Show Side Menu
English Version of Practice Booklet
Verion Cymraeg Llyfryn Ymarfer
NHS Direct Wales - 0845 46 47 - Galw IECHYD Cymru

Privacy Notice

We are a GP practice working in the Betsi Cadwaladr Health Board. We serve a practice population of 11800 + people across 1 site and employ a number of staff which include General Practitioners, Practice Nurses, Health Care Assistants and administration staff.

What is a privacy notice?

A Privacy Notice is a statement to patients, service users, visitors, carers, the public and staff that describes how we collect use, retain and disclose personal information which we hold. This is sometimes also referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy.

This privacy notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully.

Why issue a privacy notice?

Craig Y Don Medical Practice recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties. This notice is one of the ways in which we can demonstrate our commitment to our values and being transparent and open.

This notice also explains what rights you have to control how we use your information.

What are we governed by?

The key pieces of legislation/guidance are:

  • General Data Protection Regulations
  • Human Rights Act 1998 (Article 8)
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health & Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • The Re-use of Public Sector Information Regulations 2015
  • The Environmental Information Regulations 2004
  • Computer Misuse Act 1990
  • The Common Law Duty of Confidentiality
  • Information Security Management – NHS Code of Practice

Who are we governed by?

Why and how we collect information

Information which can be accessed, where there is a need, includes:

  • personal information, such as name, date of birth, gender;
  • allergies;
  • medication;
  • hospital admission, attendances and referral dates;
  • vaccinations and immunisations;
  • test results, including measurements such as blood pressure;
  • diagnoses (current and post problems);
  • treatment and medical procedures.
  • Telephone call recordings (kept for 2 months then destroyed)

How we use information

  • To help inform decisions that we make about your care
  • To ensure your treatment is safe and effective
  • To work effectively with other organisations who may be involved in your care
  • To support the health of the general public
  • To ensure our services can meet future needs
  • To review care provided to ensure it is of the highest standard possible
  • To train healthcare professionals
  • For research and audit
  • To prepare statistics on performance
  • To monitor how we spend public money

There is a huge potential to use your information to deliver care and improve health and care services across the NHS and social care. The information can be used to help:

  • Improve individual care
  • Understand more about disease risks and causes
  • Improve diagnosis
  • Develop new services
  • Improve patient safety
  • Evaluation of policy/procedures/pathways

It helps because

  • Accurate and up to date information assists us in providing you with the best possible care
  • If you see another healthcare professional, specialist from another part of the NHS, they can readily access the information they need to provide you with the best care possible.
  • Where possible, when using information to inform future services and provision, non-identifiable information will be used.

What information will be blocked from viewing?

No information will routinely be blocked from viewing unless you specifically ask for information to be hidden. For example, it may be possible to hide particularly sensitive information such as sexually transmitted diseases, termination of pregnancy, etc. from certain individuals. If you have any questions, please discuss this initially with your Practice Manager.

How will my information be kept secure and confidential?

Your GP medical record is stored on a secure computer system and access to it is strictly controlled. All of the practices within the cluster, and the local health board, will have signed an agreement to confirm that they will follow the strict controls in place around the computer system itself, and around any staff who are allowed to access the system. Everyone working within the cluster has a legal, contractual and professional duty to keep information about you secure and confidential.

Can I find out who has viewed my medical record?

Every time your electronic GP medical record is accessed an Audit log is created. These Audit logs are retained so if you are concerned that someone has inappropriately accessed your record, please discuss this initially with the Practice Manager.

Is there a danger someone else could hack into my record or that my information could be lost?

Contracts are in place with the supplier of the clinical computer systems to ensure that they have robust security measures installed. These measures will prevent any information from being accessed without permission, lost or accessed inappropriately by a third party.

Your right to withdraw consent

You have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you, which could include delays in you receiving care.

Contacting us about your information

Each practice has a senior person responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Calidicott Guardian. You can contact the Calidcott Guardian Dr Emmett at Craig Y Don Surgery. Sue Fairburn is the practice Data controller and the Data Protection officer is DHCW (Digital Health and Care Wales)

Your Rights under GDPR 

The General Data Protection Regulation (GDPR) includes a number of rights. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.

Right to be Informed

Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose. A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health. The practice has 28 days to action this from the date your initial request is received. (Please note during the increasing pressures of Covid 19 and staffing problems this may cause a delay,  however, we aim to keep you informed)

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to Erasure

(‘right to be forgotten’) You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data. 

Right to Restriction of Processing 

You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data. Right to Data Portability This right is only available where the legal basis for processing under the GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.

Right to Object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your object relates to marketing. Rights in relation to automated individual decision-making including profiling. 

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of Practices processing of personal data or believe that we are not meeting our responsibilities as a data controller.

The contact details for the Information Commissioner are:

 Information Commissioner’s Office

 Wycliffe House

 Water Lane,



Website: Tel: 0303 123 1113

Your NHS number, keep it safe

Every person registered with the NHS in England and Wales has their own unique NHS number. It is made up of 10 digits for example 123 456 7890.

Your NHS number is used by healthcare staff to identify you correctly. It is an important step towards improving the safety of your healthcare. To improve safety and accuracy always check your NHS number on correspondence the NHS sends to you.

If you don’t know your NHS number, ask at the Practice. You may be asked for proof of identify for example a passport of other form of identity. This is to protect your privacy.

For further information

If you would like additional information you can discuss the sharing of your medical records with the Practice Manager, Deputy Practice Manager, GP or any other member of the healthcare team.

Local Services, Let