PPG data protection procedure

Introduction

  • St James Medical Practice Patient Participation Group has a data protection policy which is reviewed regularly. In order to help us uphold the policy, we have created the following procedures which outline ways in which we collect, store, use, amend, share, destroy and delete personal data.
  • These procedures cover the main, regular ways we collect and use personal data. We may from time to time collect and use data in ways not covered here. In these cases we will ensure our Data Protection Policy is upheld.

General procedures

  • Data will be stored securely. When it is stored electronically, it will be kept in password protected computers. When it is stored online in a third party website (e.g. Google Drive) we will ensure the third party comply with the GDPR. When it is stored on paper it will be filed carefully in a locked filing cabinet.
  • When we no longer need data, or when someone has asked for their data to be deleted, it will be deleted securely. We will ensure that data is permanently deleted from computers, and that paper data is shredded.
  • We will keep records of consent given for us to collect, use and store data. These records will be stored securely.

Mailing list

  • We will maintain a mailing list. This will include the names and contact details of people who wish to receive publicity and information on fundraising activities from St James Medical Practice Patient Participation Group and those who are willing to be contacted about general health and practice related issues.
  • When people sign up to the list we will explain how their details will be used, how they will be stored, and that they may ask to be removed from the list at any time. We will ask them to give separate consent to receive publicity and fundraising information, and will only send them messages which they have expressly consented to receive.
  • We will not use the mailing list in any way other than that the individuals on it have explicitly consented to. Other than if required by legal obligations.
  • We will provide information about how to be removed from the list with every mailing.
  • We will use mailing list providers who store data within the EU.

Selling merchandise

We sell DVD’s and Books at the practice to help raise money for the group. These items are paid for at reception and the monies are held and passed to the treasurer  at intervals. No customer information is taken except if they wish to enquire about joining the group. In this case the practice will take contact details and inform the chairman. Any personal information obtained will be kept in accord with these procedures and the group data protection policy.

We also hold cake sales and similar from time to time and, at the same time membership of the group is promoted. Personal information will be taken from those expressing interest in the group and this will be handled in accord with these procedures and the group data protection policy.

Contacting others

  • The group runs occasional health related events and in these instances participant information will be taken for the purpose of taking part in the event. Personal data will be destroyed within one month following the event except if any individual wishes to enquire about joining the group. In this case contact details will be retained. Any personal information obtained will be kept in accord with these procedures and the group data protection policy.
  • When contacting people we will provide a privacy notice which explains why we have their information, what we are using it for, how long we will keep it, and that they can ask to have it deleted or amended at any time by contacting us.

Members and others

To allow members and others to work together to organise for the group, it is sometimes necessary to share volunteer / member contact details with other volunteers or members. We will only do this with explicit consent.

Contacting committee members

  • The committee need to be in contact with one another in order to run the organisation effectively and ensure its legal obligations are met.
  • Committee contact details will be shared among the committee.
  • Committee members will not share each others’ contact details with anyone outside of the committee, or use them for anything other than St James Medical Practice Patient Participation Group business, without explicit consent.