Patient privacy notice

Introduction
Cotswold Surgical Partners LLP (“CSP”, “we”, “our”) is committed to protecting the privacy and security of the personal data we collect about users of our services (“you/your”). Any personal data that we hold about you will be stored and held securely by us.
The purpose of this privacy notice is to explain what personal data we collect when you use our services or when you voluntarily disclose personal information to make an enquiry. When we do this, we are the data controller.
Please read this privacy notice carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below or by emailing us at csp.data@nhs.net.
It is important that you revisit this privacy notice regularly, as we may change the content to reflect how we deliver our services. A full copy of our privacy notice is set out below, which provides more information about how we collect and process your personal data.
Personal data we collect
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK GDPR. We are also subject to the EU GDPR in relation to services we offer to individuals in the EU. When you provide information to us as part of an online form or enquiry, when you visit our practice or when we receive information about you as part of our services, we may collect, for example, your:
- Name
- Registered address
- Email address
- Phone number
- Date of birth
- Medical history
- Sex
- Image and audio recorded via our CCTV
- Any other information provided by yourself or your GP/hospital or other referral source in the course of a referral
How your personal data is collected
We often collect your personal data directly from you—in person, by telephone, text, via our website or email. However, we may also collect information from third parties, such as GPs or hospital referral management teams who pass your information to us, which enables us to provide our services, for example, in the course of an NHS-funded referral.
Where you have given your consent to another medical organisation to share your personal data on the SystmOne platform, we may collect your personal data from the SystmOne platform when you become our patient.
Purposes for which we use personal data and the legal basis
When providing services to you, we may use your personal data for the following purposes and on the following lawful bases:
| Purpose | Lawful Basis for Processing |
|---|---|
| To carry out our obligations and enforce our rights arising from any contracts entered into between you and us. | Performance of contract between you and CSP. |
| Processing your patient records which enables us to provide our healthcare services to you. | We have a legitimate interest, and we have balanced this against your rights as an individual. We may also ask for your consent to receive and share some of your personal data, with other GP surgeries and NHS trusts via SystmOne. In cases of emergency, we may process your personal data in your vital interests. Where in the provision of our services we process special category data, we do so on the basis of it being necessary for the provision of health or social care or treatment. |
| To comply with any legal obligations we may have. | CSP is required to process your personal data for various legal and regulatory purposes. For example: • to retain information for a specified amount of time; and • to disclose and exchange certain information with law enforcement agencies and regulatory bodies to comply with our legal obligations. |
| To monitor the usage of our services. | We have a legitimate interest, and we have balanced this against your rights as an individual. |
| To protect the wellbeing of our staff and patients. | We have a legitimate interest in protecting the wellbeing of our staff and patients and preventing and detecting crime. |
| Dealing with your enquiries and requests. | We have a legitimate interest, and we have balanced this against your rights as an individual. Where in the provision of dealing with a request or enquiry we process special category data, we do so on the basis of it being necessary for the provision of health or social care or treatment. |
| To send post-operative letters, histology reports, multidisciplinary team reports, and appointment reminders. | We have a legitimate interest, and we have balanced this against your rights as an individual. |
Where personal data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
Sharing your data
For some business activities we share your personal data with our vendors and third-party service providers, for instance, to provide our data storage services. We may also share your data with other GPs, hospitals and Clinical Commissioning Groups (CCGs) so that we can provide the best possible service to you. An example of this is where you have consented to the sharing of your personal data on SystmOne.
We do not normally share your personal data outside of the UK; however, if it becomes necessary to do so for the purposes of providing our services to you, we will only share it with organisations in countries benefiting from an adequacy decision or on the basis of an International Data Transfer Agreement (or latest equivalent safeguard) as approved by the UK ICO, which contractually obliges the recipient to process and protect your personal data to the standard expected within the UK.
Personal data may also be shared with government authorities and/or law enforcement officials for the prevention or detection of crime, if required by law or if required for a legal or contractual claim.
How long we keep your data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims. In relation to data we hold about you in the capacity of a patient, this is usually eight years after the last appointment/treatment.
At the end of the retention period, your personal data will be reviewed and securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.
How we protect your data
We implement appropriate technical and organisational measures to protect data that we process from unauthorised disclosure, use, alteration or destruction.
Your rights and options
You have the following rights in respect of your personal data:
- You have the right of access to your personal data and can request copies of it and information about our processing of it.
- If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
- Where we are using your personal data with your consent, you can withdraw your consent at any time.
- Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way.
- Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
- You can ask us to restrict the use of your personal data if:
  - It is not accurate.
  - It has been used unlawfully but you do not want us to delete it.
  - We do not need it any more, but you want us to keep it for use in legal claims; or
  - You have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
- In some circumstances you can compel us to erase your personal data.
- You can request a machine-readable copy of your personal data to transfer to another service provider.
- You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, please contact us at csp.data@nhs.net.
You can also lodge a complaint with the Information Commissioner’s Office. They can be contacted using the information provided at: https://ico.org.uk/concerns/.
Contact us
If you have any questions, or wish to exercise any of your rights, then please address your correspondence to:
General Manager
Cotswold Surgical Partners LLP
Unit 13 Interface Business Park
Royal Wootton Bassett
Wiltshire
SN4 8SY
Alternatively, you can email us at csp.data@nhs.net.
Version number 5. Last updated 18.06.2024.
