GDPR Policy

Gladstones Clinics Ltd needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. Such data is collected from employees, customers, suppliers and clients and includes (but is not limited to) name, address, email address, date of birth, IP address, identification numbers, private and confidential information, sensitive information and bank/credit card details.

In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations; however, we are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and any other relevant data protection laws and codes of conduct (herein collectively referred to as “the data protection laws”).

We are committed to ensuring that all personal data processed by the Company is done so in accordance with the data protection laws and its principles, along with any associated regulations and/or codes of conduct laid down by the Supervisory Authority and local law. We ensure the safe, secure, ethical and transparent processing of all personal data and have stringent measures to enable data subjects to exercise their rights.

As we employ fewer than 250 staff, we only need to document processing activities that:

  • Are more than a one-off occurrence or something we do rarely;
  • Are likely to result in a risk to the rights and freedoms of data subjects; and
  • Involve special categories of personal data or criminal conviction and offence data.

The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.

PURPOSE

The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory requirements under the data protection laws and to ensure that all personal and special category information is processed compliantly and in the individuals’ best interest.

The data protection laws include provisions that promote accountability and governance and as such the Company has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is ultimately to minimise the risk of breaches and uphold the protection of personal data. This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal data and data subject requests.

SCOPE

This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
NATIONAL DATA PROTECTION LAW

As the Company is in the UK, we are obligated under the GDPR and the UK’s Data Protection Bill that implements the GDPR into UK law. Our data protection policies and procedures adhere to both the GDPR and Data Protection Bill requirements, as applicable to our business type.
GENERAL DATA PROTECTION REGULATION (GDPR)

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was approved by the European Commission in April 2016 and will apply to all EU Member States from 25th May 2018. As a ‘Regulation’ rather than a ‘Directive’, its rules apply directly to Member States, replacing their existing local data protection laws and repealing and replacing Directive 95/46/EC and its Member State implementing legislation.

As the Company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and destroy it, only in compliance with its rules and principles.
PERSONAL DATA

Information protected under the GDPR is known as “personal data” and is defined as:

“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The Company maintains a Data Asset Register which records all forms of data retained by the company and specifies the lawful purpose for processing this data, how it is safeguarded and how long it is retained. We have also mapped the flow of client data.

The company does not process biometric or genetic data.
THE GDPR PRINCIPLES: COMPLIANCE

In line with Article 5 of the GDPR, Gladstones Clinic ensures that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Registered Manager shall act as data controller and, in line with Article 5(2), ‘the controller shall be responsible for, and be able to demonstrate, compliance with the data protection laws’ principles’.

LEGAL BASIS FOR PROCESSING (LAWFULNESS)

At the core of all personal information processing activities undertaken by the Company is the assurance and verification that we are complying with Article 6 of the GDPR and our lawfulness of processing obligations. Prior to carrying out any personal data processing activity, we identify and establish the legal basis for doing so and verify it against the regulation’s requirements to ensure we are using the most appropriate legal basis.

The legal basis is documented in the Data Asset Register. Data is only obtained, processed or stored when we have met the lawfulness of processing requirements, where:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which we are subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
  • Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child).
RISK MANAGEMENT

Gladstones Clinic maintains a risk assessment which is reviewed every twelve months, supported by information provided by our external IT support provider, Impact Solutions. As we do not embark upon major projects or make use of automated decision making, have no special category data, and do not carry out profiling or tracking, we do not consider it necessary to conduct Data Protection Impact Assessments.
DATA RETENTION & DISPOSAL

The Company has defined procedures for adhering to the retention periods as set out by the relevant laws, contracts and our business requirements, as well as adhering to the GDPR requirement to only hold and process personal information for as long as is necessary. All personal data is disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and prioritises the protection of the personal data in all instances.
PRIVACY NOTICE

The Company defines a Privacy Notice as a document, form, webpage or pop-up that is provided to individuals at the time we collect their personal data (or at the earliest possibility where that data is obtained indirectly).

Our Privacy Notice meets the requirements of Article 13 (where data is collected directly from the individual) or Article 14 (where it is not collected directly) and provides individuals with all the necessary and legal information about how, why and when we process their data, along with their rights and obligations.

We have a link to our Privacy Notice on our website and provide a copy in physical and digital formats upon request. The notice is the customer-facing policy that provides the legal information on how we handle, process and disclose personal information.
EMPLOYEE PERSONAL DATA

As per the data protection law guidelines, we do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information disclosure and are aware of how we process their data and why.

All employees are provided with our Staff Handbook, which informs them of their rights under the data protection laws and how to exercise these rights, and are provided with a Privacy Notice specific to the personal information we collect and process about them.

SUBJECT ACCESS REQUEST

Where a data subject asks us to confirm whether we hold and process personal data concerning him or her and requests access to such data, we provide them with:

  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed;
  • Whether the data has been or will be disclosed to third countries or international organisations, and the appropriate safeguards pursuant to the transfer;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
  • The right to lodge a complaint with a Supervisory Authority;
  • Where personal data has not been collected by the Company from the data subject, any available information as to the source and provider.

Subject Access Requests (SAR) are passed to the Registered Manager as soon as received and a record of the request is noted. The type of personal data held about the individual is checked against our Data Asset Register to see what format it is held in, who else it has been shared with and any specific timeframes for access.

SARs are always completed within 30 days and are provided free of charge. Where the individual makes the request by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested. In response to an SAR we are able to offer personal access, correction where necessary and erasure where permissible.

Please refer to our external Subject Access Request Procedures for the guidelines on how an SAR can be made and what steps we take to ensure that access is provided under the data protection laws.

CORRECTING INACCURATE OR INCOMPLETE DATA

Pursuant to Article 5(d), all data held and processed by the Company is reviewed and verified as being accurate wherever possible and is always kept up to date. Where notified of inaccurate data by a third party, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them. If we identify that any of our data is inaccurate, an incident report is completed and passed to the Registered Manager, who will conduct a full investigation and ensure the inaccuracy is rectified.

Staff who manage and process personal or special category information will be provided with data protection training and will be subject to continuous development support and mentoring to ensure that they are competent and knowledgeable for the role they undertake.
REPORTING BREACHES

Gladstones Clinic must notify its supervisory authority, the ICO (Information Commissioner’s Office), of a data breach within 72 hours of becoming aware of it.

When a breach is first identified, an incident report form is completed and passed to the Registered Manager. The Registered Manager will complete a full investigation before reporting to the ICO.

By ‘breach’ we are referring to cyber attacks or any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

As this definition suggests, data breaches are not always the result of a criminal hacker breaking into our systems. They are just as likely to occur when an employee accidentally sends personal information to the wrong person, loses a laptop containing personal data, or fails to password-protect an online database.

All of these scenarios are subject to the GDPR’s data breach reporting requirements and require us to notify the ICO.


REVIEW HISTORY

Date        Reviewed by   Changes      Next Review
1.12.23     SC            No Changes   Dec 24
16.12.24    CE            No Changes   Dec 25