All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.
We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption and information is transferred safely and securely.
SPC and its member practices do not transfer personal confidential information overseas without adequate protection.
Under the Data Protection Act 2018, SPC is required to register with the Information Commissioner’s Office detailing all purposes for which personally identifiable data is collected, held and processed.
SPC and its member practices have a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
SPC and its member practices will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and or required to by law. SPC and its member practices is a party to a number of information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation.
How Long Do We Keep Your Information?
There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care which determines the length of time records should be kept.
NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so has been determined and received from the Data Controller.