Privacy Notice

 

This Privacy Notice will explain how Pencoed Medical Centre uses your personal data.

< Back to policies & procedures

Pencoed Medical Centre is the controller for personal information processed. The practice is committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you at the practice.

What Information do we collect about you?   

We will collect information about you and your health as well as health care services you have received.

This will include personal information such as your NHS number, name, address, contact information, date of birth, and next of kin.

We will also collect sensitive personal information about you (also known as special category data) which includes information relating to your health (appointment visits, treatment information, test results, X-rays, or reports), as well as information relating to your sexual orientation, race or religion.

All the above information we collect and hold about you forms part of your medical record and is primarily held to ensure you receive the best possible care and treatment.

 

How is your personal data collected?

The information we hold is collected through various routes, these may include:

  • Direct interactions with you as our patient, when you register with us for care and treatment, during consultations with practice staff and when you subscribe to services for example, newsletters, text messaging, telephone recordings and creating an account for online services.
  • Indirectly from other health care providers, when you attend other organisations providing health or social care services for example, out-of-hours GP appointments or visits to A&E and some interactions with Social Care, they will let us know so that your GP record is kept up to date.
  • Through wearable monitoring devices such as blood pressure monitors.
  • Automated technologies such as when you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. This is collected using cookies, for further information about how we use cookies, please see our cookie policy
 

How do we use your information?

The information we collect about you is primarily used for your direct care and treatment but may also be used for:

  • The management of healthcare services
  • Participation in national screening programmes
  • National data collection requirements
  • Medical research and clinical audit
  • Legal Requirements
  • Security and safety of our staff and premises
 

Partners we may share your information with

We may share your information, subject to agreement on how it will be used, with the following organisations:

  • NHS Trusts/Foundation Trusts/Health Boards
  • Other GPs within our cluster
  • Out of hours providers
  • Diagnostic or treatment centres
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Ambulance Trusts
  • Social Care Services
  • Digital Health and Care Wales
  • NHS Wales Shared Services Partnership (NWSSP)
  • Legal and Risk Services
  • Health and Care Research Wales
  • Public Health Wales
  • Healthcare Quality and Improvement Partnership
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers

We may also use external third-party companies (data processors) to process your personal information. These companies will be bound by contractual agreements to ensure information is kept confidential and secure. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

We will not share your information with any third parties for the purposes of direct marketing.

The Practice will only use and share your information where there is a legal basis to do so. A full list of how your data may be used and shared can be found in Annex 1 section below.

 

Our legal basis for processing your personal data

The legal bases for most of our processing relates to your direct care and treatment:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special category data, for example data concerning health, racial or ethnic origin or sexual orientation, we need to meet an additional condition in the UK General Data Protection Regulation (UK GDPR). Where we are processing special category data for purposes related to the commissioning and provision of health services the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service; or
  • Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

The Practice may process your personal data for the purposes of research, in such circumstances our legal basis for doing so will be:

  • Article 6 (1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we process special category data for research purposes the legal basis for doing so is:

  • Article 9 (2)(a) – you have provided your explicit consent
  • Article 9(2)(j) – processing is necessary for scientific or historical research purposes or statistical purposes.

Where the Practice relies on your consent for the processing, you have the right to withdraw consent at any time.

The Practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject

Where we process special category data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

In rare circumstances we may need to share information with law enforcement agencies or to protect the wellbeing of others for example to safeguard children or vulnerable adults. In such circumstances are legal basis for sharing information is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(d) - processing is necessary to protect the vital interest of the data subject or another natural person; or
  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we share special category data for the purposes of safeguarding, the legal basis for doing so is:

  • Article 9(2)(g) - processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18 ‘Safeguarding of children and individuals at risk’
 

Purpose of the Processing

Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services and help to identify a person’s risks, for example of suffering a particular condition like diabetes. Stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness Information about you is collected from a number of sources including NHS Boards and from this GP Practice. The Programme Team can be contacted via e-mail: CTM.PHMunit@wales.nhs.uk

Recipients

GP Practices, SAIL database (see above), Public Health Team, Cwm Taf Morgannwg University Health Board (CTMUHB), DHCW (see above).

Legal Basis

This project is allowed on the following legal basis

  • It is a task carried out in the public interest or in the exercise of official authority – Art 6(1)(e)
  • It seeks to deliver the provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems – Art 9(2)(h)
 

Retention of your Personal Information / Storing your Information

We are required by UK law to keep your information and data for a defined period, often referred to as a retention period. The Practice will keep your information in line with the practice records management policy.

 

How to Contact us

Please contact the practice if you have any questions about our privacy notice or information we hold about you via the below methods:

Mr Graeme Hunter
Business Manager

Pencoed Medical Centre
Heol yr Onnen
Pencoed
CF35 5PF

Contact the practice via our secure online form

 

Contact Details of our Data Protection Officer

Pencoed Medical Centre is required to appoint a data protection officer (DPO). This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.

Our Data Protection Officer is:

Digital Health and Care Wales Information Governance Data Protection Officer Support Service
5th Floor
Tŷ Glan-yr-Afon
21 Cowbridge Road
East Cardiff
CF11 9AD

 

Your Rights

The UK GDPR includes several rights. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, there are some circumstances in which we may not uphold a request to exercise a right.

Your rights and how they apply are described below:

Right to be Informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the UK GDPR, although there are exceptions to what we are obliged to disclose.

The Practice may not provide information where an appropriate health professional has determined that disclosure would be likely cause serious harm to the physical or mental health of you or others.

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to Erasure (right to be forgotten)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.

Right to Restriction of Processing

You have the right to request that we restrict the processing of the personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to Data Portability

This right is only available where the legal basis for processing under the UK GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to Object

You have the right to object to processing of personal data about you at any time. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your objection relates to marketing.

Rights in relation to automated individual decision-making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of the Practices processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:

Information Commissioner’s Office
Wycliffe House Water Lane
Wilmslow
SK9 5AF

Make a complaint to the ICO

Annex 1

Collaborative Working

The practice works as part of the Bridgend East collaborative. This means that we will work together to provide services across the population to support care and treatment. Data will be shared between collaborative practices for the provision of care for example to provide GP cover or where a service is offered like physiotherapy.

Purpose of the Processing

To provide direct health or social care services to individual patients through a grouping of GPs working with other health and care professionals to plan and provide services locally.

Recipients

Other GPs within the cluster, voluntary services, medicines management, community network services – integrated health and social care e.g. District Nursing, and the Local Public Health Team.

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

Invoice Validation

If you have received treatment within the NHS, your personal information may be shared within a secure environment, to ensure the correct Health Board covers the cost of your care and treatment.

Purpose of the Processing

To ensure the correct Health Board is charged for the cost of your care and treatment.

Recipients

Details of the treatment received will be shared for charging purposes with Health Boards and as part of auditing requirements.

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

Digital Health and Care Wales (DHCW)

DHCW is a national body, which has legal responsibilities to collect information about the health and social care services. Data is collected from organisations across NHS Wales to report on the performance of the NHS so that improvements can be made to services.

More information about DHCW services and how it uses data

Purpose of the Processing

DHCW has a legal responsibility to collect information to report to NHS Wales and Welsh Government Information.

Recipients

NHS Wales, Welsh Government via anonymised data and statistics, Primary Care for discussion on improving performance to services offered

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

Registering for NHS Health Care

Everyone who receives NHS care will be registered on a national database, which holds your name, address, date of birth and NHS number. No medical Information is held. This database is held within the Digital Health and Care Wales (DHCW) who have the legal responsibilities to collect NHS Data.

Purpose of the Processing

Centralised national database of all patients who receive NHS care in Wales. This is held within DHCW who have a legal responsibility for collecting this data.

Recipients

NHS Wales - Information is shared with the Welsh Government in an anonymised form for statistical analysis.

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

Direct Care

The Practice will share your information with other services in order to provide you with direct care and treatment for example referring you to specialist treatment in a hospital, sharing your prescription with your local pharmacy and provided by out of hours and A&E

Purpose of the Processing

  • To give direct health or social care to individual patients through working with other health and care professionals to plan and provide specialist services in a hospital setting.
  • For the requirement of fulfilling your prescription request.
  • Out of hours and A&E staff may need to access your records in order to provide you the most appropriate care and treatment.

Recipients

  • Health Boards, Voluntary Services, Medicines Management, Community Network Services, Integrated Health and Social Care teams e.g. District Nursing, Local Public Health Team
  • Between GP and Pharmacy
  • A&E Hospital doctors and nurses directly involved in your care. Doctors and Nurses providing GP out of hours services Hospital pharmacists directly involved in your care.

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

Welsh GP Summary Record

This record provides a summary of important information contained in your GP records including your full name, address and contact information, along with current medication, previous medication prescribed in the last two years, current problems or diagnosis, recent test results and allergy or adverse reaction information. You can “opt out” of sharing your information in the summary record. Further information is available here: Welsh GP Record

Purpose of the Processing

To allow healthcare professional quick and timely access to the most relevant and recent clinical information when providing you direct care and treatment.

Recipients

Hospital doctors and nurses directly involved in your care, doctors and nurses providing GP out of hours services, hospital pharmacists directly involved in your care. First responders and advanced paramedics in the ambulance service who are directly involved in your care, community pharmacists providing a one-to-one consultation to you through the Choose Pharmacy Service. vaccinators who administer COVID-19 vaccinations through the Welsh Immunisation System (WIS) – vaccinator access is limited to only view prescribed medication and allergies/adverse reactions to medication through WGPR

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

National Screening Programmes

The practice will share data for the purpose of inviting patients to participate in national screening programmes. These programmes are used to assist the early detection of certain medical conditions and diseases. There are currently several programmes in place including, bowel screening, breast screening aortic aneurysms screening, diabetes screening, cervical screening, antenatal screening, new-born hearing screening and new-born bloodspot screening. The law permits Pencoed Medical Centre to share information with Public Health Wales for you to be notified to attend the relevant screening programme.

Purpose of the Processing

Information is shared so that the most high-risk patients are identified and invited for screening where treatment can be offered.

Recipients

Public Health Wales

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
 

Medicines Management

The Practice may conduct reviews of medications prescribed to patients.

Purpose of the Processing

This service performs a review of prescribed medication to ensure patients receive the most appropriate update to date and cost-effective treatments.

Recipients

Medicines management, Pharmacies, GP practices, community network services – integrated health and social care e.g. District Nursing, and the Local Public Health Team

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • and/or Article 9(2)(i) ‘…. necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices …..’
 

Clinical Audit

Clinical Audit allows a review of the quality of care provided to patients. The practice will only share information for organisations responsible for national Healthcare Quality Improvement Partnership (HQIP)

Purpose of the Processing

Medical research purposes and to review the quality of healthcare provided to patients

Recipients

For national clinical audit purposes The data will be shared with Healthcare Quality Improvement Partnership (HQIP) and Digital Health and Care Wales.

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • and/or Article 9(2)(i) ‘…. necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices …..’
 

Public Health Wales

To prevent the spread of infectious diseases and other diseases, which threaten the health of the population, the law requires us to share data. If an instance occurs, the necessary information will be reported to Public Health Wales. For further information about Public Health Wales and the reporting of diseases, please see Public Health Wales.

Purpose of the Processing

To give direct health or social care to individual patients. Information must be shared by law under public health legislation therefore you are unable to object

Recipients

Public Health Staff, Health Boards and Hospitals, Welsh Assembly government and other relevant organisations as required

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ’…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • and/or Article 9(2)(i) ‘…. necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices …..’
 

Medical Research

Medical research allows researchers to understand the causes of diseases and supports to the development of new and better clinical care and treatment. We may use information we hold about you in research, information will only be shared with organisations like Health Care and Research Wales where the law allows or with your consent.

Purpose of the Processing

Medical research purposes and to review the quality of healthcare provided to patients.

Recipients

For medical research purposes, information will be shared with: Data will be shared with Health and Care Research Wales

Legal Basis

  • Article 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(a) ‘the data subject has given explicit consent to..’
  • and/or Article 9(2)(j) – ‘processing is necessary for…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures
 

Safeguarding

There may be rare situations where we need to share information to protect people with safeguarding needs such as children, staff or even you from harm. No consent of permission is needed for the practice to do this.

Purpose of the Processing

To protect children, staff or vulnerable adults from harm.

Recipients

Your information may be shared with Social Services, the Police or other law enforcement bodies where the law allows. or Your information must be shared if a court orders us to do.

Legal Basis

  • Article 6(1)(c) ‘ ….necessary for the compliance with a legal obligation to which the controller is subject’
  • and/or Article 6(1)(d) ‘…. Necessary in order to protect the vital interests of the data subject or another natural person’.
  • and/or Art 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ Art 9(2)(g) ‘…necessary for reasons of substantial public interests.’ Data Protection Act 2018, S10 and Schedule 1 Para 18 ‘Safeguarding of children and individuals at risk’
 

Health Care Inspectorate Wales (HIW)

Healthcare Inspectorate Wales is an independent inspectorate and regulator of health care in Wales. They regulate and inspect NHS services and independent healthcare providers to ensure that safe care is provided and to identify areas for improvement. It is compulsory and a legal requirement for the practice to inform HIW of any serious incidents that may occur such as when a patient safety has been put at risk.

Further information can be found on the Healthcare Inspectorate Wales website

Purpose of the Processing

The law requires information to be shared with the Healthcare Inspectorate Wales so they can perform their regulatory functions. This means you are unable to object.

Recipients

Health Care Inspectorate Wales (HIW) staff as directed.

Legal Basis

  • Article 6(1)(c) ‘….necessary for compliance with a legal obligation to which the controller is subject’
  • Article 9(2)(h)’ necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • and/or Article 9(2)(j) – ‘processing is necessary for…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’
 

Legal Advice/ Claims

There may be rare situations where individuals make claims against the practice, when this occurs we may share all relevant claim and relative medical records/ information to enable the practice to obtain legal advice, establish the facts of the case and defend such instances.

Purpose of the Processing

To obtain legal advice, or for the purpose of establishing, exercising or defending legal rights (including prospective legal proceedings)

Recipients

Your information may be shared with the GP’s Medical Defence Unions, solicitors or legal representatives and NHS Wales Shared Services who operate the All Wales GMPI scheme. See the Legal and Risk Service Team Privacy Notice.

Legal Basis

  • Article 6(1)(c) ‘…. necessary for compliance with a legal obligation to which the controller is subject’
  • and/or Article 6(1)(e) ‘…. necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(f) ‘…necessary for the establishment, exercise of defence of legal claims…’
 

SAIL

SAIL Databank is a rich and trusted population databank. It improves lives by providing researchers with secure, linkable and anonymised data. Anyone wishing to opt out of anonymised data related to them being sent to SAIL or used for other secondary purposes, should make a request directly to us as their GP.

Purpose of the Processing

Data is collected in SAIL for scientific or historical health research purposes. SAIL Databank does not receive or handle identifiable data.

Details on the Anonymisation and Linkage Process

Recipients

SAIL Databank

Legal Basis

  • Art 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(j) ‘….processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’
 

Medical Examiners Service (MES)

NHS Wales Shared Services Partnership are responsible for the management of the MES service. The MES provides independent scrutiny of non-coronial deaths both in hospital and in the community.

Purpose of the Processing

Information is accessed/shared by the practice with MES for the purpose of independent scrutiny of non-coronial deaths. The practice may also share next of kin details of the deceased with the MES.

Further information is available on the NHS Wales website.

Recipients

NHS Wales Shared Services Partnership – Medical Examiners Service

Legal Basis

For accessing records of the deceased:

  • Section 251 of the National Health Service Act 2006 and Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002.

For sharing contact details of next of kin:

  • Art 6(1)(e) ‘….necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’