GDPR

Privacy Notice

Madryn House Surgery – Full Privacy Notice

 

How We Use Your Personal Information

 

1. Introduction

 

This privacy notice explains why Madryn House Surgery collects, stores and processes personal information about you, how we use it, and your rights under data protection legislation.

We are committed to protecting your privacy and ensuring your personal data is handled securely and lawfully in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
  • Common Law Duty of Confidentiality
  • NHS Wales Codes of Practice

 

2. Data Controller

 

Madryn House Surgery is the Data Controller for the personal data we process.

Contact details: Madryn House Surgery Email: Admin.MadrynHouse@wales.nhs.uk

 

3. What Information We Collect

 

We collect and process the following types of information:

 

Personal information

 

  • Name, address, date of birth
  • Contact details
  • NHS number
  • Next of kin

 

Special category (sensitive) information

 

  • Health information
  • Medication history
  • Test results
  • Referrals and clinical correspondence
  • Safeguarding information
  • Ethnicity and language (where relevant)

 

Other information

 

  • CCTV images
  • Call recordings
  • Online consultation submissions
  • Complaints and feedback

 

4. Why We Collect and Use Your Information

 

We use your information to:

  • Provide safe, effective healthcare
  • Maintain accurate medical records
  • Make referrals to other NHS and care services
  • Prescribe medication
  • Manage long‑term conditions
  • Protect public health
  • Support safeguarding
  • Respond to queries, complaints or requests
  • Support planning, audit and service improvement
  • Meet legal and regulatory obligations

 

We only collect the minimum information necessary for each purpose.

 

5. Lawful Basis for Processing

 

Under UK GDPR, we process your personal data under:

 

Article 6 – Lawful basis

 

  • 6(1)(e) Public task
  • 6(1)(c) Legal obligation
  • 6(1)(d) Vital interests (where necessary)

 

Article 9 – Special category data

 

  • 9(2)(h) Provision of health or social care
  • 9(2)(g) Substantial public interest
  • 9(2)(c) Vital interests
  • 9(2)(i) Public health

 

6. How We Share Your Information

 

We share information with other organisations involved in your care, including:

 

  • Hospitals and secondary care services
  • Community nursing teams
  • Mental health services
  • Pharmacies
  • NHS 111 / Out‑of‑hours services
  • Social care
  • Diagnostic and screening services
  • Welsh Ambulance Service
  • Digital Health and Care Wales (DHCW)

 

We may also share information for:

 

  • Safeguarding
  • Public health
  • Legal requirements
  • Serious incident investigations
  • National screening programmes

 

We will never sell your data.

 

7. How We Store Your Information

 

Your information is stored securely on NHS systems, including EMIS and NHS Wales digital platforms. We apply strict access controls, audit trails, and security measures to protect your data.

 

8. How Long We Keep Your Information

 

We follow the NHS Wales Records Retention Schedule. Medical records are kept for the duration of your care and for the legally required retention period afterwards.

 

9. Your Rights

 

You have the right to:

  • Access your information (Subject Access Request)
  • Request correction of inaccurate data
  • Request deletion (in limited circumstances)
  • Object to processing (in limited circumstances)
  • Request restriction of processing
  • Be informed about how your data is used
  • Data portability (where applicable)
  •  

To exercise your rights, contact the Practice Manager.

 

10. Data Protection Complaints (NEW REQUIREMENT)

 

Individuals have the right to raise a data protection complaint directly with the organisation if they believe their personal data has been used in a way that does not comply with data protection legislation.

 

You can raise a data protection complaint with us by contacting the Practice Manager or Information Governance Lead using the contact details in this notice.

 

You also have the right to raise a complaint with the Information Commissioner’s Office (ICO) at any time:

 

Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Telephone: 0303 123 1113 Website: www.ico.org.uk

 

11. How to Contact Us

 

For any queries about this privacy notice or your data rights:

 

Practice Manager / IG Lead Madryn House Surgery Email: Admin.MadrynHouse@wales.nhs.uk

 

12. Changes to This Privacy Notice

 

We review this notice regularly and update it when required to reflect changes in legislation or practice operations.

 

 

Last updated: June 2026

data
Page last reviewed: 03 June 2026
Page created: 04 December 2020