal data.
Right of Access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. If an individual contacts the practice to access their data they will be
provided with, as requested:
- Confirmation that their data is being processed
- Access to their personal data
- Any other supplementary information or rights as found below and in our Privacy Notice
Right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The practice will delete personal data on request of an individual where there is no compelling reason for its continued processing. The right to erasure applies to individuals who are not patients at the practice. If the individual is or has been a patient, the clinical records will be retained according to the retention periods in Record Retention procedures.
Right of rectification
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
Right to restriction
Individuals have a right to ‘block’ or suppress the processing of their personal data. If requested we will store their personal data, but stop processing it. We will retain just enough information about the individual to ensure that the restriction is respected in the future.
Right to object
Individuals have the right to object to direct marketing and processing for purposes of scientific research and statistics.
An individual can request the practice to transfer their data in electronic or other format.
Information Governance Procedures includes the following information security procedures:
- Team members follow the ‘Staff Confidentiality Code of Conduct’, which clarifies their legal duty to maintain confidentiality, to protect personal information and provides guidance on how and when personal or special category data can be disclosed
- How to manage a data breach, including reporting
- A comprehensive set of procedures, risk assessments and activities to prevent the data we hold being accidentally or deliberately compromised and to respond to a breach in a timely manner
- The requirements and responsibilities if team members use personal equipment such as computer, laptop, tablet or mobile phone for practice business
This policy and the data protection and information governance procedures it relates to are reviewed annually.
Information Commissioner www.ico.org.uk
EU – US Privacy Shield www.privacyshield.gov