Data Protection Law has changed
On the 25th May 2018 the General Data Protection Regulation, known as GDPR, came into effect. GDPR imposes additional obligations on organisations and gives you extra rights around how your data is used.
Thames Avenue Surgery asks you for information about yourself so that we can give you appropriate care and treatment. This information is kept, together with details of the care you have received, because it may be needed if we have to see you again.
Your information is not only used to guide and administer the care you receive; it is also used to help look after the health of the general public, to audit NHS services, to investigate complaints and to make sure our services can meet patient needs in the future.
Everyone working for the NHS has a legal duty to keep your information confidential, and anyone who receives that information from us is also under a legal duty to keep it confidential.
We have now published new Privacy Notices to give you more information on the data we hold on you, what we do with that data, who we share your data with and your new rights under the GDPR.
You can view our Privacy Notices here or alternatively you can request a copy from us directly.
Direct Care (Routine Care and Referrals) Privacy Notice
Direct Care (Emergencies) Privacy Notice
Summary Care Record Privacy Notice
National Screening Programme Privacy Notice
Public Health Privacy Notice
Research Privacy Notice
Care Quality Commission Privacy Notice
Payments Privacy Notice
NHS Digital Privacy Notice
Commissioning, Planning, Risk Stratification & Patient Identification Privacy Notice
Safeguarding Privacy Notice
Data Protection Impact Assessment (DPIA)
The DPIA is the most efficient way for Thames Avenue Surgery to meet its data protection obligations and the expectations of its data subjects.
In accordance with Article 35 of the GDPR, a DPIA should be undertaken where:
- A type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. In that case the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
- Extensive processing activities are undertaken, including large-scale processing of personal and/or special data.
DPIAs are to include the following:
- A description of the process, including the purpose
- An evaluation of the need for the processing in relation to the purpose
- An assessment of the associated risks to the data subjects
- Existing measures to mitigate and control the risk(s)
- Evidence of compliance in relation to risk control
It is considered best practice to undertake DPIAs for existing processing procedures to ensure that Thames Avenue Surgery meets its data protection obligations. DPIAs are classed as “live documents” and processes should be reviewed continually. As a minimum, a DPIA should be reviewed every three years or whenever there is a change in a process that involves personal data.
Publishing our DPIAs helps to foster trust in our handling of personal data, and demonstrates accountability and transparency. You can view our DPIAs below or request a copy from us directly.
DPIA_MEDICAL INTEROPERABILITY GATEWAY
DPIA_DIABETIC EYE SCREENING