Data Protection & Information Security Policy
This practice is committed to complying with the General Data Protection Regulation (GDPR), GDC, and other data protection requirements relating to our work. We only keep relevant information about employees for the purposes of employment and about patients to provide them with safe and appropriate health care. This policy should be read in conjunction with Data Protection Overview and Information Governance Procedures. This policy and all related policies, procedures and risk assessments are reviewed annually.
The person responsible for Data Protection is Radhika Mistry
Our lawful basis for processing personal data is:
Our lawful basis for processing special category data is:
Consent
The practice offers individuals real choice and control. Our consent procedures put individuals in charge, which builds customer trust and engagement. Consent for marketing requires a positive opt-in; we do not use pre-ticked boxes or any other method of default consent. We make it easy for people to withdraw consent, tell them how to do so and keep contemporaneous evidence of consent. Consent to marketing is never a precondition of a service.
Data protection officer (DPO)
Our DPO is Radhika Mistry
Pseudonymisation
Pseudonymisation means transforming personal data so that it cannot be attributed to an individual unless there is additional information.
Examples of pseudonymisation we use are:
Data breaches
We report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach results in a high risk of adversely affecting individuals’ rights and freedoms, we also inform those individuals without undue delay. We keep contemporaneous records of all personal data breaches, whether or not we need to notify.
Right to be informed
We provide ‘fair processing information’, through our Privacy Notice, which provides transparency about how we use personal data.
Right of Access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. If an individual contacts the practice to access their data, they will be provided with, as requested:
We never identify patients in research, patient feedback reports or other publicly available information
When we store and transmit electronic data it is encrypted, and the encryption key is kept separate from the data
Right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The practice will delete personal data on request of an individual where there is no compelling reason for its continued processing. The right to erasure applies to individuals who are not patients at the practice. If the individual is or has been a patient, the clinical records will be retained according to the retention periods in Record Retention.
Right of rectification
Individuals have the right to have personal data rectified if it is inaccurate or incomplete.
Right to restriction
Individuals have a right to ‘block’ or suppress the processing of their personal data. If requested, we will store their personal data but stop processing it. We will retain just enough information about the individual to ensure that the restriction is respected in the future.
Right to object
Individuals have the right to object to direct marketing and processing for purposes of scientific research and statistics.
Data portability
An individual can request the practice to transfer their data in electronic or another format.
Privacy by design
We implement technical and organisational measures to integrate data protection into our processing activities. Our data protection and information governance management systems and procedures take Privacy by design as their core attribute to promote privacy and data compliance.
Records
We keep records of processing activities for future reference.
Privacy impact assessment
To identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy, we review our Privacy Impact Assessment annually using the Sensitive Information Map, PIA and Risk Assessment.
Information security
Information Governance Procedures includes the following information security procedures:
The requirements and responsibilities that apply if team members use personal equipment such as a computer, laptop, tablet or mobile phone for practice business
Review
This policy and the data protection and information governance procedures it relates to are reviewed annually.
Further information
Information Commissioner www.ico.org.uk
EU – US Privacy Shield www.privacyshield.gov
GDPR Regulation
Approved By: Radhika Mistry, Amit Mistry
Date Published: 14/07/2021