Data Protection

Introduction

The Data Protection Act 1998 (DPA) requires a clear direction on Policy for security of information within the Practice. In addition, from 25th May 2018 the General Data Protection Regulation (GDPR) will apply to General Practice.

The policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.

The Policy

The Practice is committed to the security of patient and staff records. All staff are made and kept aware of the new legislation regarding the use of data.

The Practice has completed the Data Security and Protection Toolkit (DSPT) (see report).

All personal data held by the Practice should be documented, and key staff should know where it came from and who it can be shared with. GDPR accountability principles regarding policies and procedures that comply with data protection principles will be in place. There has been a review of seeking, recording and managing consent; all consent will be kept on file. From the age of 13 years a person can give consent regarding the processing of their data.

The Practice will make information on Access to Medical Records and Data Protection available for the information of patients. The lawful basis for processing data, the data retention period and the individual’s right to complain to the ICO need to be provided in concise, easy to understand and clear language. GDPR includes the following rights for individuals:

The patient will have the right: to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision making, including profiling. The patient will be able to access records within a 30-day period, and no fee may be charged for this service.

The Practice will take steps to ensure that individual patient information is not deliberately or accidentally released, or by default made available or accessible, to a third party without the patient’s consent, unless otherwise legally compliant. The right procedures will be in place to detect, report and investigate data breaches.

This will include training on Confidentiality issues, DPA principles, working security procedures, and the application of Best Practice in the workplace.

The Practice will exercise prudence in the use, and testing, of arrangements for the backup and recovery of data in the event of an adverse event.

The Practice will maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.

GDPR issues will form part of the Practice’s general procedures for the Management of Risk.

The Practice will have named data controllers and data users, and a data protection officer.

Specific instructions will be documented within the confidentiality and security instructions and will be promoted to all staff. The Practice will adopt a proactive privacy-by-design approach rather than a reactive privacy-impact-assessment approach.

To comply with future Data Protection and GDPR legislation, all Practice staff have undergone relevant and current staff training.

Version: 1.1

Date Reviewed: April 2025

Implementation Responsibility: Surjit Kaur and Dr Nishat Ahmad

References

NHS Register with a GP Surgery online service - Data protection impact assessment - NHS England Digital

GP mythbuster 85: Data security and protection – expectations for general practice - Care Quality Commission

Check the way you handle personal information meets the right standards - Care Quality Commission

How we monitor GP practices - Care Quality Commission

Cyber security and data protection

Safe data, safe care - Care Quality Commission

Understanding the state of cyber security in adult social care

NHS England » Cyber Security

Data Security and Protection Toolkit

Page last reviewed: 19 August 2025
Page created: 04 August 2021