GDPR Privacy Notice
Contents
Personal Data Protection Principles
Lawfulness, Fairness, Transparency
Transparency (Notifying Data Subjects)
Security Integrity and Confidentiality
Reporting a Personal Data Breach
Data Subject's Rights and Requests
Changes to This Data Privacy Policy

Policy details

Introduction

This Information Governance Policy complies with the General Data Protection Regulation (GDPR), Data Protection Act and the Privacy and Electronic Communications Regulations. It explains how The Delphi Clinic handles the Personal Data of patients, employees, and suppliers. This policy is relevant to all Personal Data that is processed, regardless of the way it is stored. The policy also relates to data of past or present employees, workers, clients or supplier contacts, website users or any other Data Subject.

Scope

This policy applies to all staff.

TO ALL STAFF - You must read, understand, and comply with the policy when processing personal data. Staff are asked to attend training on its requirements.

This policy sets out what The Delphi Clinic expects from our staff, so that the company is compliant with applicable law. Your compliance with this policy is mandatory. Any breach of this policy may result in disciplinary action.

By correctly and lawfully processing personal data we will preserve the confidence of our clients and suppliers. Protecting the confidentiality and integrity of personal data is an important responsibility that we always take seriously. The Manager is responsible for ensuring all staff comply with this policy and needs to implement appropriate practices, processes, controls, and training to ensure such compliance.

Personal Data Protection Principles

The Delphi Clinic complies with the principles relating to processing personal data. The principles set out in the GDPR require Personal Data to be:

Managed lawfully, fairly and in a transparent way (Lawfulness, Fairness and Transparency).
Collected only for particular, explicit, and lawful purposes (Purpose Limitation).
Sufficient, applicable, and limited to what is necessary in relation to the reason for which it is processed (Data Minimisation).
Correct and, where necessary, kept up to date (Accuracy).
Not kept in a form which allows identification of individuals for longer than is necessary for the purposes for which the data is processed (Storage Limitation).
Managed in a way that ensures its security and always protects it against unauthorised or unlawful processing and against accidental loss, destruction, or damage (Security, Integrity and Confidentiality).
Not transferred to another country without suitable safeguards being in place (Transfer Limitation).
Made accessible to the individual whom the data belongs to, so that they can exercise certain rights in relation to their personal data (Data Subject's Rights and Requests).

The Delphi Clinic is accountable for and must be able to show compliance with the data protection principles listed above (Accountability).

Lawfulness, Fairness, Transparency

Personal data must always be processed in a lawful, fair, and transparent way.

Personal data should only be collected or shared for specified purposes.

The GDPR restricts actions concerning personal data. These limitations are not intended to prevent data management but to ensure that we process personal data fairly and without adversely affecting the individual.

The GDPR allows processing for specific purposes, some of which are set out below:

The individual whom the data belongs to has given his or her consent.
The processing is necessary for the performance of a contract with the individual.
To meet our legal compliance obligations.
To protect the individuals’ fundamental interests.

Personal data must only be processed on the basis of one or more of the lawful bases set out in the GDPR, which include consent.

Consent Limit

Consent for processing personal data from the individual whom the data belongs to must be indicated clearly in the agreement. Where consent is given in a document which deals with other matters, the consent element of the documentation must be kept separate from those other matters. Individuals must be easily able to withdraw consent to processing at any time, and withdrawal must be immediately honoured. If personal data is used for a different and incompatible purpose, which was not disclosed when the individual first consented, consent may need to be refreshed.

Transparency (Notifying Data Subjects)

The GDPR requires the person obtaining consent to give detailed, specific information to data subjects depending on whether the information was collected directly from them or from elsewhere. Such information must be provided through suitable privacy notices or fair processing notices which must be succinct, transparent, comprehensible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

Purpose Limitation

Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.

Personal data cannot be used for new, different, or incompatible purposes from that disclosed when it was first obtained, unless you have informed the person you have taken the data from. They must be informed of the new purposes and must consent where necessary.

Data Minimisation

Personal data must be sufficient, relevant, and limited to what is necessary in relation to the purposes for which it is collected. Personal data must be processed in line with regulation data and cannot be used for any reason unrelated to what it was ascertained for.

We ensure when personal data is no longer needed for specified purposes, it is deleted or anonymised.

Accuracy