This privacy notice explains why the GP Practice collects information about you, how that information may be used and which organisations the information will be shared with to ensure you receive the best possible care.
Who we are
Drs Murphy, Anderson, MacMillan and Marshallsay of the Braehead Medical Practice, Renfrew Health and Social Work Centre, 10 Ferry Road, Renfrew, PA4 8RU
Our responsibility to you
We take your trust and right to privacy seriously and are committed to ensuring that whenever we process personal information we do this fairly, lawfully and in a transparent manner. We comply fully with all of our obligations under the data protection laws. These laws include the Data Protection Act 1998 (DPA), and any statutory modification or re-enactment thereof, and the EU General Data Protection Regulation (GDPR).
Data Protection Act
The Data Protection Act 1998 (DPA) was enacted to ensure the fair and lawful processing of personal data. The DPA governs how organisations can collect and process information about individuals. It explains the rights of individuals (data subjects) and the responsibilities of the organisations (data controllers) which collect and process personal data. It also details the requirements of any third party organisations (data processors) which process personal data on behalf of data controllers. The DPA is regulated and enforced by the UK Information Commissioner's Office (ICO).
General Data Protection Regulation
A new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which strengthens and unifies data protection for individuals within the European Union, will come into force on 25 May 2018. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens' data privacy and to reshape the way organisations across the EU approach data privacy. NRS is working in collaboration with our partners in government and other sectors to implement the Regulation and to ensure that all of our policies and operations are compliant with it.
Data Protection in the Braehead Medical Practice
We regard the fair, lawful, and transparent treatment of personal information as integral to the success of our business operations and to maintaining the confidence of our patients. Our commitment to effective data protection is set out in the Braehead Medical Practice Data Protection Policy.
The data controllers in the Braehead Medical Practice are the Partners and the Practice Manager who are responsible for ensuring that all collection and processing of personal data within the Braehead Medical Practice complies with the data protection laws. The Braehead Medical Practice Data Protection Officer is the Practice Manager. She is responsible for monitoring and auditing compliance with the data protection laws, ensuring that our doctors, nurses and all staff understand and comply with their obligations, and assessing the risks associated with the processing of personal data.
The registration number of our entry in the ICO Register of data controllers is Z6232339.
Subject Access Requests
The DPA and the GDPR give data subjects a legal right to access the personal information the Braehead Medical Practice holds about them. These requests are known as subject access requests and we will process them within one month. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.
Subject access requests must be submitted in writing and anyone making an oral request will be invited to complete our Subject Access Request Form. More information about making a subject access request is available in the form.
We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.
Privacy Notices
The Braehead Medical Practice uses privacy notices to tell you what to expect whenever we collect and process personal information. More information can be found in the Privacy section of this website. If at any time you feel that we are not being transparent enough about how we process your personal data or you would like more information then please let us know using the contact information below.
Data Protection Impact Assessments
The Braehead Medical Practice uses data protection impact assessments (DPIAs), also known as privacy impact assessments (PIAs), to help us identify the most effective way of complying with our data protection obligations and meeting individuals' expectations of privacy.
DPIAs are a tool organisations can use to identify and reduce risks to privacy. They help minimise the risks of harm to individuals through the misuse of their personal information.
It is our policy to carry out DPIAs for all projects which involve the handling of personal data and which may have an impact on privacy.
CCTV
CCTV is in use within the Renfrew Health and Social Work Centre, provided by NHS Greater Glasgow and Clyde. The operation of CCTV within the Health Centre complies with the Information Commissioner’s Office CCTV Code of Practice.
Right to complain
Should you feel that the Braehead Medical Practice is handling your data unfairly or unlawfully, you can report your concern to the Information Commissioner’s Office (ICO). For more information visit the ICO website:
Practice Contact Information:
Braehead Medical Practice
Data Protection Officer
Renfrew Health and Social Work Centre
10 Ferry Road
Renfrew
PA4 8RU
Tel: 0141 207 7480
What Information Do We Collect?
Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. NHS Health Board, GP Surgery, NHS24, etc.). NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your healthcare record may include the following information:
- Details about you, such as address and next of kin
- Any contact the surgery has had with you, such as appointments, clinic visits, and emergency appointments, etc.
- Notes and reports about your health
- Your CHI Number
- Your NHS Number
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
Why Do We Collect This Information?
To ensure you receive the best possible healthcare, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided.
Who Will We Share Your Information With?
For the purposes of providing the best possible healthcare and to fulfil our statutory obligations, we may need to share your information with the following organisations:
- Secondary Care (Hospitals)
- Community Pharmacy
- Primary Care Pharmacy
- Community-based Nurses
- Other Primary Care Health Organisations
- Other NHS Greater Glasgow and Clyde Employed Staff
- Common Services Agency (NHS National Services Scotland)
- Home Office
- UK Regulatory Bodies such as the General Medical Council
- NHS Blood and Transplant
- NHSCR/General Registers Office
What are the Statutory Obligations regarding your healthcare information?
| What is shared | Who is it shared by | Who is it shared with | Why | When |
| --- | --- | --- | --- | --- |
| All data on GP practice registration form (electronic) | General Medical Practices | Common Services Agency (NHS National Services Scotland) | Community Health Index and Accurate payment | All GPR forms from all General Medical Practices in Scotland |
| All data on prescription (electronic) | General Medical Practices | Common Services Agency (NHS National Services Scotland) | To support accurate dispensing of the prescription | All prescriptions |
| All data on GP practice registration form (electronic) | Common Services Agency (NHS National Services Scotland) | Common Services Agency (NHS National Services Scotland) | Prevention, Detection and investigation of Crime. NSS host NHS Scotland Counter Fraud Services | Only when a patient, GP or other worker in the GP practice has been identified as potentially committing fraud |
| Patient demographic data from the GP Practice registration form | Common Services Agency (NHS National Services Scotland) | Home Office | Prevention, Detection and investigation of Crime | Only data for specific patients who are subject to enquiries by NHS Scotland healthcare providers or by the Home Office for proscribed offences, in respect of receipt of NHS Scotland treatment and services as an overseas visitor (non-EEA foreign national) |
| All data on GP practice registration form (electronic) as held on CHI | Common Services Agency (NHS National Services Scotland) | NHS Boards | Accurate payment, Clinical Governance, Public Health, Screening Services | All data relating to all patients registered with General Medical Practices in that NHS Board area |
| All data on GP practice registration form (electronic) as held on CHI | Common Services Agency (NHS National Services Scotland) | UK Regulatory Bodies such as the General Medical Council | Professional Regulation | Only data relating to specific patients registered by someone under investigation by a Regulatory Body |
| GP medical records (paper and electronic) for patients who are moving to another practice or have left the UK or have died. | General Medical Practices | Common Services Agency (NHS National Services Scotland) | To transfer to the next registered GP practice or to retain in secure storage | Whenever a patient leaves a GP practice or dies |
| GP temporary medical records (paper and electronic) for patients who have been seen by someone other than their registered GP practice | General Medical Practices | Common Services Agency (NHS National Services Scotland) | To transfer to the registered GP practice or to retain in secure storage | Whenever a patient is seen by a GP practice other than the one they are registered with |
| Patient demographic data and choice of organ donation | Common Services Agency (NHS National Services Scotland) | NHS Blood and Transplant | Maintenance of the UK organ donor register | Whenever a patient decides to provide organ donation information via the GP registration form |
| Patient demographic data from the GP Practice registration form | Common Services Agency (NHS National Services Scotland) | NHSCR/General Registers Office | Maintenance of NHSCR dataset | Demographic data for all patients is shared in order to keep the NHSCR dataset in line with CHI. The NHSCR dataset is used to identify which patients are in which NHS Boards, and which have left Scotland to other parts of the UK |
How Do We Maintain the Confidentiality of Your Records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential. We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on. Anyone who receives information from us is also under a legal duty to keep this information confidential.
How your records are used to help the NHS
Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development, monitor NHS performance, to help the NHS plan for the future and to investigate complaints in respect of the services we commission.
We will not publish any information that identifies you or routinely disclose any information about you without your express permission. At any time you have the right to refuse/withdraw consent to information sharing. The possible consequences will be fully explained to you, such as potential delays in receiving care.
There may be circumstances where we are bound to share information about you owing to a legal obligation, such as for the benefit of public health in the event of a pandemic.
Access to Your Information
You have a right under the Data Protection Act 1998 to access/view what information the surgery holds about you, and to have it corrected should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
If you would like to make a Subject Access Request please contact the Practice Manager in writing.