This is the privacy notice of Grove Surgery. In this document, “we”, “our”, or “us” refers to Grove Surgery, 200-202 Chadwell Heath Lane, Romford, RM6 4YU.
Telephone number: 0208 548 7520
Our Practice aims to ensure the highest standard of medical care for our patients and we are committed to protecting and respecting your privacy. To do this we keep records about you, your health and the care we have provided, or plan to provide, to you. If you have any questions regarding this Privacy Policy please contact us at the address shown above.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
Introduction
- This is a notice to inform you of our Policy about all information that we record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (personal information) and information that could not. In the context of the law and this notice, ‘process’ means collect, store, transfer, use or otherwise act on information.
- We regret that if there are one or more points below with which you are not happy, your only recourse is to leave our website immediately.
- We take seriously the protection of your privacy and confidentiality. We understand that all visitors to our website are entitled to know that their personal data will not be used for any purpose unintended by them, and will not accidentally fall into the hands of a third party.
- We undertake to preserve the confidentiality of all information you provide to us, and hope that you reciprocate.
- Our Policy complies with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
- The Law requires us to tell you about your rights and our obligations to you with regards to the processing and control of your personal data. We do this now, by requesting that you read the information provided at Know Your Privacy Rights
- Except as set out below, we do not share, sell or disclose to a third party, any information collected through our website.
Registering for NHS care
NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
Data Protection Policy
This Data Protection Policy is applicable to all stakeholders of the organisation and is updated in line with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. This policy sets out the general arrangements by which we will be compliant under the various Articles of UK GDPR and UK Data Protection Act 2018 along with other relevant regulations. The Data Controller details are below, and these can be found on the Information Commissioner’s Office Data Protection register.
As a general practice providing services under an NHS contract, we process personal and special category data relating to our staff, registered patients and others, internally and with other organisations external to the Grove Surgery. We also hold data on other types of customers, suppliers, business contacts and stakeholders.
We are required, by certain laws, to disclose certain types of data to some organisations on a regular basis such as NHS Digital, Public Health England, NHS England, the Local Authority, and the Clinical Commissioning Group. We are also required by certain laws to disclose specific types of data to different organisations on an event by event basis, such as CQC or the General Medical Council.
These processing activities as well as others, are described in detail in our Grove Surgery Privacy Notice and North East London Health & Care Partnership privacy policy uploaded at: www.eastlondonhcp.nhs.uk/aboutus/fair-processing-and-gdpr.htm.
Data Protection at the Grove Surgery
The Grove Surgery recognises that technological advances give rise to more complex ways to share and communicate digitally. Data processing therefore needs to be refocused on ‘data protection by default’, ensuring that any disclosure is lawful, informed, controlled, and of benefit to the individual. The UK GDPR enables the Grove Surgery to build patient trust in how we collect and use personal data, and to improve the way in which we provide services.
We are open about how we store and process personal data, and protect ourselves from the risks of a data breach.
This policy applies for both paper and electronic media.
To comply with the law, personal data must only be collected and used fairly, stored safely and not disclosed unlawfully.
Personal data must:
- Be processed fairly, lawfully, and transparently, in line with UK Data Protection law and the Common Law Duty of Confidentiality
- Be obtained only for specific, lawful purposes and not further processed in a manner that is incompatible with those purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
The data controller is responsible for, and shall be able to demonstrate, compliance with these principles, as required by the accountability principle of the UK GDPR.
Policy scope
This policy applies to our whole Grove Surgery team, clinical and non-clinical, and to everyone who works within, or on behalf of the Grove Surgery. This includes anyone who has agreed that they have a duty of confidence and has access to the Grove Surgery systems, and patient, staff and/or organisation confidential or business sensitive information. This will include but not be limited to all employees of the Grove Surgery, partner organisations who access record systems, locums, students, volunteers and contractors.
It applies to all the personal data that we process as a Grove Surgery and as part of a primary care network.
Responsibilities
Everyone who works for or with us has shared responsibility for ensuring data is collected, stored and handled appropriately. Each person that handles personal data in this organisation must ensure that it is handled and processed in line with this policy and data protection principles.
The Grove Surgery, which holds the NHS GP contract, is the data controller, and is therefore responsible for ensuring that we meet all our legal obligations.
The following specific duties and responsibilities apply within the Grove Surgery:
- The Data Protection Officer has overall responsibility for overseeing the Data Protection of the Grove Surgery and the Grove Surgery Manager has overall responsibility for its implementation.
- The Caldicott Guardian has responsibility for placing appropriate controls and procedures for monitoring access to any personal data held by the Grove Surgery.
- The Information Governance (IG) Lead will be responsible for providing advice, liaising with other organisations to process subject access requests, co-ordinating the release of the data and investigating complaints.
- The Grove Surgery Manager is responsible for ensuring all staff are aware and comply with this policy.
- The Senior Information Risk Owner (SIRO) is required to strengthen the handling of data and minimise risk.
- All of the Grove Surgery team, including contractors, volunteers, and agency staff are responsible for maintaining the privacy and security of personal data that they record or process and are obliged to adhere to this policy.
The Data Protection Officer
The Grove Surgery is a Public Authority, as the services we provide are under an NHS Contract. Therefore, the Grove Surgery has a named Data Protection Officer (DPO), Radha Muthuswamy, who:
- Keeps Grove Surgery informed about current data protection responsibilities, risks and issues
- Provides advice to the data controller
- Assists the data controller to monitor, maintain and demonstrate compliance
- Advises on the need for Data Protection Impact Assessments (DPIAs)
- Acts as a point of contact for individuals and the ICO
- Provides an independent view, based on knowledge of the UK’s data protection legislation
The Grove Surgery:
- will ensure that the DPO can operate independently and without limitation
- will involve the DPO in relevant issues
- will inform the DPO of any new business process or change in process
- will inform the DPO of any new processor or change in processor
- will ensure staff are trained and aware of GDPR requirements
- will ensure that the opinion of the DPO is always given due weight
- will not issue the DPO with any instructions, or place any constraints on them, relating to their DPO role
- will allow individuals to contact the DPO
- will comprehensively record and thoroughly document any reasons for acting against the advice of the DPO
Designation of the DPO
The Grove Surgery has designated Ms Radha Muthuswamy as its Data Protection Officer.
Our IT Systems
- Our Grove Surgery IT systems and support are provided via the CCG, and the clinical systems are supplied under national contracts with clinical system providers.
- We ensure systems, services, and equipment used for storing data meet acceptable security standards
- Regular checks and reviews are performed to ensure that the hardware and software used for security purposes are functioning properly
- The Grove Surgery liaises with the CCG provided IT infrastructure support services
- The Grove Surgery ensures that cyber security recommendations are implemented and deployed, and continual staff awareness is raised regarding cyber security
- The Grove Surgery will liaise with the DPO on any technical matters relating to the GDPR
Contracts and Service Level Agreements
The Grove Surgery must ensure that appropriate wording regarding compliance with the Data Protection Act (and GDPR) is covered in all contracts and service level agreements before these are signed or changes are agreed. Temporary staff, students, volunteers, and contractors are required to sign a confidentiality agreement which is regularly reviewed and updated. Copies are available from the Grove Surgery Manager.
Training
All staff must complete information governance training on an annual basis. Compliance is monitored, and a reminder is sent to those members of staff whose training is about to expire or has expired.
Data Processing Register and Privacy Notice
A register of the data processing activities undertaken by the Grove Surgery, and of any data processing agreements entered into, will be maintained, regularly updated and reviewed. This will include ensuring that the UK GDPR lawful basis for each processing activity is identified.
The Grove Surgery will regularly review and update, as required, the Grove Surgery Privacy Notice, and it will be published on our website.
Introduction or changes to policies, systems and processes – Data Protection Impact Assessments (DPIAs)
As a Grove Surgery we must consider data protection under UK GDPR when:
- Planning a new information sharing initiative such as working with new partners or with existing partners in different ways
- Introducing new IT systems for collecting and processing personal data
- Intending to use personal data for a new purpose
We must be able to show that data protection has been considered ‘by design and by default’, and we must carry out a DPIA if a project or policy is likely to result in a high risk to the privacy of individuals.
It is important that changes to services, systems and the processing of personal data are assessed to ensure that the confidentiality, availability and integrity of data are maintained. The Grove Surgery will liaise with the DPO to identify when a DPIA is required, and will ensure that it is completed and approved before changes are introduced.
Accuracy of data
All Grove Surgery staff are responsible for ensuring that:
- Their own personal data provided in relation to their employment is accurate and up to date
- Personal data that they handle lawfully and as part of their role is as accurate and up to date as possible, kept securely with restricted access, and not kept for longer than necessary.
Security of Data
All staff are responsible for ensuring that personal or sensitive data is held securely and that it is not disclosed to any unauthorised third party. Data that is disclosed inappropriately or accidentally must be reported using the Grove Surgery incident reporting process.
All incidents and data breaches will be logged in a breach register. To ascertain whether a breach is reportable to the ICO, the Grove Surgery will liaise with the DPO. Any reportable breach will be reported to the ICO within 72 hours of the Grove Surgery becoming aware of it, where feasible.
All data breaches will be examined, whether reportable or not, to ensure measures are put in place to prevent recurrence, reduce risk, and ensure that lessons are learned.
Retention of data
The Data Protection Act requires that data is not held for longer than necessary. Staff are required to identify the retention periods for all personal data held by them and ensure that it is disposed of securely, in accordance with the retention and destruction guidelines in the Records Management Code of Practice for Health and Social Care 2021, available at: www.nhsx.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice-2021
Disclosure outside of the UK
Unless certain exemptions apply or certain protective measures are taken, personal data must not be disclosed or transferred (outside the UK) to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of the individuals, even if it would otherwise constitute fair processing. Any transfer to a country within the scope of EU GDPR will have to consider EU GDPR in addition to UK GDPR. There could be other local laws that may also apply.
Advice should be sought from the Information Governance Lead/Data Protection Officer and Caldicott Guardian before any such information is transferred.
General staff guidelines
- The Grove Surgery will provide training to all employees to help them understand their responsibilities when handling data
- Staff should keep all data secure by taking sensible precautions and following the Grove Surgery’s procedures and policies
- NHS smartcards, passwords, and logins must be used whenever possible and must never be shared or borrowed
- Whenever a screen is left unattended, programs that handle patient data should be closed or locked
- Personal data should not be disclosed to unauthorised people, whether within the Grove Surgery or externally
- Staff should request help from the Grove Surgery Manager or Caldicott Guardian in the first instance if they are unsure about any aspect of data protection
- Staff may liaise with the DPO where required
- All staff will have a privacy and data protection clause added to their contracts
Relevant legislation and Statutory best practice
The Common Law Duty of Confidentiality is that, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent; unless there is an overriding public interest (e.g. public health) or a legal duty to do so (e.g. detection or prevention of serious crime).
The Data Protection Act 2018 (DPA 2018) and the UK GDPR control how an individual’s personal information is used by organisations, businesses and the government. Organisations that process personal data must register with the Information Commissioner’s Office and pay the data protection fee on an annual basis.
The overall principles of the GDPR are for organisations to be fair and transparent about how they use individuals’ personal information, and for individuals, where possible, to have more choice and control over how their personal information is used. GDPR builds on previous law and best practice. GDPR requires that the Grove Surgery identifies the lawful basis for processing, managing and sharing patient information. Data protection legislation applies only to living individuals, who have a right to access the information that an organisation holds about them; this includes patients and employees. Any Right of Access Request must be responded to within one month of receipt.
Please see the Grove Surgery’s Subject Access Request policy and Access to Health Records Policy for further information.
A duty of confidence still applies to deceased individuals’ personal information. The Access to Health Records Act (1990) confers the right of access to records of deceased patients to executors or administrators of a deceased person’s estate and requests for access are administered in a similar way to requests for access to records under data protection law.
Caldicott Principles
The Grove Surgery adheres to the Caldicott Principles, as listed below.
- Justify the purpose(s). Every proposed use or transfer of personal and confidential data, within or outside an organisation, should be clearly defined, scrutinised and documented, with continuing uses being reviewed regularly by an appropriate guardian.
- Don’t use personal confidential data unless it is absolutely necessary. Personal confidential data items should not be included unless they are essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
- Use the minimum necessary personal and/or confidential data. Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified, so that the minimum amount of personal and/or confidential data necessary for a given function to be carried out is transferred or accessed.
- Access to personal confidential data should be on a strict need-to-know basis. Only those individuals who need access to personal and/or confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
- Everyone with access to personal and confidential data should be aware of their responsibilities. Action should be taken to ensure that those handling personal and confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.
- Comply with the law. Every use of personal and confidential data must be lawful. Someone in each organisation handling personal and confidential data should be responsible for ensuring that the organisation complies with legal requirements.
- The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators, and professional bodies.
- Inform patients and service users about how their confidential information is used. A range of steps should be taken to ensure there are no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information; in some cases, greater engagement will be required.
Exemptions to the Data Protection Act
There are a few exemptions to the Data Protection Act. These include:
- Prevention or detection of crime
- Review of equality of opportunity
- Administration of justice
Always contact the Data Protection Officer for clarification or processing of any requests that may fall within the exemption category.
This policy will be reviewed and updated annually or, as and when the UK’s Data Protection requirements change.