Savile Town Medical Centre supports equality of access for all, including in line with commitments set out in the Equality Act 2010 and the NHS Constitution/Care Act 2014. We are committed to complying with the Accessible Information Standard (DCB1605 Accessible Information (formerly SCCI1605 Accessible Information).

The practice makes every effort to give the best service possible to everyone who attends our surgery. However, we are aware that sometimes certain events or situations can go wrong, leading to a patient feeling that they have a genuine cause for complaint.

If this is the case, we would wish for the matter to be settled as quickly, and as amicably, as possible. Simply contact the Practice Manager, who will give you the opportunity to further discuss you grievance.

Further written information is available on the complaints procedure form obtainable from reception.

We constantly aim to improve our service and strive to improve.

All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.

The average pay for GPs working in Savile Town Medical Centre in the last financial year was £64,021 before tax and National Insurance.

This is for 1 Full time GP and 1 part time GP who worked in the practice for more than six months.

Our Practice Privacy Notice explains how Savile Town Medical Centre will collect, look after, use or otherwise process your personal data. “Personal data” is information relating to you as a living, identifiable individual.

This practice handles medical records in-line with laws on data protection and confidentiality

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way, and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

Our contact details as Data Controller

Name: Savile Town Medical Centre

Address: 786 Scarborough Street, Dewsbury, West Yorkshire. WF12 9AY

Phone number: 01924 461124

Email: admin.saviletownmedicalcentre@nhs.net

We are the data controller for your information and is registered with the Information Commissioners Office as a Data Controller. A data controller decides on why and how information is used and shared.

Data Protection Officer contact details

Our Data Protection Officer is Helen Holt and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at Helen.holt@this.nhs.uk

Why we collect your information?

As a GP practice we are responsible for your day-to-day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.

It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).

We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.

These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

• Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
• Contact we have had with you such as appointments or clinic visits.
• Notes and reports about your health, treatment and care
• Details of diagnosis and treatment given
• Information about any allergies or health conditions.
• Results of x-rays, scans and laboratory tests.
• Relevant information from people who care for you and know you well such as health care professionals and relatives.
• For visitors to the practice basic information such as name and vehicle registration number

By providing the Practice with their contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

You can find more detailed information about how we your information for the following specific purposes here:

Primary Care Networks

• For commissioning and healthcare planning
• Population Health Management
• Yorkshire & Humber Care Record
• Summary Care Record
• Research – Find out how health researchers use information.
• Safeguarding, life or death situations and other circumstances we are required to share information.

What information do we collect?

Personal information

We currently collect and use the following personal information:

• personal identifiers and contacts (for example, name and contact details)

More sensitive information

We process the following more sensitive data (including special category data):

• data concerning physical or mental health (for example, details about your appointments or diagnosis)
• data revealing racial or ethnic origin
• data concerning a person’s sex life
• data concerning a person’s sexual orientation
• genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
• data revealing religious or philosophical beliefs
• data relating to criminal or suspected criminal offences

How do we use your information and how do we get it?

As health professionals, we maintain records about you to direct, manage, and deliver the care you receive. By registering with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient and if you do not have a previous medical record (a new-born child or coming from overseas, for example), we will create a medical record for you.

We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. In the practice, individual staff will only look at what they need in order to carry out tasks such as booking appointments, making referrals, supporting your care, or to support the management of the services we provide.

The personal information we collect is provided directly from you for one of the following reasons:

• you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
• if you have signed up to our newsletter / patient participation group, we will engage with you to seek you comments and views on the practice.
• If you have made a complaint we will need to collect information about the complaint which will include your personal information. We may also need to gain additional information from, or share information we have with, other healthcare providers and NHS organisations in order to process and investigate your complaint.

We also receive personal information about you from others, in the following scenarios:

• from other health and care organisations involved in your care so that we can provide you with care
• from family members or carers to support your care
• If you register with us from another practice, your historic GP notes are transferred to us from your old practice. This can happen electronically and your paper notes are transferred via an organisation called Primary Care Support England

The NHS care record guarantee

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:

https://webarchive.nationalarchives.gov.uk/ukgwa/20130513181549/http:/www.nigb.nhs.uk/guarantee

Primary Care Networks:

All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.

PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.

We are members of Dewsbury and Thornhill PCN along with Thornhill Lees Medical Centre, Healds Road Surgery, The Paddock Surgery, The Albion Mount Medical Practice, The Sidings Health Centre and Windsor Medical Centre.

This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services), Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.

For commissioning and healthcare planning purposes:

In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.

• Kirklees Council: Public Health, Adult or Child Social Care Services
• Calderdale Council: Public Health, Adult or Child Social Care Services
• Wakefield Council: Public Health, Adult or Child Social Care Services
• West Yorkshire Integrated Care Board (or their approved data processors)
• NHS Digital (Formerly known as (HSCIC)
• The “Clinical Practice Research Datalink” (EMISWeb practices) or ResearchOne Database (SystmOne practices).
• Other data processors which you will be informed of as appropriate.

In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.

Population Health Management:

Population Health Management (PHM) is about improving the physical and mental health of people.  It involves analysing data, in a format which does not identify individuals, and using the results to help making decisions on ways to prevent ill-health, improve care, reduce hospital admissions and help ensure that the most effective services are available for our patients.

The benefits of PHM are:

• to help frontline teams understand current health and care needs and predict what will be needed in the future.
• to identify specific groups of patients that are high risk and would benefit from direct interventions to improve their health and wellbeing.
• to improving the standard and quality of care.
• to prevent people needing hospital care unless necessary
• to support Working across different organisations in the health and care sector, to a positive difference to people’s lives. This can be supported by joining the data dots to tackle health inequalities we know exist across West Yorkshire.
• to identify gaps in services, as well as inform service redesigns.

We, and other healthcare providers like the hospital and community service providers, send information that relates to you to our data processor the North of England Commissioning Support Unit (NECS). NECS then pseudonymise this data, which means the information that could identify you is removed and is replaced with a pseudonym.  Information about the different health and care interventions you have had is then linked together so that it can be analysed without identifying you.

This pseudonymised data is then shared with West Yorkshire Integrated Care Board who will analyse the data to carry out commissioning and planning services and Population Health Management. Sometimes this analysis identifies individuals who might benefit from direct interventions to prevent illness. The results relating to patients registered at our practice are sent back to us so that we can assess who would benefit or require a particular healthcare intervention.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do not want your data to be used in this way, you can opt-out of all planning and research initiatives through the national data opt-out service. Access this service online at www.nhs.uk/your-nhs-data-matters or by calling: 0300 303 5678.

Summary Care Record

Your Summary Care Record (SCR) is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.

All patients registered with a GP have a SCR, unless they have chosen not to have one. Your SCR contains basic information about allergies and medications and any reactions that you have had to medication in the past.

Some patients, including many with long term health conditions, have previously agreed to have Additional Information shared as part of their Summary Care Record. This additional information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.

The purpose of SCR is to improve the care that you receive, however, if you don’t want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR patient consent preferences form and return it to your GP practice.

The Yorkshire & Humber Care Record

The Yorkshire and Humber Care Record (YHCR) https://yhcr.org/  is a digital shared care record solution that enables citizen information from multiple sources, to be accessed securely and updated in real time, when it is needed by appropriate health and care professionals.

By linking information systems the YHCR enables appropriate health and care staff to access your health and care information in real-time at the point of care. At the same time, it allows you to be more actively involved in your own health and wellbeing.

For research purposes

Research data is usually shared in a way that individual patients are non-identifiable.  Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects.  The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority

Where specific information is asked for, such as under the National Diabetes audit, you will be given the choice to opt of the audit.

For safeguarding purposes, life or death situations or other circumstances when we are required to share information:

We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).

For example, your information may be shared in the following circumstances:

• When we have a duty to others e.g. in child protection cases
• Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.

Who do we share information with?

We share information about you with other health professionals to support your care, and in more limited ways for indirect care purposes:

• NHS Trusts and hospitals that are involved in your care.
• Community Care Teams
• Care homes
• Other General Practitioners (GPs) or Primary Care Networks (which are groups of GP Practices).
• Ambulance Services.
• Social Care Services.
• Education Services.
• Local Authorities.

• Services commissioned by West Yorkshire ICB or NHS England for GP practices.
• NHS Digital Weight management Service
• NHS Diabetes Prevention Programme (NHS DPP)
• Voluntary and private sector providers working with or for the NHS. Such as Dentists, Pharmacies. Opticians & care homes
• Curo Health Ltd – GP Federation (Extended Hours Service or other Commissioned Services by ICB NHS England): To support patient care outside of core hours, our practice provides extended access services in partnership with Curo Health Ltd (GP Federation at Dewsbury Health Centre To deliver these services effectively, relevant medical information may be shared with Curo Health Ltd – This data sharing is carried out in accordance with the UK General Data Protection Regulation (UK GDPR), specifically:

• • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.

Additionally, TPP SystmOne eDSM (Enhanced Data Sharing Model) sharing out is enabled for registered patients at the practice as part of the provision of services delivered by the Curo Health Ltd.

You have the right to opt out of this data sharing arrangement. However, if you choose to opt out or dissent, we will be unable to offer you access to services offered through Curo Health Ltd, as your medical record would not be available to the clinicians providing your care.

All shared information is handled securely and accessed only by authorised healthcare professionals directly involved in your treatment.

From time to time we may offer you referrals to other providers, specific to your own health needs not included in the list above. In these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.

 We may also share information with the following types of organisations:

• third party data processors
  • IT system supplier (West Yorkshire ICB / Leeds City Council)
  • Software suppliers (TPP SystmOne, EMIS)
  • Communication suppliers (telephony services, email, text messages)
  • GP Connect Data Sharing
    GP Connect enables GP practices and authorised clinical staff to securely share patient information across different IT systems using Application Programming Interfaces (APIs), improving access to data for direct patient care. NHS England operates GP Connect under a legal direction from the Department of Health and Social Care, in accordance with Section 254 of the Health and Social Care Act 2012. The legal basis for processing personal data through GP Connect is Article 6(1)(e) of the UK GDPR – processing necessary for tasks in the public interest or under official authority. For special category data, such as medical records, the basis is Article 9(2)(h) – processing necessary for medical diagnosis, treatment, and the management of health or social care services. Access to patient records via GP Connect is strictly limited to organisations providing direct care.
  • iGPR – We outsource our Medical Reports to iGPR : 

We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for.

iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

• • Diabetes Care Support – Third-Party Service Notice

To enhance the care we provide to adult patients living with diabetes, our GP surgery has commissioned a third-party service delivered by a team of Medicines Optimisation professionals. This service is designed to support safe and effective prescribing, improve clinical outcomes, and ensure alignment with national clinical guidelines.

Participation in this service is entirely voluntary, and patients may opt out at any time. Any personal data shared with the third-party provider will be handled securely and in full compliance with data protection legislation and our practice’s privacy policy.

• • Minuteful Kidney service for patients with diabetes (and/or other conditions): The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice. Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at: http://minuteful.com/

In some circumstances we are legally obliged to share information. This includes:

• when required by NHS England to develop national IT and data services
• when registering births and deaths
• when reporting some infectious diseases
• when a court orders us to do so
• where a public inquiry requires the information
• Medical examiners

We will also share information if the public good outweighs your right to confidentiality. This could include:

• to detect, prevent or investigate crime
• where there are serious risks to the public or staff
• to protect children or vulnerable adults

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons.

Is information transferred outside the UK?

As a GP surgery, we do not routinely send patient data outside of the UK / EU where the laws do not protect your privacy to the same extent as the law in the UK.

Our data is hosted in UK and is only available to our staff and technical support staff in the UK.

What is our lawful basis for using information?

Under UK GDPR the Practice are mandated to identify a legal basis to process your

personal information.

For personal data

• 6(1)(a) – Consent: this must be freely given, specific, informed and unambiguous.
• 6(1)(b) – Contract: between a person and a service, such as a service user and privately funded care home.
• 6(1)(c) – Legal obligation: the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
• 6(1)(d) – Vital interests: Life & Death
• 6(1)(e) – Public task: a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

Special Category data (Sensitive Data including Health Records)

• 9(2)(a) – Explicit consent
• 9(2)(b) – Employment, social security and social protection (if authorised by law)
• 9(2)(c) – Vital interests – Life and Death
• 9(2)(e) – Made public by the data subject
• 9(2)(f) – Legal claims or judicial acts
• 9(2)(g) – Reasons of substantial public interest (with a basis in law)
• 9(2)(h) – Health or social care (with a basis in law)
• 9(2)(i) – Public health (with a basis in law)

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
• we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
• we have a legal requirement to collect, share and use the data
• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

How do we protect your personal information?

As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.

Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.

Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.

Any companies or organisations we use we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.

All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.

As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.

Your information is securely stored for the time periods specified in the Records Management Code of Practice.

All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.

The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.

What are your data protection rights?

Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these will rights apply equally, as certain rights are not available depending on situation and the lawful basis used for the processing.

For reference these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:

• Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
• Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.

Right to be informed

You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice

The right of access

You have the right of access You have the right to ask us for copies of your personal information, this is often referred to as a ‘Subject Access Request’. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

You can make a subject access request by emailing admin.saviletownmedicalcentre@nhs.net

The right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.The right to erasure

You have the right to ask us to erase your personal information in certain circumstances- This will not generally apply in the matter of health care data

The right to restrict processing

You have the right to ask us to restrict the processing of your information in certain circumstances– You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.

The right to object

You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you

Rights in relation to automated decision making and profiling.

Your rights in relation to automated processing– Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.

No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us assess your possible future health and care needs with you and we will discuss these with you.

The right to data portability

Your right to data portability you have the right to ask that we transfer the information you gave us from one organisation to another. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances

National data opt-out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.  Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

See the situations where the opt-out will not apply

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our organisation has reviewed the disclosures we make and is compliant with the national data opt-out policy.

OpenSAFELY COVID-19 Service

The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of COVID-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

Further information can be found on the NHS digital website.

Other ways we use your information

Call recording

All Telephone calls are routinely recorded for the following purposes:

• To make sure that staff act in compliance with Savile Town Medical Centre’s procedures.
• To ensure quality control.
• Training, monitoring and service improvement
• To prevent crime, misuse and to protect staff and patients

SMS Text messaging

When attending the Practice for an appointment or a procedure you may be asked to confirm that the Practice has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.

CCTV

We employ surveillance cameras (CCTV) on and around our practice in order to:

• protect staff, patients, visitors and Practice property
• apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
• provide a deterrent effect and reduce unlawful activity
• help provide a safer environment for our staff
• monitor operational and safety related incidents
• help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance

We will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal

Employee Notice

When you apply for a position within the Practice you will provide us with relevant information about you including:

1. Your contact details (such as your name and email address, including place of work and work contact details).
2. Employment history
3. Qualifications
4. Referee Details

During the recruitment and selection processes we will begin to add further information including:

• Copies of qualifications and certificates
• Pre-employment checks, including references, identity documents and right to work check information
• Publicly available information such as social media presence
• Selection information including correspondence, interview notes, results of any selection tests that you may be undertake

Following your appointment, we may add any other information you supply to us or is required as part of your employment such as revalidation information.

Information about you from others

Information may be provided about you from a number of sources during your recruitment and on-going employment with the Practice including:

• Disclosure and Barring Service disclosures, where applicable, which will tell the organisation about any criminal convictions you may have
• Referees providing confidential information about your suitability to the role
• Inter Authority Transfer (IAT) – Information held by your previous NHS employer
• Information from HM Revenue and Customs (HMRC) relating to your pay and employment
• Information about your right to work and visa applications
• Pension Information when transferring within the NHS
• Information from your manager and HR team relating to your performance, sickness absence and other work related matters
• Confirmation of your registration with a professional body

When do we share information about you

The Practice may disclose personal and sensitive information with a variety of recipients including:

• Our employees, agents and contractors where there is a legitimate reason for them receiving the information
• Current, past or potential employers of our staff to provide or obtain references
• Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process.
• Government departments and agencies where we have a statutory obligation to provide information (e.g. HMRC, NHS Digital, Department of Health and the Home Office)
• The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
• Third parties who work with us to provide staff support services (e.g. counselling)
• Crime prevention or detection agencies (e.g. the police, security organisations, department for works and pensions and local authorities)
• Internal and external auditors
• Debt collection and tracing agencies
• Courts and tribunals
• Trade union and staff associations
• Survey organisations for example for the annual staff survey

Any disclosures of personal data are always made on case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.

Legal Basis for processing your data

The Practice will only ever process your personal information where it is able to do so by law and using one of a number of legal basis available under the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).

The legal bases we use are as follows:

Special Category data (Sensitive Data including Health Records)

• Explicit consent
• Employment, social security and social protection (if authorised by law)
• Vital interests – Life and Death
• Made public by the data subject
• Legal claims or judicial acts
• Reasons of substantial public interest (with a basis in law)
• Health or social care (with a basis in law)
• Public health (with a basis in law)

For personal data

• Consent:the individual has given clear consent to process their personal data for a specific purpose.
• Contract:the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
• Vital interests: Life & Death
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Your Individual rights as an employee

You have certain rights with respect to the data held about you by the Practice.

These are:

• To be informed why, where and how we use your information
• To ask for access to your information
• To ask for your information to be corrected if it is inaccurate or incomplete
• To ask for your information to be deleted or removed where there is no need for us to continue processing it
• To ask us to restrict the use of your information
• To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information
• To object to how your information is used
• To challenge any decisions made without human intervention (automated decision making)

How we use the personal data about you

The Practice uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations. The purposes for which we may use staff data (including sensitive personal information) include:

• Process your recruitment application and correspond with you in relation to Practice vacancies
• Maintaining staff records
• Recruitment and selection
• Managing Human Resource employment matters (e.g. promotion, training and development, conduct, attendance, appraisals, management progress, grievances, misconduct investigations, disciplinary actions and complaints)
• Administering finance (e.g. salary, pension and staff benefits)
• Complying with visa requirements
• Providing facilities such as IT/system access, library services and car parking
• Monitoring equal opportunities
• Preventing and detecting crime, such as using CCTV and using photo’s on ID badges
• Providing communication about the Practice, news and events
• Maintaining contact with past employees
• Provision of wellbeing and support services
• Compliance with legal obligations such as making external/statutory returns to NHS England, sharing information with HMRC
• Carrying out research, surveys and statistical analysis (including using third party data processors to carry out the national staff survey)
• Carrying out audits

The Practice processes sensitive personal data for a number of administrative purposes:

• Equal opportunities monitoring
• Managing Human Resources processes such as administering sick pay and sick leave, managing absence, administrating Maternity Leave and associated pay schemes
• Managing a safe environment and ensuring fitness to work
• Managing obligations under Equal Opportunities Legislation
• Provision of Occupational Health and Wellbeing service to individuals
• Payment of trade union membership fees

How long are records retained

All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.

The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

Freedom of Information

The Freedom of information Act 2000 provides any person with the right to obtain certain information held by the Practice, subject to a number of exemptions. If you would like to request some information from us, please contact us.

Please note: if your request is for information we hold about you (for example, your health record), please instead see above, under “How You Can Access Your Records”.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at admin.saviletownmedicalcentre@nhs.net or contact us on 01924 461124.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:

Information Commissioner’s Office

Wycliffe House,  Water Lane

Wilmslow, Cheshire. SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Date of last review

This privacy notice was reviewed and updated in August 2025.

This practice considers aggressive behaviour to be any personal, abusive and/or aggressive comments, cursing and/or swearing, physical contact and/or aggressive gestures.

The practice will not tolerate this kind of behaviour from anyone, and could result in the patient being removed from the practice list. This includes anyone who is aggressive or abusive towards a doctor, member of staff, other patient, or who damages property.

All instances of actual physical abuse on any doctor or member of staff, by a patient or their relatives will be reported to the police as an assault.