What are Cookies?

Cookies are text files that are placed on to your device when you visit a website. They are widely used to make websites work efficiently and to collect standard information and track how you use websites for examples the pages you visit.

How we use Cookies

We use cookies to make our website work and to measure how you use our website for instance, we use language cookies to know what language you would like the web site displayed to you in, we also use YouTube cookies to embed videos in pages and Google Analytics cookies to track users’ behaviour whilst on the site, such as which pages you have visited. By understanding how people use our site, we can improve the navigation and content to better meet people’s needs. The data will not be used to identify any user personally. The cookies we use on our site are:

How to manage cookies

You can set your browser not to accept cookies.  You can also remove cookies from your web browser. Both these actions are completed through browser settings. To find out more about cookies and how to manage them, visit www.allaboutcookies.org

To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

This Privacy Notice will explain how the Bradley’s Practice uses your personal data.

Bradley’s Practice is the controller for personal information we process.  The practice is committed to protection your personal information and respecting your privacy.  We have a legal duty to explain how we use personal information about you as a registered patient at the practice.

What Information do we collect about you?

We will collect information about you and in relation to your health and health care services you have received.  This will include personal information such as your NHS number, name, address, contact information, date of birth, and next of kin. 

We will also collect sensitive personal information about you (also known as special category data) which includes information relating to your health (appointment visits, treatments information, test results, X-rays or reports), as well as information relating to your sexual orientation, race or religion. 

All the above information we collect and hold about you forms part of your medical record and is primarily held to ensure you receive the best possible care and treatment. 

We may also collect your personal image on surgery CCTV when you attend the practice premises.

How is your personal data collected?

The information we hold is collected through various routes; these may include:

• Direct interactions with you as our patient, when you register with us for care and treatment, during consultations with practice staff and when you subscribe to services for example, newsletters, text messaging, telephone recordings, creating an account for online services.
• Indirectly from other health care providers.  When you attend other organisations providing health or social care services for example out of hours GP appointments or visits to A&E and some interactions with Social Care, they will let us know so that your GP record is kept up to date.
• Through wearable monitoring devices such as blood pressure monitors
• When your image is captured on practice CCTV Cameras
• Automated technologies such as when you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns.  This is collected using cookies, for further information about how we use cookies please see our cookie policy

How do we use your information?

The Information we collect about you is primarily used for your direct care and treatment but may also be used for:

• The management of healthcare services
• Participation in National Screening Programmes
• National Data Collection Requirements
• Medical research and clinical audit
• Legal requirements
• Security and Safety of our staff and premises

We will not share your information with any third parties for the purposes of direct marketing.

Partners we may share your information with

We may share your information, subject to agreement on how it will be used with the following organisations:

• NHS Trusts / Foundation Trusts/Health Boards
• Other GP’s such are those GP Practices as part of a cluster
• Out of hours providers
• Diagnostic or treatment centres
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Ambulance Trusts
• Social Care Services
• NHS Wales Informatics Services
• NHS Wales Shared Services
• Health and Care Research Wales
• Public Health Wales
• Healthcare Quality and Improvement Partnership
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police & Judicial Services
• Voluntary Sector Providers

We may also use external third-party companies (data processors) to process your personal information.  These companies will be bound by contractual agreements to ensure information is kept confidential and secure.  This means that they cannot do anything with your personal information unless we have instructed them to do it.  They will not share your personal information with any organisation apart from us.  They will hold it securely and retain it for the period we instruct. 

Our legal basis for processing your personal data

The Practice will only use and share your information where there is a legal basis to do so.

A full list of how your data may be used and shared can be obtained from the practice.

The legal basis for most of our processing relates to your direct care and treatment:

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special category data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR.  Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:

• Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service; or
• Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…..

The Practice may process your personal data for the purposes of research in such circumstances our legal basis for doing so will be:

• Article 6 (1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we process special category personal data for research purposes the legal basis for doing so is:

• Article 9 (2)(a) - you have provided your explicit consent
• Article 9(2)(j) – processing is necessary for…scientific or historical research purposes or statistical purposes.

The Practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights.  Where we process personal data for these purposes, the legal basis for doing so is:

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
• Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special category of personal data for these purposes, the legal basis for doing so is:

• Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
• Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

In rare circumstances we may need to share information with law enforcement agencies or to protect the wellbeing of others for example to safeguard children or vulnerable adults. In such circumstances are legal basis for sharing information is:

• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
• Article 6(1)(d) - processing is necessary to protect the vital interest of the data subject or another natural person; or
• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we share special categories of person data for the purposes of safeguarding, the legal basis for doing so is:

• Article 9(2)(g) - processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18  ‘Safeguarding of children and individuals at risk’

Retention of your Personal Information / Storing your Information

We are required by UK law to keep your information and data for a defined period, often referred to as a retention period.  The Practice will keep your information in line with the practice records management policy.

How to Contact us

Please contact the practice if you have any questions about our privacy notice or information, we hold about you

Mrs Clare Gill

Clinical Governance Officer

This email address is being protected from spambots. You need JavaScript enabled to view it.

Contact Details of our Data Protection Officer

The Practice is required to appoint a data protection officer (DPO).  This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.

Our Data Protection Officer is:

NHS Wales Informatics Service (NWIS)
Information Governance, Data Protection Officer Support Service
4th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD
Email : This email address is being protected from spambots. You need JavaScript enabled to view it.

Your Rights

The General Data Protection Regulation (GDPR) includes a number of rights.  We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right.  Your rights and how they apply are described below.

Right to be Informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.

A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health.

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to Erasure (‘right to be forgotten’)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to Restriction of Processing

You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to Data Portability

This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to Object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your object relates to marketing.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling.  Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of Practices processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Website: ico.org.uk

Tel: 0303 123 1113

For further information please go to:

https://dhcw.nhs.wales/ig/ig-documents/ypyr/yourprivacyyourrights-english-leaflet-forwebpdf/

https://dhcw.nhs.wales/ig/ig-documents/ypyr/yourprivacyyourrights-cym-leaflet-forwebpdf/