GDPR – Data Privacy Notice
In this practice we have always taken the confidentiality and security of personal and clinical information extremely seriously. With the introduction of the General Data Protection Regulations we have produced this notice to explain why we collect your personal data and what we do with it.
When you supply your personal details to this practice they are stored and processed for 3 reasons.
1. We need to collect personal information about your health in order to provide you with the best possible clinical advice and treatment. Your requesting clinical advice and treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide advice and treatment.
2. We have a “Legitimate Interest” in collecting that information, because without it we couldn’t do our job effectively and safely.
3. We also think that it is important that we can contact you in order to confirm your appointments with us or to update you on matters related to your clinical care. This again constitutes “Legitimate Interest”, but this time it is your legitimate interest.
We have a legal obligation to retain your records for 8 years after your most recent appointment (or age 25, if this is longer). After this period you can ask us to destroy/delete your records if you wish; otherwise, we will retain your records indefinitely in order that we can provide you with the best possible care should you need to see us at some future date.
Your records are stored on paper in locked filing cabinets/offices which are locked when not occupied and supervised by a member of staff, and the practice premises are always locked and alarmed out of working hours. We store certain personal or clinical information in a computer system. In compliance with the General Data Protection Regulations, access to this information is password protected, and the passwords are changed regularly. Our backup media are also stored in compliance with the General Data Protection Regulations.
We will never share your data with anyone who does not need access without your written consent. Only the following people/agencies will have routine access to your data:
• Your practitioner(s) in order that they can provide you with treatment
• Our support staff, because they organise practitioners’ diaries, coordinate appointments and reminders and communicate with patients as part of the administration of the practice. It is a condition of employment that staff only have access to the minimum of information to enable them to fulfil their roles in the practice; they are bound by a strict code of confidentiality in their terms of employment.
Although unlikely, we may occasionally need to engage consultants to perform specific additional tasks which might give them access to your personal data (but not your clinical records). We will ensure that they are fully aware that they must treat that information as confidential, and we will ensure that they sign a non-disclosure undertaking.
You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. As explained above, provided the legal minimum period has elapsed, you can also ask us to destroy/delete your records.
We want you to be absolutely confident that we are treating your personal data responsibly and that we do everything we can to make sure that the only people who can access that data have a genuine need to do so.
Of course, if you feel that we are mishandling your personal data in some way, you have the right to complain.
Complaints need to be sent to what is referred to as the “Data Controller”. The data controller for this practice is:
4, Wellington Circus,
(0115) 948 4141
If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office.