Data Protection Act and GDPR

You have the right to expect that information about you will be held in confidence. You also have the right to have access to the medical records held about you.  Please see our privacy notice, which details how and why your personal data / information is held, used and where appropriate shared.

Privacy notice
Fairwater Health Centre aims to ensure that we provide a high standard of medical
care. To enable this, we keep records about you, your health and the care we
provide or plan to provide to you.
This statement is a requirement of the General Data Protection Regulation. The
purpose is to tell you what data we hold about you, why we hold it, how the data is
processed and in some circumstances shared. It also covers your rights as a person
we hold data about, how long your data is held for and the contact details of the
person responsible for controlling the data at the surgery.
This privacy notice is not intended to provide exhaustive details of all aspects of the
collection and use of personal data by the Health Centre. However, we are happy to
provide any additional information or explanation.
What information do we collect and use?
The Health Centre collects, holds and processes personal information about patients
and their carers / legal guardians. Personal data is defined as any information
relating to a person who can be directly or indirectly identified from the data.
The following types of information are collected from you or about you from a third
party in relation to the delivery of care:
• Details about you, i.e. your address, legal representative, emergency contact details
• Any contact the surgery has had with you, i.e. appointments, clinic visits,
emergency appointments
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc.
• Relevant information from other health professionals, relatives or those who
care for you
Your healthcare records contain information about your health and any treatment or
care you have received previously. These records may be electronic, a paper record
or a mixture of both. We use a combination of technologies and working practices to
ensure we keep your information secure and confidential.
It is important that the personal data we hold about you is accurate and current.
Please keep us informed if your personal data changes during your relationship with
Your records will be retained in accordance with the NHS Code of Practice for
Records Management.
Personal data must be:
• Processed fairly, lawfully and transparently
• Processed securely
• Collected for a specified, explicit and legitimate purpose
• Adequate, relevant and necessary
• Accurate and up to date
• Only kept for as long as necessary and then securely destroyed
Why we collect and hold your information, and how we use it
The Health Centre is the data controller for this data and therefore, is responsible for
your personal data. We use and process this information for activities relating to
direct patient care. Under the GDPR, the legal basis for holding and processing this
information is:
• For the necessary performance of a task carried out in the public interest or in
the exercise of official authority
• For the purpose of preventative medicine, medical diagnosis, and the
provision of health care and treatment.
We hold your personal primary care healthcare records and personal information,
relating to your health care records. The NHS (Wales) Act 2006 and the Social
Services and Well-being (Wales) Act 2014 give GP Surgeries statutory functions to
promote and provide health services in Wales, improve quality of services, reduce
inequalities, conduct research, review performance of services and deliver education
and training. To do this we need to process your information in accordance with
current data protection legislation.
The information is used to:
• Provide a basis for all health decisions made by care professionals with and
for you
• Make sure your care is safe and effective
• Work effectively with others providing you with care
• Send you text notifications about appointment reminders, flu clinics,
health promotion information, cancellation of clinics and changes in service
provision. (You can opt out of the text notification service at any time by
phoning the Health Centre on 029 2056 6291).
We may also use, or share, your information for the following purposes:
• Looking after the health of the general public
• Making sure that our services can meet patient needs in the future
• Auditing – Using patient health information to review and improve the quality of
healthcare within the Health Centre and NHS Wales as a whole
• Patient identifiable information is only used within the practice. (Patients have
the right to request that their health information is not included in audits);
• Preparing statistics on NHS performance and activity (steps will be taken to
ensure you cannot be identified individually)
• Investigating concerns, complaints or legal claims
• Training and educating staff
We will only use your personal data for the purposes for which we collected it, unless
we reasonably consider that we need to use it for another reason and that reason is
compatible with the original purpose. If you wish to get an explanation as to how the
processing for the new purpose is compatible with the original purpose, please
contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and
we will explain the legal basis which allows us to do so.
Automated decision making and risk prediction
Risk prediction data tools are increasingly used in the NHS to help determine a
person’s risk of suffering a particular condition, preventing an unplanned or
(re)admission and identifying a need for preventive information. Information about
you is collected from a number of sources including the Health Centre. Risk
prediction enables your GP to focus on preventing ill health and not just the
treatment of illness. If necessary, your GP may be able to offer additional services.
My Health Online and online ordering of repeat prescriptions
This service allows you to book and cancel routine GP appointments (where the
Health Centre makes appointments available), check your repeat medication, order
repeat prescriptions and make changes to your email and mobile contact number
where appropriate. You will need to register at reception to use this service and can
de-register at any time.
Repeat prescriptions can also be ordered via the prescriptions page of our website,
which is encoded in secure HTML. The website is provided by a third party supplier,
who we have a confidentiality agreement with.
Direct patient mailing
We use a printing company to produce and send letters to our patients. Letters sent
to patients via this method will usually be where a large volume of letters needs to be
sent in one go, for instance invitations for vaccination appointments. Data for letters
is sent via an encrypted website to set up the letters and the mailing list. The
company produces, prints and despatches the letters via Royal Mail. The data is then
held for 28 days to take into account any mail returned to sender and then deleted.
For more information please go to:
Medicine management
The Health Centre may conduct Medicines Management Reviews of medications
prescribed to its patients. This review is to ensure patients receive the most
appropriate, up to date and cost effective treatments. This service is provided by our
clinicians, our employed Pharmacist and Pharmacists provided by Cardiff and Vale
University Local Health Board.
Computer system
The Health Centre operates a clinical computer system provided by EMIS on which
Health Centre and NHS staff record information securely. This information can be
shared with other Clinicians so everyone caring for you is fully informed about your
relevant medical history.
To provide around the clock, safe care, unless you have asked us not to, we will
make information available to trusted organisations. Wherever possible, their staff
will ask your consent before information is viewed.
We consider patient consent as being the key factor in dealing with your health
How we keep your information confidential and secure
We are committed to protecting your privacy and will only use information collected
lawfully in accordance with the Data Protection Act 1998, Article 8 of the Human
Rights Act, the common law of confidentiality, GDPR and the NHS Codes of
Confidentiality and Security. Everyone working in, or for the NHS must use personal
information in a secure and confidential way.
We will only ever use or pass on your information if there is a genuine need to do so.
We will not disclose information about you to third parties without your permission
unless there are exceptional circumstances, such as when the law requires.
To protect your confidentiality, we will not normally disclose any medical information
about you over the telephone or by fax; unless we are sure that we are talking to
you. This means we will not disclose information to your family, friends, or
colleagues about any medical matters; unless we know you have given your consent
to do so.
Anyone who receives information from us is also under a legal duty to keep it
confidential and secure.
All persons working in the Health Centre sign a confidentiality agreement, which
explicitly makes clear their duties in relation to personal health information and the
consequences of breaching that duty.
Please be aware that non-clinical Practice staff will access your information in order
to perform tasks enabling the functioning of the Practice. These include:
• Typing referral letters to Hospital Consultants or allied Health Professionals
• Opening letters from hospitals and Consultants
• Scanning clinical letters, radiology reports and any other documents not
available in electronic format
• Photocopying or printing documents for referral to Consultants
• Handling, printing, photocopying and postage of medico legal and life
assurance reports and other associated documents
Sharing your data
Your data may be shared with other NHS and social care organisations as part of
your treatment or where deemed in your best interest or the best interests of a person
who you are the parent, guardian or carer of.
Some of the organisations we regularly share data with are:
• NHS Wales (Local Health Boards, Trusts and hospitals, Out of Hours,
Ambulance trust)
• Relevant GP Practices
• Dentists, Opticians and Pharmacies
• Private Sector Providers (private hospitals, care homes, hospices, contractors
providing services to the NHS)
• Voluntary Sector Providers who are directly involved in your care
• Other NHS services
Where necessary, your consent will be sought to share your data with social care
agencies or other non-NHS or social care agencies (Police, Fire, Social Care
Services, Education services). All information is shared with these above agencies
following strict sharing protocols.
We may also receive information from the above agencies, to ensure your medical
records are kept up to date and enable the GP to provide appropriate care.
Welsh GP record (Individual Health Record)
This is an electronic summary of the health records held by us as your GP, which is
shared securely with other people who provide care for you when the surgery is
closed, such as out of hours doctors. This is because these care providers do not
have direct access to our GP medical record system. This shared record allows the
doctors and other care professionals to see what medical issues and medicines you
have been having recently without having to ask you to repeat the information.
The following is contained in the summary:
• Name, address and contact details
• Current medication and medication prescribed in the last 2 years
• Allergies or reactions you suffer from
• Current medical problems and diagnosis
• Results of tests you have had in the last year
Only the following will have access to your information via the Welsh GP record:
• Doctors and nurses directly involved in your care
• Doctors and nurses working for the out of hours service directly involved in
your care
• Hospital pharmacists and pharmacy technicians directly involved in your care
The record is only available to NHS staff in Wales.
You can refuse to allow someone to look at this information and you should be asked
every time you are seen by one of the groups above. If you don’t want your medical
information to be shared at all, let us know and we can opt you out of the scheme. If
you are the parent or guardian of a child under 16 and you don’t want your child’s
information shared in this way, please discuss this with us. For further information
Other organisations who might ask to access your information
Your medical records may occasionally be shared with organisations such as
insurers and solicitors for the purpose of producing medical reports, processing
claims or assisting in cases you are a participant in. In these instances, we will only
share your records when we receive authorisation and consent from yourself.
• Solicitors often ask for medical reports. We will require your signed consent
for us to disclose information. We will not normally release details about other
people that are contained in your records (e.g. wife, children, parents etc.)
unless we also have their consent. The information requested should be
limited to the information directly relating to the issues it is requested for.
Solicitors should not be requesting your entire medical records, unless there
is a good reason to do so. These requests should be made under the rules
governed by the Access to Medical Records Act and a fee is chargeable.
• Social Services – The Benefits Agency and others may require medical
reports on you from time to time. We will need your signed consent to provide
information to them.
• Life assurance and insurance Companies / employers / occupational
Health Doctors frequently ask for medical reports on individuals. These must
always be accompanied by your signed consent form. These requests should
be made under the rules governed by the Access to Medical Records Act and
a fee is chargeable. The information requested should be limited to the
information directly relating to the issues it is requested for. The organisation
making the request should not be requesting your entire medical records,
unless there is a good reason to do so.
We will only disclose the relevant medical information as per your consent. You have
the right, should you request it, to see reports prepared for Insurance Companies,
employers or occupational Health doctors before they are sent.
Sharing Your Information without Consent
We will normally ask you for your consent, but there are times when we may be
required by law to share your information without your consent, for example:
• Where there is a serious risk of harm or abuse to you or other people
• Where a serious crime, such as assault, is being investigated by the police or
where it could be prevented
• Where we encounter infectious diseases that may endanger the safety of
others, such as meningitis or measles (but not sensitive information i.e
• Where a sealed court order has been issued, the court can insist we disclose
the medical records we hold about you.
• Where there is a legal requirement, e.g. you had committed a Road Traffic
The Health Centre is committed to ensuring that your privacy is protected. If we ask
you to provide information by which you can be identified when using our website, be
assured that it will only be used in accordance with this privacy statement.
Your rights
You have the right to access your own personal data held by the Health Centre (right
of subject access). The data can be viewed on request and copies of the data will
be provided free of charge within 1 calendar month of receiving the request unless the
data held is complex in nature. You will need to provide adequate information to
enable us to identify you before providing the information.
You also have the right to have inaccurate or incomplete data corrected, but we
cannot delete data from your health records. In addition, you have the right to object
to the way your data is being used.
You have the right to restrict the way in which and purpose for which your data is
processed. You can choose to restrict the collection or use of your personal
information in the following ways:
• Information you supply using any electronic form(s) on the Health Centre
website will only be used for the purpose(s) stated on the form.
• If forms are provided by someone other than the Health Centre, look for the tick
box that indicates you do not want the information to be used for direct
marketing purposes.
Data retention
The Health Centre will retain your data until you register with another GP surgery
when it will be sent to the new GP surgery, or until your death when it will be
transferred to NHS Wales Shared Services Partnership for destruction in line with
their retention rules. Some electronic data will be retained on our computerised
clinical management system, but this will only be accessed in line with the legal
reasons for processing data as stated above.
Contacts, concerns and complaints
If you wish to raise any issues or exercise your legal rights in relation to the data held
by the Health Centre about you, please contact the Practice Manager Alistair Brook:
Fairwater Health Centre
Plasmawr Road
T: 029 2056 6291
E: [email protected]
Or use the feedback form on this website (
The Practice uses the Wales data protection officer service provided by the NHS
Wales IT Service. Their contact details are:
[email protected]
You have the right to raise issues with the Information Commissioner’s Office about
the control and processing of your personal data. The ICO for Wales contact details
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
CF10 2HH
T: 029 2067 8400
E: [email protected]
This privacy notice will be reviewed in December 2021

Privacy notice (patient) published