Network Privacy and cookies policy

Introduction

This privacy policy describes how GPsurgery.net protects and makes use of the information held about you when you use the websites that we provide .

Each healthcare organisation using GPsurgery.net is responsible for their own privacy policy and should have it clearly displayed on their site, if this is not clearly displayed please contact their team.

If you are asked to provide information relating to this service, it will only be used as described in this privacy policy.

This privacy policy may be updated from time to time.  All updates and amendments are effective immediately, and we encourage you to review this policy often to stay informed of changes.

If you have any question about this policy or the data we hold about you, please contact dpo@gpsurgery.net

Who We Are

Dewar Green Limited (and the wholly owned subsidiary GPsurgerynet Limited), The Butchery, Ashford Road, St Michaels, Tenterden, Kent TN30 6PR

ICO Registration number Z2666032 and ICO Registration number ZB319547

You can contact us with queries

Via this website, by post at the above address, by telephone:  +44(0) 1580 762900 or via email dpo@gpsurgery.net

The information we collect and how we use it

GPsurgery.net is a data processor for all health care organisations using its platform, see below for information about how your data is used when it is submitted via forms.

The only information that we collect that is not controlled at the health care organisation level is for analytics. We will only share this data with the health care organisation responsible for that website, any third party that they may request ( this should be covered in their privacy statement ) and bodies of the NHS where this data might be used to monitor or improve services. As an organisation GPsurgery.net will not share this information with any other third parties.

To collect usage data we use Google Analytics.

The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system. This usage data may be processed for the purposes of analysing the use of the website and services to improve the user experience.

Our usage of your data for delivering GPsurgery.net services

We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters (“notification data“). The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters.

Providing your personal data to others

We hold your data on services run by GPsurgery.net. This includes sub processors that act on our written instruction as Data Controller.

  • Google Analytics for purposes of improving website navigation / providing information to relevant organisations in the NHS.

Retaining and deleting personal data

This Section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

We will retain your personal data as follows:

Your personal or company contact details will be retained for a minimum period of three years following the date you stop receiving services from us.

Security of personal data

Any data entered directly into our websites is stored in UK data centres ( Google does transfer visitor data and you can read more about this here ).  It is encrypted when stored at rest and in transit such as when you submit a form to us.

Access to information

In accordance with the Data Protection Act 2018 you have the right to access any information that we hold relating to you and Dewar Green Limited shall charge no fee for the processing of this request. You can make a request by emailing dpo@gpsurgery.net. If the nature of the request is unusually complex, way may write to you to explain this may delay our response. We may also charge a reasonable fee to complete the request in full if it is prohibitively time-consuming. We will explain these costs and will only be for the effort of meeting the data request.

Correcting your data

At any time, you may contact us to request your data be corrected if you believe it to be incorrect. To do so, contact us at dpo@gpsurgery.net and include who you are, and what type of data you believe needs to be corrected. To protect your data, as part of this activity we may need to ask you for identifying documents to confirm who you are.

Erasure of Data

Also known as “The Right to Be Forgotten”. You have a right to have your data erased if:

  • The personal data is no longer necessary for the purpose which we originally collected or processed it for;
  • We are relying on consent as our lawful basis for holding the data, and you withdraw your consent – we will specifically mention if we rely on consent;
  • We are processing the personal data for direct marketing purposes and you object to that processing – we will specifically mention if we will use your data for direct marketing;
  • We are determined to have processed the personal data unlawfully;

There may be times when we are unable to comply with your request, such as having to do it to comply with a legal obligation

To request erasure of your data, please contact your practice, and include the types of data about you that we need to erase, and the reason from the above list that you believe relates to the requirement for us to erase your data. To protect your data, as part of this activity we may need to ask you for identifying documents to confirm who you are.

Restriction of processing

You have the right to request that we restrict processing your data if:

  • You contest the accuracy of your personal data and we are verifying the accuracy of the data;
  • The data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
  • We no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim; or
  • You have objected to us processing your data under Article 21(1), and we are considering whether our legitimate grounds override yours.

To place such a request please email dpo@gpsurgery.net, and include the types of data about you for which we need to restrict processing. To protect your data, as part of this activity we may need to ask you for identifying documents to confirm who you are.

Objecting to processing

You have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling); and
  • Processing for purposes of scientific/historical research and statistics.

For an objection against the first point, you must provide a reason relating to your own situation that warrants an objection to the processing. In the case of legitimate reason, we must stop processing the personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the person objecting; or
  • The processing is for the establishment, exercise or defence of legal claims.

For an objection against processing for direct marketing, we must stop processing your data.

For an objection against processing for scientific/historical research and statistics, you must provide a reason relating to your own situation that warrants an objection to the processing. In the case of legitimate reason, we must stop processing the personal data unless the processing is necessary for the performance of a public interest task.

The object to processing, please email your request to dpo@gpsurgery.net, and include your objection, reason for objecting, and the types of data about you that you object to the processing of. To protect your data, as part of this activity we may need to ask you for identifying documents to confirm who you are.

Automated decision making

This notice identifies any instances of automated decision making that is related to the processing described.

How we respond to requests to exercise your rights to your personal data

We are required by law to comply with your requests. In certain circumstances, however, we have the right to reject such a request.

We may refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

In such a case that we consider a request is manifestly unfounded or excessive we can:

  • Request a “reasonable fee” to deal with the request; or
  • Refuse to deal with the request.

In either case we must justify your decision and will inform you of our reasons for doing so.

Any such fees will be based on the administrative costs of complying with your request. If we decide to charge a fee, we shall contact you promptly and inform you of such. We do not need to comply with the request until we have received the fee.

Lodging a complaint about handling of your data

If you believe you have an issue with how your data is being processed, we would encourage you to contact us first, putting your complaint in writing to dpo@gpsurgery.net. We will take any such complaints seriously and do our best to resolve them.

Under the EU General Data Protection Regulation 2016 you have the right to lodge a complaint with the supervisory authority (the organisation responsible for enforcing data protection in your country) applicable to you. If you are a UK resident, your supervisory authority is the Information Commissioner’s Office (or ICO). You can find more details about how to do this on the ICO’s website, here: https://ico.org.uk/concerns/

Cookies

About cookies

  • A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
    • Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
    • Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

Cookies that we use

  • You can view all cookies via each individual practice site. You will find a link to Cookies in the footer of all GPsurgery.net practice sites. If you have not chosen to opt out of Google Analytics then we may share this data with NHS organisations to help with their own service provision. We will not share this data with any other party unless requested by the practice.

Cookies used by our service providers

  • You can view all cookies used and detail on them via each individual practice site. You will find a link to Cookies in the footer of all GPsurgery.net practice sites.

Managing cookies

  • You can manage cookies via the practice website. You will find a link to Cookies in the footer of all GPsurgery.net practice sites.