Data Protection Policy for Primary Care Services GDPR Policy

Aim and Scope of Policy

This policy shows how the primary care service complies with the data protection requirements found in Regulation 17: Good Governance of the Health and Social Care Act 2012 (Regulated Activities), which expects primary care service providers to have effective governance of their record keeping, with records that are comprehensively fit for purpose and securely maintained. It also shows how the primary care service complies with the General Data Protection Regulation (GDPR), particularly its six main principles, which state that personal data must be:

• processed lawfully, fairly and in a transparent manner in relation to individuals

• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The policy applies to all manual and electronic records kept by the service in relation to service users, all staff and any third parties (agencies and professionals) with whom any personal data held by the service might have to be disclosed or shared.

Policy Statement

This primary care service recognises it must keep all records required for the protection and wellbeing of patients, and those for the effective and efficient running of the practice such as staff records, to comply with the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018 (and which is expected to continue to apply post-Brexit).

To comply with the GDPR, the practice understands that it will be accountable for the processing, management and regulation, and storage and retention, of all personal data held in the form of manual records and on computers, tablets, etc.

This means that all personal data obtained and held by the practice to carry out its activities as a primary care provider must:

• have been obtained fairly and lawfully

• be held for specified and lawful purposes as an organisation that is carrying out a public duty

• be processed in recognition of persons’ data protection rights, which are described in the GDPR in terms of the right:

– to be informed

– to have access

– for the information to be accurate and for any inaccuracies to be corrected

– to have information deleted (eg if inaccurate or inappropriately included)

– to restrict the processing of the data to keep it fit for its purpose only

– to have the information sent elsewhere as requested or consented to (eg in any transfer situation)

– to object to the inclusion of any information (eg if considered to be irrelevant)

– to regulate any automated decision-making and profiling of a person’s personal data

• be adequate, relevant and not excessive in relation to the purpose for which it is being used

• be kept accurate and up to date, using whatever recording means are used or agreed (eg manual or electronic)

• not be kept for longer than is necessary for its given purpose (eg in line with agreed retention protocols for each type of record)

• have appropriate safeguards against unauthorised use, loss or damage, with clear procedures for investigating any breaches of data security

• comply with the relevant GDPR procedures for international transfers of personal data, in that it can only be sent to a country which has standards comparable to those in the EU.

The practice has taken the following steps to protect everyone’s personal data which it holds or to which it has access, so that it complies with the GDPR.

1. It appoints or employs staff with specific responsibilities for:

– the processing and controlling of data (data controller)

– the comprehensive reviewing and auditing of its data protection systems and procedures (data protection officer)

– overseeing the effectiveness and integrity of all the data that must be protected (data protection officer).

There are clear lines of responsibility and accountability for these different roles.

2. It provides information to its patients and others involved in their care on their data protection rights and on how it uses and protects their personal data. The information includes the actions patients and staff can take if they think that their data has been compromised in any way (eg through the complaints procedure or, in the case of staff, the grievance procedure).

3. It provides its staff with information and training to make them aware of the importance of protecting people’s personal data, to teach them how to do this, and to understand how to treat information confidentially.

4. It can account for all personal data it holds, where it comes from, and who it is and might be shared with.

5. It carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the primary care service.

6. It recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data. At the same time, the primary care service recognises that there are other legal grounds set out in the GDPR for processing data, including: complying with legal obligations; fulfilling an employment contract; and being in the service’s legitimate interests.

7. It has policies and procedures for enabling service users and/or staff to have access to their personal information and for the making of subject access requests, in line with the time limits and rules on charging set out in the GDPR.

8. It has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report to the Information Commissioner’s Office (ICO) significant breaches that cause significant harm to the affected individuals, and is aware of the possible consequences and penalties.

9. For data held on children under the age of 16, the practice informs the child how their data is being protected in ways that the child can understand, and has procedures in place to obtain the consent of the responsible parent or guardian for obtaining and using the child’s data.


New staff must read and understand the policies on data protection and confidentiality as part of their induction.

All staff receive training covering basic information about confidentiality, data protection and access to records.

Training in the correct method for entering information in service users’ records is given to all staff.

The nominated data controller and data protection officer are trained appropriately in their roles under the GDPR.

All staff who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and to the organisation of any potential lapses and breaches of the practice’s policies and procedures.

Ratified by:

Y Armstrong (Data Protection Officer)

Dr MSN Ahmed (Data Protection Controller)

Date: January 2020

Policy review date: April 2020