Show Side Menu
To view, print or save our practice booklet, click here
Who Should I See?
NHS 24 - Call us free on 111
Follow Us On Facebook

Data Protection Policy


The Braehead Practice is required by law to comply with the Data Protection Act 1998 (DPA) which came into force on 01 March 2000 and was set up to establish a framework of rights and duties in order to protect all living individual’s personal data. This framework balances the needs of the organisation to collect and process personal data for clearly defined purposes with the rights of individuals to confidentiality.

The EU General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018 introduces a new legal framework with some new and different requirements, which extends the rights and protections for individuals.

The Braehead Practice is committed to ensuring that all employees comply with the DPA and GDPR in order to safeguard the confidentiality of any personal data held by us, regardless of format.

We need to collect, process and keep certain information about our patients, employees and stakeholders to conduct our business operations. In order to comply with data protection law, we must ensure that personal information is collected and used fairly, stored safely and not disclosed to any personal unlawfully. To do this, we will comply with the principles of the DPA and the GDPR.

We are committed to meeting our obligations under the law regarding data protection and confidentiality. Consequences of non-compliance can include loss of reputation, loss of public and stakeholder trust, substantial fines and criminal proceedings against the organisation and individuals. It is important to note that individual employees may be identified as criminally liable for a breach of data protection law, whether this is deliberate or through negligence.

Purpose and Scope

The purpose of this policy is to set out the Braehead Practice’s obligations in relation to data protection law to demonstrate our commitment to compliance with it. The policy aims to fulfil the requirement for fair and lawful processing of personal data in the records which the Braehead Practice creates and receives in the course of administering its own business, and in the records of organisations and private individuals deposited with us for historical purposes.

The policy relates to all staff and applies to all records regardless of format or medium, including paper, electronic, audio, visual, microform and photographic. It should be read alongside our information management and security policies and procedures..

Data Protection Principles

Schedule 1 of the DPA outlines 8 principles which underpin the handling of personal data. In order to achieve compliance, we must ensure that:

  1. Personal data shall be processed fairly and lawfully and in particular, shall not be processed unless certain conditions are met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

However some requirements do not apply when personal data are processed only for research, statistical or historical purposes.

Article 5 of the GDPR requires compliance with the follow principles. Personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;

  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

  3. Adequate, relevant and limited to what is necessary in relation to the purposes which they are processed;

  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;

  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

  6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisation measures.

Definitions of Personal Data

Under the DPA “personal data” is defined as data which relate to a living person who can be identified:

  1. from those data, or

  2. from those data and other information which is in the possession of, or is likely to come into the possession, of the data controller”

This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Stricter conditions apply to the processing of “sensitive personal data”. Under section 2 of the DPA, “sensitive personal data” is defined as personal data consisting of information as to:

  1. the racial or ethnic origin of the data subject;

  2. their political opinions;

  3. their religious beliefs or other beliefs of a similar nature;

  4. whether they are a member of a trade union;

  5. their physical or mental health or condition;

  6. their sexual life;

  7. the commission or alleged commission by them of any offence;

  8. any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings

Under the GDPR the definition of personal data is more detailed and has been expanded to include a wide range of personal identifiers, reflecting changes in technology and the way organisations collect information about people. For example, online identifiers like IP addresses can be personal data

“Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

The GDPR replaces the term “sensitive personal data” with processing of special categories of personal data:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.

Policy Statement and Commitment

In order to fulfil our obligation under data protection law, the Braehead Practice is committed to:

  • Making data subjects aware when collecting personal data about them and outlining the ways in which that information will be used

  • Observing fully conditions regarding the fair collection and use of information;

  • Meeting our legal obligations to specify the purposes for which information is used;

  • Collecting and processing appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirement;

  • Retaining records only for as long as they are needed;

  • Ensuring that people about whom we hold information can exercise their rights fully under the DPA and GDPR;

  • Taking appropriate technical and organisational security measures to safeguard personal information;

  • Ensuring that personal information is not transferred abroad without suitable safeguards.

With exemptions, where appropriate for personal data which are processed only for research, statistical or historical purposes.

This is achieved through;

  • The use of privacy notices to inform data subjects wherever collection of personal information takes place outlining the purposes for which it will be used, who it will be shared with, how it will be securely retained and how individuals may access it;

  • Notification with the Information Commissioner of all processing of personal data with the Braehead Practice (our notification number is ZA184541);

  • The identification of a Data Protection Officer as having specific, operational responsibility for data protection in the Braehead Practice

  • The regular review and operation of comprehensive procedures for the management and security of all Braehead Practice records, regardless of media or format;

  • The quick and efficient handling of subject access requests;

  • Informing staff of their responsibilities when accessing personal data and ensuring they have signed and understood the Braehead Practice Confidentiality Statement

  • The delivery of training for all practice staff in information management, security, governance and compliance, to ensure that every member of staff understands their responsibility under data protection law

  • The review and consolidation of retention and disposal schedules for all practice records to ensure information is only retained for as long as it is required;

  • The regular monitoring, review and Audit of the way in which personal information is collected, stored and used by the Braehead Practice.

Also, where and when appropriate, Braehead Practice staff will:

  • Share information in line with the Information Commissioner’s Data Sharing Code of Practice and establish data sharing agreements with 3rd parties, outlining the terms under which information will be shared;

  • Complete privacy impact assessments in order to assess privacy risks to individuals in the collection, use and disclosure of personal information

  • Carry out privacy compliance checks to assess compliance with data protection law;

  • Actively communicate privacy notices when collecting sensitive information, collecting personal data for unexpected or potentially objectionable purposes; processing information in a way which my be significantly affect an individual, or sharing information with another organisation which would be unexpected;

  • Include within privacy notices and at other times their personal information may be collected or processed, make visible the Information Commissioner’s Information signpost.

  • Engage the Information Commissioner’s Office directly in policy and process discussion touching on privacy, data sharing and other data protection issues.

Roles and Responsibilities

All staff within the Braehead practice must comply with the principles set out in this policy. Breaches of this policy and therefore data protection laws may lead to disciplinary action, in line with Scottish Governments ‘Civil Service Code’ and associated disciplinary procedures. Colleagues must familiarise themselves with, and follow this policy and the supporting codes of practice, ensure that procedures for the collection and use of personal data is complied with in their area, and familiarise themselves with the implication of data protection in their job.

The Practice Manager as data controller for the Braehead Practice has primary responsibility or ensuring that all collection and processing of personal data within the organisation complies with data protection law and principles. The Data Protection Officer has responsibility for identifying and publicising responsibilities for Data Protection within the Braehead Practice, in accordance with this policy.

The partners of the Braehead Practice regard the lawful and correct treatment of personal information as of vital importance to successful business operations and to maintaining confidence in our relationships with stakeholders. The Partners will also have to make provision for a regular review of this policy and investigate modifications when necessary.

The Braehead Practice Data Protection Officer must ensure that the Practice Data Protection notification, Data Protection Policy, Data Protection Code of Practice are all kept up to date, support all members of staff to comply with their obligations under data protection law, issue guidance and training and monitor and report on the proper functioning of data protection systems.

Line managers must ensure that staff with specific data protection responsibilities have these written into their job descriptions and fulfil their data protection responsibilities properly and all staff undertake mandatory data protection training.

Legislative Framework

Compliance with this policy will help facilitate compliance with the following acts, regulations and standards.

  • Data Protection Act 1998

  • EU General Data Protection Regulation

  • Human Rights Act 1998

  • Freedom of Information (Scotland) Act 2002

  • Equality Act 2010

Relationship to other Braehead Practice Policies

This policy forms part of the Braehead Practice’s overall framework but specifically relates to the following policies and procedures

  • Information Security Policy

  • Security Incident Reporting Procedure

  • Records Disposal Policy

  • Data Handling and Management Policy

  • Retention and Disposal Schedule

Monitoring and Review

Compliance with this policy and related standard and guidance will be monitored by the Practice’s Data Protection Officer. It will be reviewed regularly throughout 2018 and then at least every two years in order to take account of any new or changed legislation, regulations or business practices.


Local Services, Let
Set up a continuing and and welfare power of attorney before you lose capacity and it
Silver Rose Funeral Directors