North Staffordshire GP Federation
Privacy Notice (v1.0)
Valid From: July 2019
Valid To: June 2022
IDENTITY & CONTACT DETAILS OF THE CONTROLLER & THE CHIEF PRIVACY OFFICER
North Staffordshire GP Federation are committed to protecting and respecting your privacy whilst remaining compliant with The General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
North Staffordshire GP Federation are the Data Controller and have an appointed Data Protection Officer, Hayley Gidman, Head of Information Governance, Midlands and Lancashire CSU.
Any queries in regard to Data Protection issues should be addressed to her at:
Address: Heron House, 120 Grove Road, Fenton, ST4 4LX
Email: firstname.lastname@example.org / Tel: 01782 872648
PURPOSE OF THE PROCESSING AND THE LEGAL BASIS FOR THE PROCESSING
The North Staffordshire GP Federation collects and creates personal data for several different purposes:
- Recruitment and employment;
- Business development;
- Provision of services to our members; and
- Procurement of services
The legal basis for processing personal data for the purpose of recruitment and employment is the pursuit of our legitimate interests of developing our business (recruitment and selection) and subsequently in order to fulfil our legal obligations as an employer and our legitimate interest of striving to provide a safe and rewarding workplace. We will retain personal information we collect in the recruitment and selection process for up to two years following an application for employment which we receive either directly from you or via recruitment agencies. Further information about privacy and data retention is provided in our staff handbook for employees.
The legal basis for processing personal data for the purpose of business development is the pursuit of our legitimate interest in developing our business and undertaking sales and marketing activities. We acquire personal data from a number of sources including directly from data subjects, from referrals, and from our own research activities such as reviewing websites. We will retain personal information we collect through our processes for as long as we believe our products and services may be of interest to prospects, members and former members.
Provision of services to our members
The legal basis for processing personal data for the purpose of providing services to our members is either to fulfil our contractual obligations to members or the pursuit of related legitimate interests, including maintaining accurate records relating to accounting and finance and monitoring the quality of our services. We will retain personal information we collect through our service delivery processes for as long as such information is relevant to our service delivery model or as defined in our service delivery contract.
Procurement of services
The legal basis for processing personal data for the purpose of procurement is the pursuit of our legitimate interest in maintaining efficient and effective procurement processes. Personal data we collect from suppliers and prospective suppliers is usually supplied directly by the data subject or their employer. We will retain personal information we collect through our procurement processes for as long as we need to comply with accounting and taxation rules, policies and conventions.
We are required to obtain consent from individuals in order to send them unsolicited electronic marketing messages. We retain evidence of the details of consent which has been provided by our members to process their information in this manner.
LEGITIMATE INTERESTS OF THE NORTH STAFFORDSHIRE GP FEDERATION OR THIRD PARTY
The North Staffordshire GP Federation may use your information for other specific legitimate purposes such as:
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have either explicitly consented or we believe you have a legitimate interest.
- To carry out our obligations arising from any contracts entered between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
We do not sell, rent or lease member lists to third parties. However, we may share personal information with companies where we feel that there is a genuine possibility of your interest in their services. The lawful basis for this data sharing is the legitimate interest of the third party in developing and growing their business.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:
- Information that you provide by filling in forms on our site (nsgpfed.org.uk) or by corresponding with us by phone, email or otherwise. The information you give us may include:
  - Name and Company Name
  - Email address
  - Telephone numbers
- If you contact us, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- If you contact us via our Jobs page on our website, we may keep a record of any CVs and cover letters sent.
- Details of your visits to our website and the resources that you access.
In addition, for users of our service we will need to collect or access details relating to your medical history which may include your medical record. By visiting and using any of our services you are consenting to us using your personal and sensitive personal data in order for us to carry out our services and provide you with medical assistance and consultation. We do this under the following lawful basis to process without consent:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
In addition, as a health service provider and needing to know your medical history and to access your medical records, we also collect and use your sensitive personal data under the following provision:
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards set out in the regulations.
RECIPIENTS OF THE PERSONAL DATA
The North Staffordshire GP Federation are required to transfer the personal information provided by its members to third parties in order to fulfil contractual obligations. The following are categories of recipients that member information or personal data could be transferred to, with your consent or by strict agreement:
- External Service Providers sourced on behalf of our members
- Payment Providers
- Accountancy Services
- Corporate Partners that have referred you to North Staffordshire GP Federation
- NHS Trusts / Foundation Trusts
- GP Practices
- NHS Commissioning Support Units
- Clinical Commissioning Groups
- NHS England (NHSE) and NHS Digital (NHSD)
- Local Authorities
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
All information you provide to us is stored on our secure servers. However, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will not disclose your information to any of the relevant third parties listed above for marketing purposes.
Our Data Protection Officer can provide you with contact details of our third parties upon request if required.
DETAILS OF TRANSFERS TO THIRD COUNTRIES & SAFEGUARDS
North Staffordshire GP Federation do not store personal data on information systems that require transfer to third party countries. We ensure that all other personally identifiable information held on our members and employees remains within the EEA.
We retain all member information for 5 years after they last interacted with us unless:
- a) you ask us to remove it
- b) we believe that you are no longer interested in our business
- c) we no longer need it for the purposes it was collected.
Where there has been a period of 5 years and there has been no interaction between the organisation and the member, their information is erased and securely disposed of.
RIGHTS OF DATA SUBJECTS
As a Data Subject (individual) which North Staffordshire GP Federation process information on behalf of, you have the right to request access to, and the rectification or erasure of personal data that we hold about you as well as a right to object to and to a restriction of our processing of your personal data at any given time. You can do this by contacting our Data Protection Officer through the contact details provided on page 1 of this policy.
You also have a right to lodge a complaint with the Supervisory Authority (in the UK, the Information Commissioner's Office (ICO) at www.ico.org.uk), should you feel that we have not handled your information in line with legislative and regulatory requirements.
You have the right to make a Data Subject Access Request to the North Staffordshire GP Federation Data Protection Officer if you wish to determine what information we hold on you. We welcome these requests and aim to respond within the timeframes set out in the GDPR.
AUTOMATED DECISION MAKING, INCLUDING PROFILING & INFORMATION ABOUT HOW DECISIONS ARE MADE, THE SIGNIFICANCE OF THE CONSEQUENCES
We may collect information about your computer, including where available your IP address, geographic location (if you allow when prompted by your browser), operating system and browser type, for system administration when you access our website. We use this information for statistical data about our users’ browsing actions and patterns when they access our website.
In the event that you wish to alter your privacy settings or opt out, you are able to do this by emailing our Data Protection Officer. Our Data Protection Officer shall provide you with contact details of our third parties upon request if required.
We may send out email communication such as our newsletter to keep you up to date with all the latest news, projects and service updates from us. If you wish to unsubscribe from these emails you can do so at any time by contacting Lisa Dulson, Personal Assistant to the North Staffordshire GP Federation at Lisa.Dulson@northstaffs.nhs.uk.
Please note that even if you decide not to subscribe to, or to unsubscribe from, promotional email messages, we may still need to contact you with important member information. For example, even if you have unsubscribed from our promotional email messages, we will still send you confirmations when you confirm services from us.