General Data Protection (GDPR)

The General Data Protection Regulation (GDPR) is a new EU regulation that comes into force on 25 May 2018. The GDPR will, along with a new Data Protection Act (currently in draft), replace existing data protection legislation including the UK Data Protection Act 1998.

The GDPR applies to all individuals and organisations with day-to-day responsibilities for data protection. It therefore applies to GP practices, as ‘data controllers’, and their clinicians and administrative staff.

Please click on the links below to access more information about what information we hold on you, how we manage it, who we share it with and how we protect it.

This page will be updated once the Data Protection Act 2018 comes into effect.

• General Data Protection regulations
• How your information is shared
• Privacy Notice Care Quality Commission
• Privacy Notice Emergencies
• Privacy Notice for Direct Care
• Privacy Notice for National screening programs
• Privacy Notice for Payments
• Privacy Notice NHS Digital
• Privacy Notice Public Health
• Privacy Notice Risk Stratification
• Privacy Notice Safeguarding

C The Signs

Direct Care

Under the National Health Service Act 2006 and the Health and Social Care Act 2012, Gateacre Brow Practice is required by law to process your personal data to provide you with direct care. Therefore, under current Data Protection legislation (the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) the processing of your personal data is necessary under:

•  UK GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we process special categories of sensitive information relating to your physical and/or mental health, racial or ethnic origin, etc, we do so under:

• UK GDPR Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services….”

Use of Third-Party Companies

When we use a third-party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. An example of functions that may be carried out by third parties include:

• Companies that provide IT services & support, including our core clinical systems; systems which manage patient-facing services (such as our website and service accessible through the same); systems which facilitate appointment bookings or electronic prescription services; document management services etc.

Automated Decision making

Gateacre Brow Practice does not carry out any automated decision making where AI solely decides on what care or treatment a person should receive. A health and care professional will always make the final decision. Gateacre Brow may also use instances of AI that use automated decision making to improve efficiency, which does not use personal data.