Protecting your information
Privacy Notice
Welshpool Medical Practice is the controller for personal information we process. The practice is committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you as a registered patient at the practice.
What Information do we collect about you?
We will collect information about you and in relation to your health and health care services you have received. This will include personal information such as your NHS number, name, address, contact information, date of birth, and next of kin.
We will also collect sensitive personal information about you (also known as special category data) which includes information relating to your health (appointment visits, treatments information, test results, X-rays, or reports), as well as information relating to your sexual orientation, race or religion.
All the above information we collect and hold about you forms part of your medical record and is primarily held to ensure you receive the best possible care and treatment.
We may also collect your personal image on surgery CCTV when you attend the practice premises.
How is your personal data collected?
The information we hold is collected through various routes; these may include:
- Direct interactions with you as our patient, when you register with us for care and treatment, during consultations with practice staff and when you subscribe to services, for example newsletters, text messaging, telephone recordings, or creating an account for online services.
- Indirectly from other health care providers. When you attend other organisations providing health or social care services for example out of hours GP appointments or visits to A&E and some interactions with Social Care, they will let us know so that your GP record is kept up to date.
- Through wearable monitoring devices such as blood pressure monitors
- When your image is captured on practice CCTV Cameras
- Automated technologies: when you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. This is collected using cookies; for further information about how we use cookies, please see our cookie policy.
How do we use your information?
The information we collect about you is primarily used for your direct care and treatment but may also be used for:
- The management of healthcare services
- Participation in National Screening Programmes
- National Data Collection Requirements
- Medical research and clinical audit
- Legal requirements
- Security and Safety of our staff and premises
We will not share your information with any third parties for the purposes of direct marketing.
Partners we may share your information with
We may share your information, subject to agreement on how it will be used with the following organisations:
- NHS Trusts / Foundation Trusts/Health Boards
- Other GPs, such as those GP practices that are part of a cluster
- Out of hours providers
- Diagnostic or treatment centres
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Ambulance Trusts
- Social Care Services
- Digital Health and Care Wales
- NHS Wales Shared Services
- Legal and Risk Services
- Health and Care Research Wales
- Public Health Wales
- Healthcare Quality and Improvement Partnership
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Voluntary Sector Providers
We may also use external third-party companies (data processors) to process your personal information. These companies will be bound by contractual agreements to ensure information is kept confidential and secure. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Our legal basis for processing your personal data
The legal basis for most of our processing relates to your direct care and treatment:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special category data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:
- Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
- Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…
The Practice may process your personal data for the purposes of research. In such circumstances, our legal basis for doing so will be:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we process special category personal data for research purposes the legal basis for doing so is:
- Article 9(2)(a) – you have provided your explicit consent
- Article 9(2)(j) – processing is necessary for…scientific or historical research purposes or statistical purposes.
The Practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special category personal data for these purposes, the legal basis for doing so is:
- Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
In rare circumstances we may need to share information with law enforcement agencies or to protect the wellbeing of others, for example to safeguard children or vulnerable adults. In such circumstances our legal basis for sharing information is:
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(d) - processing is necessary to protect the vital interest of the data subject or another natural person; or
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we share special categories of personal data for the purposes of safeguarding, the legal basis for doing so is:
- Article 9(2)(g) - processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18 ‘Safeguarding of children and individuals at risk’
Please contact the practice if you have any questions about our privacy notice or the information we hold about you:
Practice Manager
Welshpool Medical Practice
Salop Road
Welshpool
SY21 7ER
Contact Details of our Data Protection Officer
The Practice is required to appoint a data protection officer (DPO). This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.
Our Data Protection Officer is:
Digital Health and Care Wales,
Information Governance, Data Protection Officer Support Service
4th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD
Email: DHCWGMPDPO@wales.nhs.uk
Patient (Data Subject) Rights
Right to be informed
This privacy notice informs you of your rights.
Right of access
The General Data Protection Regulation (GDPR) grants you the right to access particular personal data which we hold about you. This is referred to as a subject access request. We will respond promptly, and at the latest within one calendar month from the date of receiving the request and all necessary information in writing from you.
Right to rectification
If considered appropriate, a retrospective entry can be made by a clinician if you have concerns regarding the accuracy of your clinical record. You will also have the right to have incomplete personal data completed, if necessary by providing a signed and dated supplementary statement. We will respond to the request for rectification at the latest within one calendar month.
Right to erasure
You have the right to request erasure of personal information concerning you if this is no longer relevant.
Right to restrict processing
Subject to exemptions, you will have the right to obtain from us restriction of processing if:
- The accuracy of the personal information is contested by you.
- We no longer need the personal information for the purpose of delivering personal care and medical treatment.
Right to object
You have the right to object to processing of your data for direct marketing or for the purposes of scientific/historical research and statistics.
Right of data portability
We can respond to a request from you for the supply of your personal information in an electronic format, which you then have the right to transmit elsewhere.
Rights in relation to automated decision-making
Patients have the right not to be subject to a decision based on automated processing. Patients have the right to (a) obtain human intervention, (b) express their point of view, and (c) obtain an explanation of the decision and challenge it.
For more information regarding your individual rights, please visit the ICO website.
Invoking your rights
If you would like to invoke any of the above data subject rights with the practice, please write to the Practice Manager, Welshpool Medical Centre, Salop Road, Welshpool, SY21 7ER or Dr Russell, Senior Partner, Welshpool Medical Centre, Salop Road, Welshpool, Powys SY21 7ER.
Important Information
Questions and queries
If you have any questions or queries which this privacy policy has not addressed, or if you have any concerns about how we use the personal information we hold, please write to the Practice Manager, Welshpool Medical Centre, Salop Road, Welshpool, SY21 7ER.
Complaints
If you have a complaint regarding the use of your personal information, please write to the Practice Manager, Welshpool Medical Centre, Salop Road, Welshpool, SY21 7ER.
On behalf of Drs Russell, Aslam, Vibhishanan, Kelly, Kingham & Hirons