Privacy notice
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.
Download a copy of our Privacy Notice or read in full below.
Download a copy of the ‘Privacy Notice – How we use your medical records’
The New Surgery Kilmacolm and Langbank Privacy Notice
This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.
You can find more detailed information about how we your information for the following specific purposes here:
- Research – Find out how health researchers use information – See attached
Our contact details
Name: The New Surgery Kilmacolm and Langbank
Address: The Cargill Campus, Lochwinnoch Road, Kilmacolm, PA13 4LE and The Surgery, Station Road, Langbank, PA14 6YA
General phone number: 01505 872844 and 01475 540404
Website: [add website address where applicable]
We are the controller for your information. A controller decides on why and how information is used and shared.
Data Protection Officer contact details
Our Data Protection Officer is Rebecca Greene and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at the surgery details above.
The controller(s) is: Rebecca Greene, Practice Manager
Name: The New Surgery Kilmacolm and Langbank
Address: The Cargill Campus, Lochwinnoch Road, Kilmacolm, PA13 4LE
Phone number: 01505 872844
Website: [add website address of the controller(s)]
How do we get information and why do we have it?
The personal information we collect is provided directly from you for one of the following reasons:
- you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
- you have sought funding for continuing health care or personal health budget support
- you have made a complaint
- you have agreed to participate in research studies
We also receive personal information about you indirectly from others, in the following scenarios:
- from other health and care organisations involved in your care so that we can provide you with care
- from family members or carers to support your care
What information do we collect?
Personal information
We currently collect and use the following personal information
- personal identifiers and contacts (for example, name and contact details)
- photographic identity (photo ID) (for example, photographs of staff for ID badges or our website)
More sensitive information
We process the following more sensitive data (including special category data):
- data concerning physical or mental health (for example, details about your appointments or diagnosis)
- data revealing racial or ethnic origin
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
- genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
- biometric data (where used for identification purposes)
- data revealing religious or philosophical beliefs
- data relating to criminal or suspected criminal offences
Who do we share information with?
We may share information with the following types of organisations:
- hospitals, community care teams, care homes, pharmacies
- third party data processors (such as IT systems suppliers)
- planners of health and care services (such as Integrated Care Boards)
- other
In some circumstances we are legally obliged to share information. This includes:
- when required by NHS Scotland to develop national IT and data services
- when registering births and deaths
- when reporting some infectious diseases
- when a court orders us to do so
- where a public inquiry requires the information
We will also share information if the public good outweighs your right to confidentiality. This could include:
- where a serious crime has been committed
- where there are serious risks to the public or staff
- to protect children or vulnerable adults
We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include to comply with the law and for public interest reasons.
What is our lawful basis for using information?
Personal information
Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:
(a) We have your consent – this must be freely given, specific, informed and unambiguous.
(b) We have a contractual obligation – between a person and a service, such as a service user and privately funded care home.
(c) We have a legal obligation – the law requires us to do this, for example where NHS Scotland or the courts use their powers to require the data.
(d) We need it to perform a public task – a public body, such as an NHS organisation or registered social care organisation, is required to undertake particular activities by law.
More sensitive data
Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category):
(a) We need it for employment, social security and social protection reasons (if authorised by law).
(b) We need for a legal claim or the courts require it.
(c) There is a substantial public interest (with a basis in law)..
(d) To provide and manage health or social care (with a basis in law).
(e) To manage public health (with a basis in law).
(f) For Archiving, research and statistics (with a basis in law).
How do we store your personal information?
Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:
- securely dispose of your information by shredding paper records, or wiping hard drives to legal standards of destruction].
- archive your information by sending to Practitioner Services
What are your data protection rights?
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information (known as a subject access request).
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us if you wish to make a request.
How do I complain?
If you have any concerns about our use of your personal information, you can make a complaint to us at The New Surgery Kilmacolm and Langbank.
Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.
The ICO’s address is:
Scottish Information Commissioner’s Office
6th Floor Quartermile One
15 Lauriston Place
Edinburgh
EH3 9EP
Helpline number: 0303 123 1115
ICO website: https://www.ico.org.uk
Date of last review
28/03/2025