What is GDPR?
The EU General Data Protection Regulation (GDPR) applies to all EU member states and will come into force on 25th May 2018. The GDPR is to be read in conjunction with the Data Protection Bill published in September 2017. The overall aim of the GDPR is to protect individuals from data and privacy breaches in an environment that is driven by technological advances.
The GDPR is based on the 1980 ‘Protection of Privacy and Transborder Flows or Personal Data Guidelines’ which outlined the following eight principles:
- Collection limitation
- Security safeguards
- Data quality
- Purpose specification
- Individual Participation
- Use limitation
The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of ‘Practice Privacy Notices PPN)’.
YGMC - Practice Privacy Notice
There are four key themes that the PPN discusses. Please see below links for further detail:
- Provision of direct care;
- Medical research and clinical audit;
- Legal requirements to share;
- National screening programmes.
How we handle your information
We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.
Data Controller contact details
PCIG Consulting Limited,
Primary Care Development Centre Ltd, Office 25, NBV Enterprise Centre, 6 David Lane, Nottingham, NG8 6BA.
Data Protection Officer contact details
Dr Monisha Kurian based at Yardley Green Medical Centre
Purpose of the processing
Compliance with legal obligations or court order.
Lawful basis for processing
The following sections of the GDPR mean that we can share information when the law tells us to.
Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’
Recipient or categories of recipients of the processed data
The data will be shared with NHS Digital.The data will be shared with the Care Quality Commission. The data will be shared with our local health protection team or Public Health England.The data will be shared with the court if ordered.
Rights to object and the national data opt-out
There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.
You have the right to object to information being shared with NHS Digital for reasons other than your own direct care.
This is called a ‘Type 1’ objection – you can ask your practice to apply this code to your record (Please note: The ‘Type 1’ objection, however, will no longer be available after 2020).
This means you will not be able to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012.
NHS Digital sharing with the Home Office
Care Quality Commission (CQC)
Your information must be shared if it ordered by a court. This means that you are unable to object.
Right to access and correct
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website Share link
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
Right to complain
You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline on
0303 123 1113
Privacy Information Leaflet - Adults
Privacy Information Leaflet - Children
GDPR childrens poster
GDPR Adults poster