Privacy Notice
Bury GP Federation is required to comply with the Data Protection Act 2018 (“DPA”) and the UK GDPR (the DPA and UK GDPR are together referred to as the “Data Protection Legislation”) when processing your personal data.
Your personal data includes all the information that identifies you or is about you – for example, your name, email address, postal address and date of birth. Everything we do with your personal data counts as processing it – collecting, storing, amending, transferring and deleting it. We are required to comply with the Data Protection Legislation to make sure your information is properly protected and used appropriately.
Our responsibilities
Bury GP Federation is the data controller of the personal data you provide. We have appointed Peter Case-Upton as Data Protection Officer. He is responsible for ensuring that we comply with the Data Protection Legislation and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.
What personal data do we process?
The healthcare professionals who provide you with services maintain records about your health and any treatment or care you have previously received. These records help to provide you with the best possible healthcare.
Your records may exist in several formats including electronic, paper or a mixture of both, and we deploy organisations and approaches to ensure that information is maintained within a confidential and secure environment.
The records which we could hold about you may include the following information:
- Personal details relating to you, including your address and contact details, carer, legal representative, and parents’ emergency contact details
- Any contact we have had, or intend to have, with you such as appointments, clinic or surgery visits, home visits, etc.
- Notes and reports about your health which is deemed to be of a sensitive nature
- Details about your referral, diagnostics procedures, treatment, and care
- Results of any additional relevant investigations
- Relevant information from other health professionals, relatives or those who care for you
- Special Categories of data including information about your medical background and health and diversity/equality information such as your race and ethnicity.
Anonymised information may be used to help protect the health and wellbeing of the general public and to manage our contracts with commissioners. Information could also be used to monitor the quality of the services we provide. Some of this information will be used for statistical purposes and we will ensure that individuals cannot be identified. For situations where we may contribute to research projects, we will always gain your explicit consent before releasing any relevant information.
We process most of your information on the grounds of consent from you, legitimate interests, such as performance of a contract we have entered into with you, protection of the vital interests of a Data Subject or, in the case of special categories of data, processing for the provision of health or social care or treatment or the management of health or social care systems or services.
Who will receive your personal data?
Please note – although the UK is no longer part of the EU, we still comply with the following:
We only transfer your personal data to the extent we need to. Recipients of your personal data include:
- NHS Trusts / Specialist Trusts
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Integrated Care Systems
- NHS England
- GP Federations and Alliances
- Primary Care Networks
- NHS Digital
- National Institute for Health and Care Excellence
- Care Quality Commission
- NHS Improvement
- NHS Shared Business Services
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police
- Other ‘Data Processors’
We do not transfer your personal data outside of the EEA.
How long will we keep your personal data?
Your data will be retained for no longer than is necessary and in accordance with our Documentation Management Lifecycle Policy and the associated Schedule of Retention. Your information will be always kept securely. Following the end of the relevant retention period, your files and the personal data covered by the retention period will be permanently deleted or destroyed.
What are your rights?
We have summarised the rights which may be available to you below, depending on the grounds on which we process your data. More information is available from https://ico.org.uk/
1. Access to your data
You have the right to ask us to confirm that we process your personal data, as well as the right to request access to/copies of your personal data.
We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request as soon as possible and within one month of receiving your request. If we need more information to comply with your request, we will let you know.
2. Rectification of your data
If you believe the personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we do not feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your request.
3. Right to be forgotten
In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:
- Where we no longer need your personal data for the purpose for which we collected it
- Where we have collected your personal data on the grounds of consent and you withdraw that consent
- Where you object to the processing and we do not have any overriding legitimate interests to continue processing the data
- Where we have unlawfully processed your personal data (i.e. we have failed to comply with UK GDPR); and
- Where the personal data must be deleted to comply with a legal obligation
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.
4. Withdrawal of consent
If you have provided us with consent to process your data for the purpose of providing our services (other than direct care), you have the right to withdraw this at any time. In order to do this should contact us in writing
5. Right to restrict processing
In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we do not have to delete it. This right is available to you:
- If you believe the personal data we hold is not accurate – we will cease processing it until we can verify its accuracy
- If you have objected to us processing the data – we will cease processing it until we have determined whether our legitimate interests override your objection
- If the processing is unlawful; or
- If we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim
- Data portability
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:
- Where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and
- Where we carry out the processing by automated means
We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.
7. Right to object
You are entitled to object to us processing your personal data:
- If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority
- For direct marketing purposes (including profiling); and/or
- For the purposes of scientific or historical research and statistics
In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling, legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
8. Automated decision making
Automated decision-making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late a certain number of times (without any input from HR, for example).
We do not carry out any automated decision making using your personal data.
9. Your right to complain about our processing
If you think we have processed your personal data unlawfully or that we have not complied with UK GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website: https://ico.org.uk/make-a-complaint/
10. Legal basis for processing
Our ability to process your personal and healthcare data is covered by UK GDPR article 6 and for the processing of personal sensitive data by Article 9(2)h which indicates that processing of data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
11. Maintaining the confidentiality of your records
We will take all possible care to protect your privacy and will only use information collected with the law including:
- Data Protection Act 2018 including UK GDPR
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012 (if appropriate)
- Codes of Confidentiality, Information Security and Records Management
Our staff are all trained and briefed in data protection principles and understand they have a legal obligation to keep information about you confidential. They also understand that information about you will only be shared with other parties if there is an agreed need to do so or a legal reason. We will only share your data without your permission if there are very exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on and / or in accordance with the Caldicot Principle 7 e.g., to share or not to share. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles. Whilst the Caldicott Principles were originally developed for NHS purposes, we have adopted the underlying principles in order to align with best practice.
All personal information that we manage is stored within the UK within a secure environment and we always use suitably protected methods and systems to transfer your personal information.
Complaints
Should you have any concerns about how your information is managed by the Organisation please contact us at:
Bury GP Federation, Barcroft House, Barcroft Street, Bury BL9 5BT
If you are still unhappy following a review by the Organisation you can then complain to the Information Commissioners Office (ICO) via their website www.ico.org.uk
or in writing to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact us.
Any questions?
If you have any questions or would like more information about the ways in which we process your data, please contact Data Protection Officer, Peter Case-Upton via email: peter@pcu.co.uk