Braidcraft Medical Centre
General Data Protection Regulation – Privacy Notice
In compliance with the new GDPR we have created a privacy notice. The privacy notice explains to patients the types of information we hold about them and how we collect and process it.
We have introduced a texting service for our patients. This will include:
- appointment reminders,
- health campaigns such as flu or other clinics,
- texts regarding closures due to public holidays etc.
Under the terms of the GDPR we require to have explicit consent from patients that they wish to receive these texts. As such we have sent out a text to the mobile numbers we hold asking for consent to receive these texts. These texts have been sent before GDPR came into force.
You can opt in to receiving texts at any time. Similarly you can opt out of receiving texts at any time.
Further information on the changes under the new act can be found at https://ico.org.uk .
The General Data Protection Regulation (GDPR) comes in to force on May 2018, superseding the current Data Protection Act (1998).
Under the terms of the new GDPR Braidcraft Medical Centre has a legal duty to explain to patients by means of a privacy notice what personal data is held about them and how it is collected.
Information obtained from you
When you register with the practice you provide us with personal data on your registration form, via online registration for prescription services and over the telephone phone. This data includes name, address, date of birth, landline number, mobile number, email address, next of kin and ethnicity.
We may also keep information contained in any correspondence or conversations. In addition to the above the practice records calls from and to patients for reflective training and audit purposes.
Information collected from other sources
When you register with the practice your medical history from your previous practice(s) is sent to us. The provision of such information enables us to deliver effective patient centred medical care.
We also collect records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How we will use your information
The admin team use your information to make appointments for you, to generate prescriptions, to electronically file hospital and clinic records, and to provide test results as requested by you. The admin team only access your medical informationon a “need to know” basis in order to perform their duties.
Your mobile phone number will be used to send you text reminders of your appointments, to send texts regarding flu clinics and other clinics you may attend, and to send texts regarding administrative matters, eg surgery closures. We may share your mobile phone number with other healthcare professionals involved in your care.
If you have provided your email address, we may communicate with you in this way or send referrals by email to other services involved in your medical treatment who may then communicate with you by email.
The clinical team use your information to provide you with care and medical treatment.
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases when the law allows.
Sometimes the NHS also uses relevant information about your health to help improve NHS services and public health in Scotland – for example, to find out how many people have a particular illness or disease. If so, information that identifies you is removed if possible. If the NHS uses information that does identify you (for example, to include it in a disease register), they must explain how and why your information will be used.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Processing of Report and Subject Access Requests
We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for.
iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws.
The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Scotland Code of Practice, as well as guidance issued by the InformationCommissioner’s Office (ICO).
In accordance with the Records Management NHS Codes of Practice (Scotland), your healthcare records will be retained for the duration of your life and for 3 years after your death.
Patient Rights (as the Data Subject)The right to erasure
The right to erasure is also known as “the right to be forgotten” and in general refers to an individual’s right to request the deletion or removal of personal information where there is no compelling reason for the Braidcraft Medical Centre to continue using it.
As with other rights, there are particular conditions around this right and it does not provide individuals with an absolute right to be forgotten.
Individuals have the right to have their personal information deleted or removed in the following circumstances:
- When it is no longer necessary for the purpose for which it was collected.
- When Braidcraft Medical Centre no longer have a legal basis for using you your personal information, for example if you gave us consent to use your personal information in a specific way, and you withdraw your consent, we would need to stop using your information and erase it unless we had an overriding reason to continue to use it.
- When you object to the Braidcraft Medical Centre using your personal information and there is no overriding legitimate interest for us to continue using it.
- If we have used your personal information unlawfully.
- If there is a legal obligation to erase your personal information for example by court order.
Braidcraft Medical Centre can refuse to deal with your request for erasure when we use your personal information for the following reasons:
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority
- for public health purposes in the public interest
- archiving purposes in the public interest, scientific research historical researchor statistical purpose
- the exercise or defence of legal claims
When using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us under the NHS Scotland Act as noted previously. This means that in most circumstances we can refuse requests for erasure. However we will advise you of this as soon as possible following receipt of your request.
The right to restrict processing
You have the right to control how we use your personal information in some circumstances. This is known as the right to restriction. When processing is restricted, Braidcraft Medical Centre is permitted to store your personal information, but not further use it until an agreement is reached with you about further processing. We can retain enough information about you to ensure that your request for restriction is respected in the future.
Examples of ways you can restrict our processing would be:
- If you challenge the accuracy of your personal information, stop using it until we check its accuracy
- If you object to processing which is necessary for the performance of our tasks in the public interest or for the purpose of legitimate interests, we will restrict our processing while we consider whether our legitimate grounds override your individual interests, rights and freedoms
- If our use of your personal information is found to be unlawful and you ask for restriction instead of full erasure we will restrict our processing
- If we no longer need your personal information but you need it to establish, exercise or defend a legal claim, we will restrict our processing.
If we have shared your personal information with any individuals or organisations, if we restrict our processing, we will tell those individuals or organisations about our restriction if it is possible and not an unreasonable amount of effort.
Whenever we decide to lift a restriction on processing we will tell you.
The right to data portability
The right to data portability allows individuals to obtain and re-use their personal information for their own purposes across different services. It allows them to move, copy or transfer personal information easily from one IT environment to another in a safe and secure way. For example: it enables consumers to take advantage or applications and services which can use their information to find them a better deal.The right to data portability only applies when the individual has submitted their personal information directly, through electronic means to Braidcraft Medical Centre.This means that in most circumstances the right to data portability does not apply within Braidcraft Medical Centre.
Rights related to automated decision making and profiling
You have the right to object to any instances where a decision is made about you solely by automated means without any human involvement, including profiling.Braidcraft Medical Centre does not undertake any decision-making about you using wholly automated means.
Invoking your rights
If you wish to invoke any of the data subject rights then please write to The Practice Manager, Braidcraft Medical Centre, 200 Braidcraft Road, Glasgow G53 5QD.
PHS Primary Care Intelligence Service (PCIS)
Patient Privacy Notice Data extracts previously captured via SPIRE are now scheduled to be undertaken by the new PHS Primary Care Intelligence Service (PCIS). The permissions associated with the new service are the same as those previously agreed for SPIRE.
Our Practice records calls for quality and training purposes. Calls are recorded to protect the interests of one or more participants, and for safety. We comply with GDPR requirements, for further information on our polices regarding call recording please write to the Practice.
What to do if you have any questions
- Contact the practice’s data controller via email at [email protected] . GP practices are data controllers for the data they hold about their patients *
- Write to the data controller at Braidcraft Medical Centre, 200 Braidcraft Road, Glasgow G53 5QD
- Ask to speak to the practice manager, Grant Anthony.
The Data Protection Officer (DPO) for Braidcraft Medical Practice is Grant Anthony and he is based at Braidcraft Medical Centre.
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details,visit ico.org.uk and select ‘Raising a concern’.