This Data Protection Policy ('the Policy') sets out the principles which we will apply to our processing of personal data so that we not only safeguard one of our most valuable assets, but also process personal data in accordance with the law.
When you complete your online form we refer you to the privacy policy and how we collect and use your data.
Data protection principles
ClinicYou will comply with the following principles in respect of any personal data which it processes as a data controller:
1 Personal data must be processed fairly and lawfully and must not be processed unless:
1.1 at least one of the conditions in Schedule 2 to the Act is met; and
1.2 in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the Act is also met.
The Schedule 2 and 3 conditions are set out in the Guidance.
2 Personal data must be obtained only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with those purposes.
3 Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data must be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data must be processed in accordance with the rights of data subjects under the Act. These rights are:
6.1 the right of subject access;
6.2 the right to prevent processing likely to cause damage or distress;
6.3 the right to prevent processing for purposes of direct marketing;
6.4 the right to object to automated decision-taking.
7 Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
SCHEDULE 2 - CONDITIONS RELEVANT FOR THE PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA
1. The data subject has given his consent to the processing.
2. The processing is necessary -
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary to protect the vital interests of the data subject.
5. The processing is necessary-
(a) for the administration of justice
(b) for the exercise of any functions conferred on any person by or under any enactment
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. (1) The processing is necessary for the purpose of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which
this condition is, or is not, to be
SCHEDULE 3 - CONDITIONS RELEVANT FOR THE PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF SENSITIVE PERSONAL DATA
1. The data subject has given his explicit consent to the processing of the personal data.
2. (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) The Secretary of State may by order -
(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
3.1 The processing is necessary-
(a) in order to protect the vital interests of the data subject or another person, in a case where -
(i) consent cannot be given by or on behalf of the data subject, or
(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or
(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4. The processing -
(a) is carried out in the course of its legitimate activities by any body or association which -
(i) is not established or conducted for profit, and
(ii) exists for political, philosophical, religious or trade-union purposes,
(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and
(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing-
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
7. (1) The processing is necessary -
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under an enactment, or
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
(2) The Secretary of State may by order -
(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
8. (1) The processing is necessary for medical purposes and is undertaken by-
(a) a health professional, or
(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
(2) In this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
9. (1) The processing-
(a) is of sensitive personal data consisting of information as to racial or ethnic origin,
(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.
(2) The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with the appropriate safeguards for the rights and freedoms of data subjects.
10. The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.
This Policy may be amended from time to time to reflect any changes in legislation. Any queries should be directed to the Data Protection Officer.
November 2009