We're open
Latest News:
Missed Appointments and DNA’s DWP advisor will be available at Extended Primary Care Service (EPCS) Do you have a joint or muscle problem? Try the FREE getUBetter app Online booking system for blood tests from 29 August 2023 REAL reason you can’t get through to a doctor – It makes interesting reading Medical Examiner information for members of the public ‘We are drowning every day’: why Britain’s GPs are quitting the NHS Why is it so hard to get a GP appointment in some practices – A Which? Article Planned GP Online Records (Prospective/future record) Access GP National Survey Results July 2023 – What you thought of your practice, 306 Medical Centre!
Data Processing Agreement
This agreement is considered to be agreed upon signing of the Contract for Services between the Practice (acting as the Data Controller) and SurgeryWeb (the Supplier acting as the Data Processor on behalf of the Data Controller).
The Practice (as Data Controller) wishes to subcontract certain services which require the processing of personal data to SurgeryWeb (as Data Processor).
Processing of Personal Data
Both the Practice and SurgeryWeb shall comply with all applicable Data Protection Laws in the processing of the Practices personal data. The personal data to be processed includes (but is not limited to) Patient name, Date of Birth, Sex, Gender, Racial/Ethnic Origin, Address, Postcode, Telephone number, Email address, NHS number and relevant health data.
The Practice instructs SurgeryWeb to process this personal data where necessary to deliver the services provided by them. The processing required and purposes are listed below.
SurgeryWeb shall not process personal data for other purposes other than on the relevant Practices instructions. SurgeryWeb shall process personal data for the duration of the contract between the Practice and the supplier.
Sub-processing
SurgeryWeb will not appoint or share any personal data with any subcontracted processor unless authorised by the Practice. SurgeryWeb shall ensure that any subcontracted processor has implemented appropriate measures to ensure a level of security to the risk of a personal data breach as required by UK GDPR.
| Sub-processor | Personal data | Subject | Purpose | Additional Information |
|---|---|---|---|---|
| Amazon SES | Name, Email | NHS Patients, NHS Staff | Emailing patients and NHS staff | Amazon Web Services commitment to GDPR |
| Catalyst2 | Name, Date of Birth, Sex, Gender, Racial/Ethnic Origin, Address, Postcode, Telephone number, Email address, NHS number and relevant health data, documents, photographs. | SurgeryWeb customers, NHS Patients, NHS Staff | Web hosting, Storage and transmission | Catalyst2 Privacy Policy |
| Dropbox | Name, Date of Birth, Sex, Gender, Racial/Ethnic Origin, Address, Postcode, Telephone number, Email address, NHS number and relevant health data, documents, photographs. | SurgeryWeb customers, NHS Patients, NHS Staff | Storage of Data backups, retained for maximum of 2 weeks | Dropbox GDPR Compliance |
Security
All personal data is encrypted to NHS encryption standards. All personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for while the data is processed.
SurgeryWeb stores encrypted backups in a UK based data centre which auto-delete after a maximum of 2 weeks and is only accessible to authorised staff.
Data Subject Rights
SurgeryWeb will notify the Practice (Data Controller) within 2 working days if a request from a Data Subject is received in respect of personal data and will not respond to the request unless instructed to by the Practice.
Data Breach
SurgeryWeb will notify the Practice (Data Controller) without delay upon becoming aware of a personal data breach affecting personal data, providing the Practice with sufficient information to allow them to meet any obligations to report or inform Data Subjects of the breach under Data Protection Laws.
SurgeryWeb will co-operate with the Practice and take reasonable steps to assist in the investigation, mitigation and remediation of each breach.
Data Retention
SurgeryWeb has adopted retention periods for personal data of 2 weeks (14 days) for data backups and 3 years for data held on servers.
