At Deanbrook Practice Limited, we respect and value your privacy, and are committed to protecting your personal data.

When Deanbrook Practice Limited processes your personal data, it is required to comply with the Data Protection Act 2018 (“DPA”) and the UK GDPR (the DPA and UK GDPR are together referred to as the “Data Protection Legislation”).

Your personal data includes all the information we hold that identifies you or is about you, for example, your name, NHS number, email address, postal address, telephone number, date of birth, NHS registered GP, location data and in some cases opinions that we document about you; as well as special categories of data, including but not limited to, medical and health records and information about your religious beliefs, ethnic origin, race and sexual orientation. Also, transaction data which includes details about payments to and from you and other details of products and services you have purchased from us.

We collect information about you in the form of a questionnaire once you have confirmed your appointment. This will be sent to you by secure email and will be returned directly to your patient record once completed. If you contact us by telephone, email or text message, a record will be kept of that correspondence or conversation.

Everything we do with your personal data counts as processing it - including collecting, storing, amending, transferring and deleting it. We are, therefore, required to comply with the Data Protection Legislation to make sure that your information is properly protected and used appropriately.

This privacy policy provides information about the personal data we process, why we process it and how we process it.

Our responsibilities

Deanbrook Practice Limited is the data controller of the personal data you provide. Dr Alison Johnstone will have the day-to-day responsibility for ensuring that we comply with the Data Protection Legislation and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.

What personal data do we process about you?

Most personal information we process is provided to us directly by you so we can communicate with you and inform or remind you about appointments, deliver the correct service to you, conduct a thorough and accurate assessment and invoice you for the services we provide you.

We process your personal data to provide you with the services you have requested and to fulfil the contract we have entered with you. We may also process your personal data to respond to any queries or comments you submit to us and to correspond with you on a day-to-day basis.

We may also process your personal data where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests or where we need to comply with a legal or regulatory body.

Your information will be shared with appropriate staff members working at Deanbrook Practice Limited and they understand their legal obligation to follow practice procedures regarding confidentiality. We may also share your information with your NHS GP or external medical professionals that we are referring you to. We will ask for your consent to do this.

There may be situations when we need to share information such as, when there is a legal obligation for us to do so or when the information may pose risk of harm to you the patient, or risk of harm to a child or another adult. We will discuss such a proposed disclosure with you unless we believe that to do so may increase the level of risk to you or someone else.  

How we store your personal information?

Your information is stored securely in the following forms –

- Patient information is stored in our clinical software system Semble. This is a secure password protected database which is compliant with General Data Protection Regulations.

- Paper based patient records are kept to a minimum and stored in a locked filing cabinet.

- Sensitive personal information will only be sent to patients by email if they have given prior consent for us to do so. All documents will be password protected.

- Any computers or mobile devices containing personal information are password protected or protected with a passcode/thumbprint scanner.

- Access to your personal information is restricted to you the patient or those concerned with your care, and you have given prior consent.

- Data is backed up regularly.  

If you contact us via phone, text or email we will keep this information in an online filing system which is compliant with General Data Protection Regulations. Information is retained in line with Department of Health recommendations.

How long will we keep your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate period for retaining personal data we consider the type, amount and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Following the end of the relevant retention period, your files and the personal data covered by the retention period will be permanently deleted or destroyed.

What are your rights?

You benefit from several rights in respect of the personal data we hold about you. We have summarised the rights which may be available to you below, depending on the grounds on which we process your data. More information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide- to-the-general-data-protection-regulation-gdpr/individual-rights/). These rights apply for the period in which we process your data.

Access to your data

You have the right to ask us to confirm that we process your personal data, as well as having the right to request access to/copies of your personal data. You can also ask us to provide a range of information, although most of that information corresponds to the information set out in this privacy policy 

We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.

We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we will let you know.

Rectification of your data

If you believe personal data, we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we do not feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your request.

Right to be forgotten 

In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:

l Where we no longer need your personal data for the purpose for which we collected it.

l Where we have collected your personal data on the grounds of consent, and you withdraw that consent.

l Where you object to the processing, and we do not have any overriding legitimate interests to continue processing the data.

l Where we have unlawfully processed your personal data (i.e. we have failed to comply with UK GDPR); and

l Where the personal data must be deleted to comply with a legal obligation.

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.

Right to restrict processing

In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data, but we do not have to delete it. This right is available to you:

l If you believe the personal data, we hold is not accurate – we will cease processing it until we can verify its accuracy.

l If you have objected to us processing the data – we will cease processing it until we have determined whether our legitimate interests override your objection.

l If the processing is unlawful; or

l If we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim.

Data portability

You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you can transmit the personal data to another data controller. This right only applies to personal data you provide to us: 

l Where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and

l Where we carry out the processing by automated means. 

We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.

Right to object 

You are entitled to object to us processing your personal data:

l If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority.

l For direct marketing purposes (including profiling); and/or

l For the purposes of scientific or historical research and statistics.

To object, you must have grounds for doing so based on your situation. We will stop processing your data unless we can demonstrate that there are compelling, legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defense of legal claims.

Automated decision making

Automated decision-making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late a certain number of times (without any input from HR, for example).

We do not carry out any automated decision making using your personal data. 

Your right to complain about our processing

If you think we have processed your personal data unlawfully or that we have not complied with UK GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website: https://ico.org.uk/concerns/.

Any questions?

If you have any questions or would like more information about the ways in which we process your data, please contact:

Dr Alison Johnstone

Deanbrook Practice Limited

Candover Clinic

Aldermaston Road

Basingstoke

RG24 9NA

Secretary telephone: +447867768582

Email: healthcare@deanbrook.co.uk