How the Practice handles your information
Purpose of providing this privacy information
This privacy notice tells you what to expect when you, and sometimes others, provide your personal information to us. It sets out what information we collect about you and why we collect it, how the information may be used, who it may be shared with and how we will protect it and keep it confidential.
The notice explains what rights you have to control how we use your information, our legal basis for processing it and how you can access it. We also explain who to contact if you have any questions and how to contact them.
The Stables Medical Practice is the Data Controller for the personal information we process, unless otherwise stated. There are many ways you can contact the Practice, including by phone, email, and post. Further details can be found on our Contact Details webpage.
Why do we need information about you?
All Health and Social Care organisations that provide you with care are required by law to maintain records about your health and any treatment or care you have received.
The Practice collects and holds information for the purpose of providing healthcare services to our patients and running our organisation, which includes monitoring the quality of care and planning the care that we provide our patients.
To do this we may collect information about you which helps us:
- respond to your queries;
- provide you with the most appropriate care; or
- arrange specialist services on your behalf.
We may keep your information in written form and/or in digital/electronic form. The records will include basic details about you, such as your name and address. They may also contain sensitive information about your health such as outcomes of assessments. All information about you is treated confidentially and only shared as described in this Privacy Notice.
What information do we collect about you?
We hold different types of information about you which forms part of your medical record and is mainly held to ensure you receive the best possible treatment and care. For example,
Personal information may include:
- name, address and other contact details;
- date of birth, next of kin and NHS number.
We may also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.
Sensitive personal information, also called Special Category data, may include:
- notes and reports about your health, treatment and care, including:
- your medical conditions;
- results of investigations, such as x-rays and laboratory tests;
- future care you may need;
- personal information from people who care for and know you, such as relatives and health or social care professionals;
- other personal information such as smoking status and any learning disabilities;
- your religion and ethnic origin;
- sexual orientation;
- safeguarding status, for example, if you are subject to any protection orders regarding your health, wellbeing and human rights.
Where do we collect your information from?
The information we hold about you is collected through a variety of sources, including, but not limited to:
- when you register as a patient with the Practice;
- directly through communications with you - for example, during a consultation with one of our health professionals, when receiving treatment or when making an appointment to see them;
- when registering for online services such as My Health OnLine and My Health Texts;
- telephone recordings;
- from other health care professionals who provide care or treatment to you - for example, when you attend A&E or another secondary care service, Out of Hours GP services and other primary care service providers;
- Social Care;
- Voluntary Sector services - for example, who form part of a multi-disciplinary team;
- through automated technologies such as when you visit our website, see our Privacy Policy for further information.
How will we process your information?
To ensure you receive the best possible care, your records are used to facilitate the care you receive. For example, the Practice may need to share your information with other health and care services who will provide you with direct care and treatment, such as when referring you to a Consultant in hospital for specialist treatment.
Information held about you may be used to help protect the health of the public and to help manage the NHS. It may also be used in National Screening Programmes, medical research and clinical audits, and to meet National Data Collection, safeguarding and legal requirements. Where necessary it may be used for the security and safety of our staff and our premises.
In some cases, you can object to your personal information being shared with other healthcare providers but you should be aware that this may, in some instances, affect your care as important information about your health might not be available to healthcare staff in other organisations. If this limits the treatment that you can receive then the Practice staff will explain this to you at the time you object.
We will not share your information with any third parties for the purpose of direct marketing.
What legal basis do we use to process your personal information?
When we process your personal information, we will only do so where there is a legal basis. Much of our processing relates to your direct care and treatment:
- Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis will be:
- Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special category data, for example data about your health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR.
Where we are processing special category personal data for purposes related to the Commissioning and provision of health services the condition will be:
- Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
- Article 9(2)(i) - processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Where we process your personal data for the purposes of research, the legal basis for doing so will be:
- Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we are processing special category personal data for purposes related to research, the legal basis will be:
- Article 9(2)(a) - you have provided your explicit consent; or
- Article 9(2)(j) - processing is necessary for scientific or historical research purposes or statistical purposes.
The Practice may also process personal data for the purpose of, or in connection with, legal proceedings, including prospective legal proceedings, for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights.
Where we process personal data for these purposes, the legal basis for doing so will be:
- Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Article 6(1)(f) - processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special category personal data for these purposes, the legal basis for doing so will be:
- Article 9(2)(f) - processing is necessary for the establishment, exercise or defence of legal claims; or
- Article 9(2)(g) - processing is necessary for reasons of substantial public interest.
On occasions, we may need to share your information with law enforcement agencies or to protect the wellbeing of others. For example, to safeguard children or vulnerable adults.
Where we process personal data for these purposes, the legal basis for doing so will be:
- Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Article 6(1)(f) - processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we share special category personal data for safeguarding purposes, the legal basis for doing so is:
- Article 9(2)(g) - processing is necessary for reasons of substantial public interest.
Who are the partner organisations we may share your information with?
In order to deliver the best possible service, the Practice may share your information, where required, with other NHS bodies such as other GP Practices and hospitals. The information that makes up your record is also essential to help these organisations provide you with the best possible care.
All organisations that we work with are subject to strict data sharing and/or processing agreements which set out how data will be used and form part of their contractual obligations.
The organisations we may share your information with are:
- Health Boards and Trusts in NHS Wales and where necessary NHS Trusts/Foundation Trusts in NHS England;
- Other GPs, for example, those which form part of the Cluster Network your Practice is a member of;
- Out of Hours GP Service Providers (for when your GP Practice is closed);
- Other Primary Care Service providers such as Pharmacists, Dentists and Optometrists;
- Health Board, private sector or voluntary sector providers who deliver services on behalf of the Practice. For example, Allied Health Professionals who work directly in the GP Practice to treat patients, such as physiotherapists who hold clinics for patients with musculoskeletal problems;
- Welsh Ambulance Service Trust (WAST);
- Health Care Research Wales (HCRW);
- Public Health Wales (PHW);
- Healthcare Quality Improvement Partnership (HQIP);
- Local Authorities and Social Care providers;
- Education Services;
- Fire and Rescue Services;
- Police and Judicial Services;
- Voluntary (Third) Sector Services.
We will never share your information without establishing the legal basis to do so, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
Our guiding principle is that we hold your records in the strictest confidence; however, we are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as Meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.
Third party processors
The Practice may use carefully selected third party service providers. When we use such a service provider to process data on our behalf we will always have an appropriate agreement in place to ensure that they keep your data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- companies that provide IT services and support, including our core clinical systems; systems which manage patient facing services (such as our website and the services accessible through it); data hosting service providers; systems which facilitate appointment bookings or document management services etc.
- delivery services, for example, if we were to arrange for delivery of any medicines to you;
- payment providers, if for example you were paying for a prescription or a service such as travel vaccinations.
Further details regarding specific third-party processors can be supplied on request by the Practice.
What rights do you have when we process your information?
The General Data Protection Regulation (GDPR) provides several rights to individuals. The Practice must generally respond to requests in relation to you exercising any of these rights within one month, although there are some exceptions to this. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.
Right to be informed
Your right to be informed is met by the provision of this privacy information, and by similar information provided when we communicate with you directly, at the point of contact.
Right of access
You have the right to obtain a copy of the personal information that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose. One situation in which we may not provide all the information you request is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your physical or mental health, or to that of somebody else. See the ‘How can you access your information?’ section for further details.
Right to rectification
You have the right to ask us to rectify any personal information that we hold about you that you consider is inaccurate.
Right to erasure (‘right to be forgotten’)
You have the right to request that we erase personal information about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the information.
Right to restriction of processing
You have the right to request that we restrict processing of personal information that we hold about you. You can ask us to do this, for example, where you contest the accuracy of the data.
Right to data portability
This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the information must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.
Right to object
You have the right to object to the processing of personal information about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
Rights in relation to automated individual decision-making including profiling
You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy information, and ensure that you have an opportunity to request human intervention in the decision.
Right to complain to the Information Commissioner
You have the right to complain to the Information Commissioner if you are not happy with any aspect of the Practice processing your personal information or you believe that we are not meeting our responsibilities as a data controller.
The contact details are:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF
Phone: 0303 123 1113
Website: ico.org.uk
How can you access your information?
If you wish to see or have a copy of the information we hold about you, you can make a Subject Access Request or SAR. These requests can be made in writing, by email or by speaking to us.
Note: Please be aware when emailing information to the Practice that we cannot guarantee the security of this information whilst in transit, and that by using this facility you are accepting the risk. If you choose to email us, we recommend that you do not include sensitive information in the body of the email.
Your request should specify you are making a request to access your own information, by clearly marking your request ‘subject access request’. Providing us with sufficient information will enable us to locate your required information in a timely manner. Please date your request and provide:
- Your full name, including any aliases, if relevant;
- Your up-to-date contact details, date of birth and NHS number if available;
- A comprehensive list of what personal information you want to access, based on what you need;
- Details, such as relevant dates/time periods, episodes of treatment, etc.
Where necessary, we may require acceptable proof of identification and address consisting of one item from List A and one from List B:
- A - Birth certificate, marriage certificate, passport or driving licence;
- B - Bank/Building Society statements, recent utility bill, tax certificate, letter from the Department for Work and Pensions.
All requests will be recorded and normally responded to within one month. If your request is complex or considered excessive, we may require extra time to consider your request which may take up to an additional two months. However, we will inform you if this is the case.
In most circumstances we will not charge to fulfil your request; however, a reasonable fee may be charged for the administration of the request in certain instances, for example, if we think your request is manifestly unfounded or excessive, or where further copies of information are requested.
The Practice is the data controller for the health records of Patients registered with us. Where an individual is not currently registered with a GP or is deceased, then these records are held by NHS Wales Shared Service Partnership (NWSSP). Please visit the NWSSP website for further information.
How do we maintain your information?
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the WHC(99)7 Preservation, retention and destruction of GP general medical services records relating to patients.
We hold and process your information in accordance with the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR). In addition, everybody working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- maintain full and accurate records of the care we provide to you;
- keep records about you confidential and secure;
- provide information in a format that is accessible to you.
The Practice will keep your information in-line with our Records Management Policy.
How can you help us to maintain your records?
Change of contact details
It is important that you tell the person treating you if any of your details such as your name, address and contact telephone number have changed or if any of your details are incorrect in order for this to be amended.
Please inform us of any changes so our records for you are accurate and up to date.
Mobile numbers and text messaging
If you provide us with your mobile phone number, we may use this to send you reminders about your appointments, responses to your online queries, health screening questions, test results and information about the services we provide.
You are responsible for ensuring the Practice has your most up to date mobile number.
Please let us know if you do not wish to receive reminders on your mobile.
Email address
Where you have provided us with your email address, we may use this to send you responses to your online queries and information about the services we provide. Please be aware when emailing information to the Practice that we cannot guarantee the security of this information whilst in transit, and that by using this facility you are accepting the risk. If you choose to email us, we recommend that you do not include sensitive information in the body of the email.
If you do not wish to receive communications by email, please let us know.
Notification and data protection certification
Data Protection legislation requires organisations to register a notification with the Information Commissioner’s Office to describe the purposes for which they process personal and sensitive information.
This Practice is registered as a data controller with the Information Commissioner’s Office (ICO). A ‘data controller’ determines the purposes and means of processing personal data.
Our registration can be viewed online in the public register at:
ico.org.uk/what_we_cover/register_of_data_controllers
Complaints
If you have concerns or queries about how we process your personal information, please contact the Practice direct or our Data Protection Officer in the first instance.
Practice Information Governance Lead
Dr Attaie
Data Protection Officer
Under UK Data Protection legislation, the Practice is required to appoint a Data Protection Officer (DPO). This role is essential in facilitating the Practice's accountability and compliance with data protection requirements.
The Practice DPO is: Dr Attaie