Privacy Notice

Project Privacy Notices

Practice Privacy Notice

This Privacy Notice explains how Four Elms Medical Centres uses your personal data. Four Elms Medical Centres is the controller for the personal information we process. The practice is committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you as a registered patient at the practice.

What Information do we collect about you?

We will collect information about you and in relation to your health and the health care services you have received. This will include personal information such as your NHS number, name, address, contact information, date of birth, and next of kin. We will also collect sensitive personal information about you (also known as special category data), which includes information relating to your health (appointment visits, treatment information, test results, X-rays, or reports), as well as information relating to your sexual orientation, race or religion. All the above information we collect and hold about you forms part of your medical record and is primarily held to ensure you receive the best possible care and treatment.

How is your personal data collected?

The information we hold is collected through various routes; these may include:
  • Direct interactions with you as our patient: when you register with us for care and treatment, during consultations with practice staff, and when you subscribe to services, for example newsletters, text messaging, telephone recordings, or creating an account for online services.
  • Indirectly from other health care providers. When you attend other organisations providing health or social care services for example out of hours GP appointments or visits to A&E and some interactions with Social Care, they will let us know so that your GP record is kept up to date.
  • Through wearable monitoring devices such as blood pressure monitors
  • When your image is captured on practice CCTV Cameras
  • Automated technologies: when you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. This is collected using cookies; for further information about how we use cookies, please see our cookie policy: www.fourelmsmedicalcentres.co.uk/cookie-policy

How do we use your information?

The Information we collect about you is primarily used for your direct care and treatment but may also be used for:
  • The management of healthcare services
  • Participation in National Screening Programmes
  • National Data Collection Requirements
  • Medical research and clinical audit
  • Legal requirements
  • Security and Safety of our staff and premises
We will not share your information with any third parties for the purposes of direct marketing.

Partners we may share your information with

We may share your information, subject to agreement on how it will be used, with the following organisations:
  • NHS Trusts / Foundation Trusts/Health Boards
  • Other GPs, such as those GP Practices that are part of a cluster
  • Out of hours providers
  • Diagnostic or treatment centres
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Ambulance Trusts
  • Social Care Services
  • Digital Health and Care Wales
  • NHS Wales Shared Services
  • Legal and Risk Services
  • Health and Care Research Wales
  • Public Health Wales
  • Healthcare Quality and Improvement Partnership
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
We may also use external third-party companies (data processors) to process your personal information. These companies will be bound by contractual agreements to ensure information is kept confidential and secure. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Our legal basis for processing your personal data

The Practice will only use and share your information where there is a legal basis to do so. A full list of how your data may be used and shared can be found here: How we use your information. The legal bases for most of our processing relate to your direct care and treatment:
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special category data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service; or
  • Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…..
The Practice may process your personal data for the purposes of research. In such circumstances, our legal basis for doing so will be:
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we process special category personal data for research purposes, the legal basis for doing so is:
  • Article 9(2)(a) – you have provided your explicit consent
  • Article 9(2)(j) – processing is necessary for…scientific or historical research purposes or statistical purposes.
The Practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special category personal data for these purposes, the legal basis for doing so is:
  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
In rare circumstances we may need to share information with law enforcement agencies or to protect the wellbeing of others, for example to safeguard children or vulnerable adults. In such circumstances, our legal basis for sharing information is:
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(d) – processing is necessary to protect the vital interest of the data subject or another natural person; or
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where we share special categories of personal data for the purposes of safeguarding, the legal basis for doing so is:
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18 ‘Safeguarding of children and individuals at risk’

Retention of your Personal Information / Storing your Information

We are required by UK law to keep your information and data for a defined period, often referred to as a retention period. The Practice will keep your information in line with the practice records management policy which can be found here: Record Retention Periods

How to Contact us

Please contact the practice if you have any questions about our privacy notice or the information we hold about you: Pengam Green Surgery, Sterling Close, Ffordd Pengam, Pengam Green, Cardiff CF24 2HB

Contact Details of our Data Protection Officer

The Practice is required to appoint a data protection officer (DPO). This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.

Our Data Protection Officer is:

Digital Health and Care Wales, Information Governance, Data Protection Officer Support Service, 4th Floor, Tŷ Glan-yr-Afon, 21 Cowbridge Road East, Cardiff CF11 9AD. Email: DHCWGMPDPO@wales.nhs.uk

Your Rights

The General Data Protection Regulation (GDPR) includes a number of rights. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.

Right to be Informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose. A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to your, or somebody else’s, physical or mental health.

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to Erasure (‘right to be forgotten’)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to Restriction of Processing

You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to Data Portability

This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to Object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your objection relates to marketing.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of the Practice’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF. Website: www.ico.org.uk Tel: 0303 123 1113

Addendum to GP Practice Privacy Notices (11 August 2022):

Third sector organisations we work with

In order to provide you with the right level of care, from the right professional, and at the right time, the Practice works with third sector organisations to deliver the following projects:

Tier Zero Mental Health Referral Project – CARDIFF MIND

This is a Psychological Interventions Service to support patients with low level mental health conditions (i.e., conditions that do not require intervention by a GP). GP practices make referrals to the following organisation in the City and South Cardiff Cluster. This organisation is the specialist provider for mental health support. Where appropriate, your information will be shared with Cardiff Mind via your GP. This will be done with your consent to share your confidential information. The information shared is your:
  • Name
  • Date of Birth
  • Address
  • Telephone contact number
  • Gender
  • Sexual orientation
  • Ethnicity
  • Reason for referral
  • Safeguarding and risk information
  • Referral consent and contact permissions

Community Connectors Service – MIND Cardiff

This project operates across South and East Cardiff. The Service offers our patients support to help them gain access to local community-based services that may help them manage issues (not health related) that are affecting their wellbeing. Your GP can make a referral to this Service, or you can self-refer. Only limited information is required for patients to access this service, such as:
  • Name
  • Address
  • Contact details
  • Brief summary as to the support required

Asylum Seeker Support Worker Project – Red Cross

This project offers support to those seeking asylum who have arrived and are living within the local cluster area. The main aim of the service is to support individuals in registering with GP Practices and advising them on how to access other health and wellbeing. Patients are referred with their consent, and only the following information is shared:
  • Name
  • Address
  • Contact details
  • Brief summary as to the support required

The legal bases for sharing your information under these projects

  • Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service.
  • Article 9(2)(g) – Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Access and security of your personal information

  • To further support patients, and to ensure that these organisations can help you, the Practice needs to share your personal information with them. This information will be kept to a minimum (as described above) and may include a brief summary of the support that your GP feels will be helpful.
  • The sharing of these details will be managed in such a way as to ensure that it remains confidential, and any organisation that either shares or receives your information has a duty of confidentiality and a duty to ensure that the personal data of patients is shared and stored securely.
  • If any of your information needs to be communicated by email, this is done using secure NHS Wales email addresses where all information is protected via secure web communication channels.
  • These organisations will not share patient information further unless they have received your explicit consent in writing. These organisations may share information that they have collected during patient assessments with your GP.
*If you do not want your information to be shared with the third sector organisations listed above, please contact the Practice reception, or you can advise your GP at your consultation.

Addendum to GP Practice Privacy Notices:

South East Cardiff Cluster GP Practices (September 2022)

Partner Organisations that we work with

In order to provide you with the right level of care, from the right professional, and at the right time, the Practice works with a number of Health Service Teams, Council Departments and Third Sector Organisations within the Area. This can take the form of referrals by telephone/confidential and secure email or through meetings as a team of professionals, who come together to consider how they can best support your needs. Our Partners include:
  • Cardiff Council Independent Living Service: This service provides a range of information and access to community-based services aimed at helping you to remain independent and well at home
  • UHB District Nurse Teams: This service provides nursing care to people who are housebound and cannot attend for GP Practice nursing care
  • UHB Mental Health Services: This service aims to provide people with access to specialist mental health support in support of/as an alternative to GP care
  • UHB Community Resource Team: This service aims to help people regain and maintain their independence in the community
  • Age Connects, Care and Repair, MIND, Red Cross: These are third sector organisations who can provide a range of wellbeing support to individuals in the community, ranging from providing adaptations to providing information on local support/interest groups which may help with isolation, advocacy and financial concerns

The Information that may be shared with Partner Organisations

Where appropriate, your information will be shared with Partner Organisations via your GP. This will be done with your consent to share your confidential information. Only relevant confidential information will be shared, which may include your:
  • Name
  • Date of Birth
  • Address
  • Telephone contact number
  • Gender
  • Ethnicity
  • Reason for referral
  • Safeguarding and risk information
  • Referral consent and contact permissions

The legal bases for sharing your information under these projects

  • Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service.
  • Article 9(2)(g) – Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Access and security of your personal information

  • To further support patients, and to ensure that these organisations can help you, the Practice needs to share your personal information with them. This information will be kept to a minimum (as described above) and may include a brief summary of the support that your GP feels will be helpful.
  • The sharing of these details will be managed in such a way as to ensure that it remains confidential, and any organisation that either shares or receives your information has a duty of confidentiality and a duty to ensure that the personal data of patients is shared and stored securely.
  • If any of your information needs to be communicated by email, this is done using secure NHS Wales email addresses where all information is protected via secure web communication channels.
  • These organisations will not share patient information further unless they have received your explicit consent in writing. These organisations may share information that they have collected during patient assessments with your GP.
*If you do not want your information to be shared with the third sector organisations listed above, please contact the Practice reception, or you can advise your GP at your consultation.

PRIVACY NOTICE – COVID 19 BOOSTER VACCINATION PROGRAMME

With the ongoing risks posed by COVID-19 and the availability of a vaccine to protect Wales’s most vulnerable citizens (as identified by the Joint Committee on Vaccination and Immunisation) there is a need to co-ordinate and identify eligible individuals in order to offer them the opportunity to be vaccinated.

In order to enable this process Welsh ministers have directed Local Health Boards to request GP surgeries to make the following information available to Digital Health and Care Wales (DHCW) for the purpose of identifying priority groups, to send invitations and to book appointments for vaccination, and to manage and monitor immunisations via the Welsh Immunisation System for the Covid vaccination programme.

Data being collected

Information will be obtained from GP systems, including NHS number and those relevant health conditions (for example those patients who are currently immunosuppressed) that make people vulnerable to covid-19.

This information is used to identify relevant eligibility for vaccination and allow patients to be appropriately offered a covid-19 vaccination.

How data is used and disclosed

As directed by the Health Board, Digital Health and Care Wales will extract relevant information from GP systems and use this to identify relevant eligibility for vaccination and allow patients to be appropriately offered a covid-19 vaccination.

Data concerning eligible patients will be added to the Welsh Immunisation System to allow invitations to be sent, appointments to be booked, and immunisations to be managed and monitored for the vaccination programme.

Legal basis for processing

Welsh ministers have directed Local Health Boards to request GPs disclose information that is relevant for the delivery of the COVID-19 vaccination programme in accordance with the eligibility criteria set out in the minister’s written statement (“the relevant information”), in relation to which GPs are required to comply in accordance with paragraph 85 of Schedule 3 to the National Health Service (General Medical Services Contracts) (Wales) Regulations 2004 2023 (“GMS Contract Regulations”).

The Local Health Board will authorise DHCW in writing to collect and process this information as reasonably required in connection with the LHB’s functions in respect of the COVID-19 vaccination programme.

DHCW is directed to collect and process the relevant information from GPs for the purposes of delivering the COVID-19 vaccination programme.

For GDPR purposes, the Practice’s lawful basis for processing this information is Article 6(1)(e) (exercise of official authority), and for the processing of special categories (health) data the conditions are 9(2)(h) (health and social care) and 9(2)(i) (public health purposes).

Directions have been issued as follows that enable this processing to take place:

a) Local Health Boards (“LHBs”) in exercise of the power conferred by section 12(3) of the National Health Service (Wales) Act 2006 (“NHS (Wales) Act 2006”) for the purposes of the provision of information under paragraph 85 of Schedule 3 to the GMS Contract Regulations, and

b) Digital Health and Care Wales (“DHCW”) in exercise of the power conferred by section 23(1) of the NHS (Wales) Act 2006, for the purposes of article 3(a) and (b) of the Digital Health and Care Wales (Establishment and Membership) Order 2020 and paragraph 3(1)(a) of the Digital Health and Care Wales (No.2) Directions 2021.

How your information is stored and protected

Your personal information is protected in a number of ways. The information required will be securely extracted from the practice system and stored by Digital Health and Care Wales on computer systems that have been tested to make sure they are secure, and which are kept up-to-date to protect them from viruses and hacking.

Your personal information is only stored within the UK and can only be seen by staff who have been specifically trained to protect your privacy.

Strong controls are in place to make sure all these staff can only see the minimum amount of personal information they need to do their job.

Your Rights over your information

Under data protection law, you have a number of rights over your personal information. You have the right to:

  • ask for a copy of any information we hold about you
  • ask for any information we hold about you that you think is inaccurate to be changed
  • ask us to restrict our use of your information, for example, where you think the information we are using is inaccurate
  • object to us using any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • delete any information we hold about you, although this is not an absolute right and we may need to continue to use your information – we will tell you why if this is the case
  • ask us not to use your information to make automated decisions about you without the involvement of one of our staff

You can access any of your rights by contacting the practice.