• Our Privacy Notice

    Because Your Data Deserves Care

We handle your information with the utmost respect, in full compliance with data protection laws. Your privacy isn’t just a policy; it’s a promise. From collection to storage, every step is designed to keep your data secure and your trust intact.

  • Privacy Policy

    The practice aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (UK GDPR), the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements.

    The data controllers are Audrey Costa and Jamie O’Donnell, who are also responsible for Information Governance. This Privacy Notice is available in print or can be sent by email if that is required.

    You will be asked to provide personal information when joining the practice. The purpose of us processing this data is to provide optimum health care to you.

    The categories of data we process are:

    • Personal data for the purposes of staff and self-employed team member management
    • Special category data including health records for the purposes of the delivery of health care
    • Special category data including health records and details of criminal record checks for managing employees and contracted team members

We never pass your personal details to a third party unless we have a contract for them to process data on our behalf; otherwise we keep them confidential, unless we are required to share the information lawfully (e.g. under a court order). If we intend to refer a patient to another practitioner or to secondary care such as a hospital, we will obtain the individual’s permission before the referral is made and the personal data is shared.

    • Personal data is stored in the UK or EU as a soft or hard copy
    • Personal data is obtained when a patient joins the practice and when a patient is referred to the practice

    The lawful basis for processing special category data such as patients’ and employees’ health data is:

    • Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of UK or EU law or a contract with a health professional

    The lawful basis of processing personal data such as name, address, email or phone number is:

    • Legal Obligation (specifically Patient personal details and health data)
    • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract (specifically for non-clinical interactions with contractors)
    • Consent (specifically for patient contact details such as their telephone number and email address, enabling us to contact them with important information; details pertaining to third parties who are not our patients or employees, who entrust their contact details to us in the course of making an enquiry about our services, or in order to act as a go-between with a patient’s consent; for the recording of IP address information to help highlight fraudulent website submissions; for marketing purposes with individuals’ explicit consent)
    • Legitimate interest (specifically for data recorded through our CCTV systems, for the detection and prevention of crime)

The retention period for special category data in patient records is a minimum of 10 years and may be longer for complex records in order to meet our legal requirements. For individuals known to be deceased, their records will be retained for 4 years after their death. For children, their records will be kept until they turn 25 or for 11 years after their last visit to us, whichever is longer. The retention period for staff records is 6 years. The retention period for other personal data is 2 years after it was last processed. Data collected on the basis of consent will be destroyed after the query for which consent was granted has been dealt with, or as soon as that consent is withdrawn, unless the nature of the query changes (e.g. an individual makes a formal complaint on behalf of a third party), in which case the data will thereafter be retained under our legal obligation. Details of other retention periods are available in the Record Retention Procedure available from the practice.

To manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and the related consents, we use the consent tool “Real Cookie Banner”. Details on how “Real Cookie Banner” works can be found at https://devowl.io/rcb/data-processing.

The legal bases for the processing of personal data in this context are Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. Our legitimate interest is the management of the cookies and similar technologies used and the related consents.

    The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide the personal data. If you do not provide the personal data, we will not be able to manage your consents.

    CCTV

Our organisation operates surveillance cameras on its premises for the purposes of prevention and detection of crime, in particular to keep our staff and property safe. The system does not process biometric data. No sound is recorded, and the cameras are set at a fixed angle. Third-party property is not recorded. The internal camera is not set to record and no images are stored. The CCTV images are transmitted via the internet over an encrypted connection and are available to view live by our reception staff. Our organisation will not share information gathered by use of the CCTV system with third parties, because it is not stored. The persons with access to the system, and who are responsible for the maintenance and upkeep of the system, are Audrey Costa and Jamie O’Donnell as the data controllers.

    You have the following personal data rights:

    • The right to be informed
    • The right of access
    • The right to rectification
    • The right to erasure (this is not absolute: clinical records must be retained for a certain time period)
    • The right to restrict processing (this is not absolute and might restrict our ability to provide a patient with care)
    • The right to data portability (would not apply to paper records)
    • The right to object

    Further details of these rights can be seen in our Information Governance Procedures or at the Information Commissioner’s website. Here are some practical examples of your rights:

    • If you are a patient of the practice you have the right to withdraw consent for important notifications, newsletters, surveys or marketing. You can ask us to correct errors in your personal details, or withdraw consent for communication methods such as telephone, email or text and for the recording of your IP address when interacting with us electronically. You have the right to obtain a free copy of your patient records within one month.
    • If you are not a patient of the practice you have the right to withdraw consent for the processing of your personal data, to have a free copy of it within one month, to correct errors in it or to ask us to delete it. You can also withdraw consent for communication methods such as telephone, email or text.

We have carried out a Privacy Impact Assessment and you can request a copy using the details below. The details of how we ensure the security of personal data are set out in our Security Risk Assessment and Information Governance Procedures.

    Comments, suggestions and complaints

Please contact Audrey Costa or Jamie O’Donnell at the practice with a comment, suggestion or complaint about your data processing, at 10-12 Cathedral Street, Norwich, NR1 1LX, on 01603 628 963 or by email.

If you are unhappy with our response or if you need any advice, you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, and you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who has misused personal data. You can also visit their website for information on how to make a data protection complaint.

    Related practice procedures

    You can also use these contact details to request copies of the following practice policies or procedures:

    • Data Protection and Information Security Policy
    • Subject Access Request Policy
    • Record Retention Policy
    • Privacy Impact Assessment, Information Governance Procedures
  • Subject Access Request Policy

    You have a right, under the General Data Protection Regulation, to access the personal data we hold on you. To do so, you should make a subject access request, and this policy sets out how you should make a request, and our actions upon receiving the request.

DEFINITIONS

    “Personal data” is any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier, including your name. “Special categories of personal data” include information relating to:

    • race
    • ethnic origin
    • politics
    • religion
    • trade union membership
    • genetics
    • biometrics (where used for ID purposes)
    • health
    • sex life or
    • sexual orientation

MAKING A REQUEST

    Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.

If you are requesting information about a third party for whom you have responsibility (e.g. a child, or a person who lacks capacity for whom you hold a Lasting Power of Attorney), we will need to see official proof of your authority (e.g. identification documents alongside a birth certificate showing parental responsibility, or a court-stamped document).

    If this is not provided, we may contact the data subject to ask that such evidence be forwarded before we comply with the request.

TIMESCALES

    Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.

FEE

    We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.

    In addition, we may also charge a reasonable fee if you request further copies of the same information.

INFORMATION YOU WILL RECEIVE

    When you make a subject access request, you will be informed of:

    • whether or not your data is processed and the reasons for the processing of your data;
    • the categories of personal data concerning you;
    • where your data has been collected from if it was not collected from you;
    • anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
    • how long your data is kept for (or how that period is decided);
    • your rights in relation to data rectification, erasure, restriction of and objection to processing;
    • your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
    • the reasoning behind any automated decisions taken about you.

CIRCUMSTANCES IN WHICH YOUR REQUEST MAY BE REFUSED

    We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or which relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with, and an explanation of the reason will be provided.
