Privacy Notice

Privacy Policy v2.0

The practice aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements.

The data controller is Conrad Costa, who is also the information Governance Lead. This Privacy Notice is available in print or can be sent by email if that is required.

You will be asked to provide personal information when joining the practice. The purpose of us processing this data is to provide optimum health care to you.
The categories of data we process are:

  • Personal data for the purposes of staff and self-employed team member management
  • Special category data including health records for the purposes of the delivery of health care
  • Special category data including health records and details of criminal record checks for managing employees and contracted team members

We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain the individual’s permission before the referral is made and the personal data is shared.

  • Personal data is stored in the EU as a soft or hard copy
  • Personal data is obtained when a patient joins the practice and when a patient is referred to the practice

The lawful basis for processing special category data such as patients’ and employees’ health data is:

Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

The lawful basis of processing personal data such as name, address, email or phone number is:

  • Legal Obligation
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Consent (specifically for details pertaining to third parties who are not our patients or employees, who entrust their contact details to us in the course of making an enquiry about our services
  • Legitimate interest (specifically for data recorded through our CCTV systems, for the detection and prevention of crime)

The retention period for special data in patient records is a minimum of 10 years and may be longer for complex records in order to meet our legal requirements. The retention period for staff records is 6 years. The retention periods for other personal data is 2 years after it was last processed. Data collected on basis of consent will be destroyed after the query for which consent was granted is dealt with.  This is unless data collected on basis of consent changes due to the nature of the query (e.g. a third party makes a formal complaint on behalf of a third party.  The data will thereafter be retained as per legal obligation).  Details of other retention periods are available in the Record Retention (M 215) procedure available from the practice.

CCTV

Our organisation operates surveillance cameras on its premises, for the purposes of prevention and detection of crime; in particular to keep our staff and property safe.  The system does not process biometric data.  No sound is recorded, and the cameras are at set a fixed angle.  Third-party property is not recorded.  The internal camera is not set to record within office hours, when staff are likely to be on the premises.  All images are stored encrypted on a local server, and are deleted after 28 days.  Our organisation will not share information gathered by use of the CCTV system with third parties, unless a legitimate request is made by law enforcement agencies (e.g. a court order).  The person with access to the system and who is responsible for the maintenance and upkeep of the system is Conrad Costa. 

You have the following personal data rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure (clinical records must be retained for a certain time period)
  • The right to restrict processing
  • The right to data portability
  • The right to object

Further details of these rights can be seen in our Information Governance Procedures or at the Information Commissioner’s website. Here are some practical examples of your rights:

  • If you are a patient of the practice you have the right to withdraw consent for important notifications, newsletters, surveys or marketing. You can inform us to correct errors in your personal details or withdraw consent from communication methods such as telephone, email or text. You have the right to obtain a free copy of your patient records within one month.
  • If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.

We have carried out a Privacy Impact Assessment and you can request a copy from the details below. The details of how we ensure security of personal data is in our Security Risk Assessment and Information Governance Procedures.

Comments, suggestions and complaints

Please contact Conrad Costa at the practice for a comment, suggestion or a complaint about your data processing at 3 Hercules Road, Norwich NR6 5HQ, or 01603 869 600 or by email at info@castleandcosta.co.uk. We take complaints very seriously.

If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.

Related practice procedures

You can also use these contact details to request copies of the following practice policies or procedures:

  • Data Protection and Information Security Policy
  • Privacy Impact Assessment, Information Governance Procedures

Subject Access Request Policy v1.0

You have a right, under the General Data Protection Regulation, to access the personal data we hold on you. To do so, you should make a subject access request, and this policy sets out how you should make a request, and our actions upon receiving the request.

DEFINITIONS “Personal data” is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including your name. “Special categories of personal data” includes information relating to:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life or
  • sexual orientation

MAKING A REQUEST Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.

Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.

Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.

TIMESCALES Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.

FEE We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.

In addition, we may also charge a reasonable fee if you request further copies of the same information.

INFORMATION YOU WILL RECEIVE When you make a subject access request, you will be informed of:

whether or not your data is processed and the reasons for the processing of your data; the categories of personal data concerning you;

  • where your data has been collected from if it was not collected from you;
  • anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
  • how long your data is kept for (or how that period is decided);
  • your rights in relation to data rectification, erasure, restriction of and objection to processing;
  • your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
  • the reasoning behind any automated decisions taken about you.

CIRCUMSTANCES IN WHICH YOUR REQUEST MAY BE REFUSED We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.