Your personal data may be required in order to:
- provide healthcare
- arrange appointments
- manage fees and payments
- what data we collect and store
- who we obtain this data from
- why and how we use this data
- what we do to keep your data safe
- how you can find out more, or raise a concern about data protection with us.
We are committed to keeping your data safe and secure, and meeting the requirements of the General Data Protection Regulation (GDPR), namely that personal data be:
- obtained fairly and lawfully
- obtained for a specific and lawful purpose
- adequate and relevant, but not excessive
- accurate and kept up to date
- held for no longer than necessary
- processed in accordance with the rights of those to whom the data pertains
- kept subject to appropriate security measures
The Data Controller, Yan-Chee Yu, is responsible for determining the purposes and means of processing personal data. He may be contacted by post at 11 Silverwood Way, Up Hatherley, Cheltenham, Glos, GL51 3TW, or by email at firstname.lastname@example.org.
Summary of Data Use
Table 1 shows:
- what data is collected
- who it is obtained from
- why this data is collected and processed
- the legal basis for processing this data
- who processes this data
- how long this data is kept, and what happens to it once it is no longer needed
- how this data is kept safe
Your data is kept secure at all times against unauthorised or unlawful access or loss using:
- locked filing cabinets,
- password-protected device access,
- GDPR-compliant email storage,
- written confidentiality and data protection agreements for data processors.
Data Transfer Outside of the EU
The Data Controller uses an email service which is GDPR compliant, which means that any data stored in this email inbox is appropriately protected even if it is stored on a server outside of the EU. Data transfer outside of the EU can also occur if we communicate via email and your email inbox is hosted on a server outside of the EU, or if we communicate by phone and one of us is located outside the EU. In such cases this will be because:
- it relates to the provision or administration of your healthcare
- it is for reasons of public interest
- it is necessary for legal reasons
What Happens if There is a Data Breach?
In the event of a data breach that is likely to result in a risk to people’s rights and freedoms, the data breach will be reported to the Information Commissioner’s Office (ICO), not later than 72 hours after it has come to light. People whose data is affected will be notified in line with current legislation.
- Access – you have a right to confirmation that we are processing your data, and a copy of any of your personal data which we hold.
- Rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Erasure – in certain circumstances, you have a right to ask for the data we hold about you to be erased from our records (see also Table 1).
- Restriction of processing – in certain circumstances, you have a right to restrict the processing of your personal data which we hold.
- Portability – where data is processed on the basis of consent or performance of a contract, and in addition by automated means, you have the right to have your data transferred to another Data Controller.
- Objection – under certain circumstances, you have the right to ask us to stop processing your personal data.
- Automated decision-making including profiling – you have the right not to be subject to legal or similarly significant effects which are based solely on automated processing.
If you wish to exercise any of these rights, please contact the Data Controller. In the event that the Data Controller refuses your request, you will be given a reason as to why, which you may challenge legally and/or with the Information Commissioner’s Office (ICO).
Raising a Concern
In the event that you have a concern about how your personal data has been handled, you have a right to complain to the Data Controller. If the situation cannot be resolved to your satisfaction, then you may contact the Information Commissioner’s Office (ICO). Details of how to do so can be found at ico.org.uk/concerns/.