GDPR/Privacy Policy

 


TaffVale Practice has a legal duty to explain how we use any personal information we collect about you as a registered patient at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.

 

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice, are unclear about how we process or use your personal information, or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer, DHCW DPO Support Services, at DHCWGMPDPO@wales.nhs.uk.

 

The main things the law says we must tell you about what we do with your personal data are:

  • We must let you know why we collect personal and healthcare information about you
  • We must let you know how we use any personal and/or healthcare information we hold about you
  • We need to inform you in respect of what we do with it
  • We need to tell you about who we share it with or pass it on to and why
  • We need to let you know how long we can keep it for

 

What is a privacy notice?

A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulations (UK GDPR).

 

Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with patients’ personal information. This means that the practice must:

  • Have lawful and appropriate reasons for the use or collection of personal data
  • Not use the data in a way that may cause harm to the individuals (e.g., improper sharing of their information with third parties)
  • Be open about how the data will be used and provide appropriate privacy notices when collecting personal data
  • Handle personal data in line with the appropriate legislation and guidance
  • Not use the collected data inappropriately or unlawfully

 

What is fair and lawful processing?

Under data protection legislation, personal data, including special category data, must be processed fairly and lawfully. Processing broadly means collecting, using, disclosing, sharing, retaining or disposing of personal data or information.

For the processing to be fair, NHS Wales organisations must be open and transparent about the way they process personal data by informing individuals using a variety of methods. The most common way to provide this information is in a privacy notice.

TaffVale Practice manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in Wales such as the Healthcare Inspectorate and the General Medical Council.

 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • UK General Data Protection Regulations 2016
  • UK Data Protection Bill
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Computer Misuse Act
  • Audit Commission Act
  • Regulation of Investigatory Powers Act
  • The National Health Service (General Medical Services Contracts) (Wales) Regulations 2004
  • NHS (Wales) Act 2006
  • Information: To Share or Not to Share Review

 

This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.

The healthcare professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g., NHS Hospital Trust, GP surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

 

NHS health records may be processed electronically, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

 

What is special category data?

Special category data refers to the types of personal data that are defined by data protection legislation as relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, sexual orientation, genetic and biometric data where processed to uniquely identify an individual. Some special category data is also protected by legislation separate to the data protection legislation. For example, information relating to certain sexually transmitted diseases is subject to separate legislative provisions in certain circumstances.

Who is the data controller?

TaffVale Practice is registered as a data controller under the Data Protection Act 2018. Our registration number is Z5251142 and our registration can be viewed online in the public register at www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately when you are seen by us as a patient.

 

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

 

What information do we collect about you?

We will collect information such as personal details, including NHS number, National Insurance number, name, date of birth, address, gender, information (such as your entitlement to benefits) that indicates your eligibility to receive a service free of charge, your health records, treatment and medications, test results, X-rays, NHS prescriptions that you had dispensed in Wales etc. and any other relevant information to enable us to deliver effective medical care.

 

How we will use your information

Primary Care Services works on behalf of Health Boards to reimburse the following for providing NHS services to patients:

  • GP practices
  • Community pharmacies
  • Opticians
  • Dentists

To calculate and validate payments to GP practices under the terms of the contract that they enter with NHS Wales, we need to know:

  • The number of patients who are registered with a practice
  • Their age and gender
  • Where they live
  • Their eligibility to receive specific services

To calculate and validate payments to community pharmacies, opticians and dentists for providing NHS services, we need to know one or more of the following:

  • The name, age and gender of the patient receiving the service
  • Where they live
  • Their eligibility to receive specific services

NHS Wales organisations are in some circumstances required by law to disclose information. Examples include, but are not limited to, information requested under Data Protection legislation, Access to Health Records legislation, the Freedom of Information Act and the Environmental Information Regulations.

Processes must be in place for disclosure under these circumstances. Where required, advice should be sought from the practice’s information governance department.

NHS Wales also uses relevant information about your health to help to improve NHS Wales’ services and public health. Information will only be used or passed on to others involved in your care if they need it. Whenever your information is used for your care, it will be handled in the strictest confidence. NHS Wales will not normally disclose your personal information without your consent, unless it is in your best interests or required by law.[1] 

 

Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR. 

 

Sharing personal data

The Wales Accord on the Sharing of Personal Information (WASPI) Framework provides good practice to assist organisations to share personal data effectively and lawfully. WASPI is utilised by organisations directly concerned with the health, education, safety, crime prevention and social wellbeing of people in Wales.

NHS Wales organisations will use the WASPI Framework for any situation that requires the regular sharing of information outside of NHS Wales wherever appropriate. Advice must be sought from the information governance department in such circumstances.

Formal Information Sharing Protocols (ISPs) or other agreements must be used when sharing information between external organisations, partner organisations and external providers. ISPs provide a framework for the secure and confidential obtaining, holding, recording, storing and sharing of information. Advice must be sought from the information governance department in such circumstances.

Personal data may need to be shared externally on a one-off basis in the event of an emergency, where an ISP or equivalent sharing document does not exist. The sharing of such information must be formally documented with a clear, justifiable purpose, and processed securely.

Maintaining confidentiality and accessing your records

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the Confidentiality Code of Practice for Health and Social Care in Wales. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

 

All our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role, and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for TaffVale Practice, an appropriate contract (Article 24-28) will be established for the processing of your information.

 

We always maintain our duty of confidentiality to you. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (information to share or not to share) where “the duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

 

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK GDPR and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the practice in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

 

 

Sharing your information without consent

We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:

 

  • Where there is a serious risk of harm or abuse to you or other people
  • Safeguarding matters and investigations
  • Where a serious crime, such as assault, is being investigated or where it could be prevented
  • Notification of new births
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • Where a formal court order has been issued
  • Where there is a legal requirement, for example if you had committed a road traffic offence.

 

Third party processors

To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

 

  • Companies that provide IT services and support, including our core clinical systems, systems that manage patient facing services (such as our website and service accessible through the same), data hosting service providers, systems that facilitate appointment bookings or electronic prescription services and document management services etc.

 

  • Further details regarding specific third-party processors can be supplied on request to the DPO as below.

 

Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.

 

Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual, and it cannot be traced back to you.

 

Audit

Auditing of clinical notes is done by TaffVale Practice as part of its commitment to the effective management of healthcare whilst acting as a data processor.

 

Article 9.2.h is applicable to the management of healthcare services and “permits processing necessary for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.” No consent is required to audit clinical notes for this purpose.

 

Furthermore, compliance with Article 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person who is subject to an obligation of secrecy.

 

Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. Requiring consent for every patient reviewed would be realistically impossible and is unnecessary.

 

Computer system

This practice operates a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication.

 

To provide around the clock safe care, unless you have asked us not to, we will make information available to our partner organisations. Wherever possible, their staff will ask your consent before your information is viewed.

 

NHS Wales health checks

Cohorts of our patients aged 40 to 74 are eligible to be invited for an NHS Health Check. This could be for conditions such as diabetic eye screening, cervical screening, bowel cancer etc. Nobody outside the healthcare team at TaffVale Practice will see confidential information about you during the invitation process.

 

Patient communication

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details.

 

We may contact you using SMS texting to your mobile phone should we need to notify you about appointments and other services that we provide to you involving your direct care. This is to ensure we are certain that we are contacting you and not another person. As this is operated on an ‘opt out’ basis, we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number. Please let the practice know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.

 

Safeguarding

The practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.

 

Our legal basis for processing for UK GDPR purposes is:

 

  • Article 6(1)(e) ‘…exercise of official authority…’.

 

For the processing of special categories data, the basis is:

 

  • Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

 

Safeguarding information such as referrals to safeguarding teams is retained by TaffVale Practice when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

 

Shared care

To support your care and improve the sharing of relevant information with our partner organisations (as above) when they are involved in looking after you, we will share information with other systems.

 

You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

 

Risk stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected from a number of sources, including TaffVale Practice. This information is processed electronically and given a risk score which is relayed to your GP, who can then decide on any necessary actions to ensure that you receive the most appropriate care.

 

Telephone system

Our telephone system records all telephone calls. Recordings are retained for up to 6 months and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training. Access to these recordings is restricted to June Hunt and Jayne Taylor-Lloyd.

 

Practice website

Our website uses cookies to optimise your experience. You have the option to decline the use of cookies on your first visit to the website. The only website this privacy notice applies to is the TaffVale Practice website.

 

If you use a link to any other website from the practice’s website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

Invoice validation

Your information may be shared if you have received treatment to determine which local health board is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially. It will not be used for any other purpose or shared with any third parties.

 

Opt-outs

You have a right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information outside this practice.

 

Retention periods

Your healthcare records will be retained in accordance with the Welsh Government Records Management Code of Practice for Health and Social Care 2022. Further details can be obtained via the link or at www.gov.wales.

 

Your rights as a patient

Individuals have certain rights regarding the processing of their personal data. NHS Wales practices must ensure that appropriate arrangements are in place to manage these rights. Staff must follow their organisational procedures and guidance to ensure requests relating to individual rights are managed appropriately.

You have a right to access the information we hold about you and, if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.

What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

 

  1. Contact the practice’s data controller via email at taffvale.general@wales.nhs.uk. GP practices are data controllers for the data they hold about their patients.
  2. Write to the data controller at Taffvale Practice, Duffryn Road, Rhydyfelin, Pontypridd, RCT, CF37 5RW
  3. Ask to speak to the Reception Team Leader, Mrs Shirley Farrant, or Mrs June Hunt, Operations Manager

 

The Data Protection Officer for TaffVale Practice is DPO Support Services based at Digital Health Care Wales.

 

Complaints

In the unlikely event that you are unhappy with any element of our data processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.

 

Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy is to be reviewed in January 2026.

 


