Privacy Statement

• Privacy Notice

  This privacy notice explains how St Paul’s Clinic uses and protects your personal information.

  In this document, “we”, “our”, or “us” refers to St Paul’s Clinic.

  You can watch a short video explaining how your information is used in the NHS here:
  https://www.youtube.com/watch?v=bP1KxW9zG8E

  Introduction

  We keep records about your health and the care you receive. This helps us provide safe and effective treatment.

  We are committed to protecting your privacy and handling your information in line with:

  • UK GDPR
  • Data Protection Act 2018
  • NHS Wales requirements
  • Data Security and Protection Toolkit (DSPT) standards

  This notice explains what information we collect, how we use it, who we share it with, and your rights.

  Who is Responsible for Your Data

  St Paul’s Clinic is the Data Controller for your information.

  Our Data Protection Officer (DPO) is provided by Digital Health and Care Wales (DHCW).

  Our Caldicott Guardian is Dr Obilanade, who is responsible for ensuring your information is used appropriately and kept confidential.

  You can contact the practice if you have any queries about how your data is handled.

  How We Use Your Information

  We use your information to:

  • Provide you with healthcare
  • Manage and plan NHS services
  • Protect public health
  • Support clinical audit and quality improvement
  • Ensure the safe and effective running of the practice

  Your information may be held electronically, on paper, or both.

  Our Legal Basis for Processing

  We do not rely on consent to provide your care.

  We process your information under UK GDPR using:

  • Public task – providing NHS healthcare services
  • Legal obligation – meeting NHS and legal requirements
  • Health or social care purposes – diagnosis, treatment, and care management

  Where consent is required (for example, certain types of research), we will ask for it separately.

  What Information We Hold

  Your records may include:

  • Personal details such as name, address, date of birth and contact details
  • Medical history and clinical notes
  • Test results and investigations
  • Treatment and care information
  • Information received from other health or care providers

  How We Share Your Information

  We only share your information where it is necessary, lawful, and in your best interests.

  This may include sharing with:

  • Hospitals and specialist services
  • Pharmacies
  • Community and social care services
  • NHS Wales organisations
  • Digital Health and Care Wales (DHCW)

  We may also share information with approved organisations for planning and improving NHS services.

  All sharing is carried out securely and in line with data protection law.

  Systems We Use

  We use secure NHS-approved systems to manage your information and support your care. These include:

  • EMIS Web (clinical records system)
  • Accurx (communication with patients, including messages and online requests)
  • iPlato (patient messaging and appointment communication)
  • NHS Wales App services
  • Digital Health and Care Wales (DHCW) national systems

  These systems meet NHS security standards and are used to support safe and efficient care.

  Use of Technology and Automation

  We may use technology, including automated systems, to support how we deliver services.

  This may include:

  • Managing patient communications
  • Processing requests
  • Supporting clinical decision-making

  These systems are designed to support staff and improve efficiency. They do not replace clinical judgement.

  Where appropriate, these tools may use advanced technologies (sometimes referred to as artificial intelligence), but decisions about your care are always made by qualified healthcare professionals.

  We do not make solely automated decisions about your care.

  Vaccination and Public Health Programmes

  Your information may be used to support vaccination programmes and public health work.

  This includes:

  • Identifying patients who are eligible
  • Inviting patients for vaccination
  • Recording vaccinations
  • Monitoring uptake across the population

  Your information may be shared with NHS Wales and public health organisations for these purposes.

  More information is available here:
  https://www.nhs.uk/your-nhs-data-matters/

  Planning and Improving Services

  Your information may be used to help plan and improve NHS services.

  Where possible, this information is anonymised so that you cannot be identified.

  Your Rights

  You have the right to:

  • Access your personal information (Subject Access Request)
  • Request correction of inaccurate information
  • Object to certain uses of your data
  • Request restriction of processing in some circumstances

  To request access to your records, please contact the practice.

  National Data Opt-Out

  You can choose whether your confidential information is used for planning and research.

  You can set your preference here:
  https://www.nhs.uk/your-nhs-data-matters/

  Keeping Your Information Safe

  We take appropriate measures to protect your information, including:

  • Secure systems and encryption
  • Access controls and audit trails
  • Staff training and confidentiality agreements
  • Regular data security reviews in line with DSPT

  How Long We Keep Your Information

  We keep your records in line with NHS Records Management guidance.

  This means your records are usually kept for:

  • 10 years after death
  • Or 10 years after leaving the UK

  Complaints

  If you have any concerns about how your information is used, please contact the practice.

  You can also contact the Information Commissioner’s Office (ICO):
  https://ico.org.uk/concerns/

  Updates

  We may update this privacy notice from time to time. The latest version will always be available on our website.

   

Freedom of Information

The Freedom of Information Act gives the public the right to request access to information held by public organisations, including GP practices.

This applies to organisational information such as policies, procedures, and reports. It does not apply to personal data, such as patient records, which are covered under data protection law.

St Paul’s Clinic adopts the Information Commissioner’s Office (ICO) Model Publication Scheme. This means we make certain information routinely available to the public as part of our commitment to openness and transparency.

Requests for information must be made in writing and should include your name and a contact address, along with details of the information you are requesting.

If you would like to make a request, please contact the practice.

We aim to respond within the required timescales in line with the Freedom of Information Act.

More information is available from the Information Commissioner’s Office:
https://ico.org.uk/for-the-public/official-information/