Data Protection & Privacy Policy

For Use in:

All hospitals Eastern Gastroenterology Group Ltd (EGG) operates in and all activities related to EGG’s work


All EGG Staff and Subcontractors


Guiding staff at all levels regarding their responsibilities and EGG’s approach to data protection and policy

Division responsible for document:

EGG Directors over seen by the EGG chair
Key words:

Information Governance, Data Protection, Privacy

Name of document author:

Dr Bernard Brett

Named Governance Lead

Dr Marianna Mela

Senior Information Risk Officer

Dr Simon Rushbrook

Data Protection Officer

Tracey McDonnell

Director of Nursing

Tracy McDonnell

Name of document author’s Line Manager

EGG board of directors

Job title of author’s Line Manager:

EGG board of directors

Assessed and approved by the:

The directors of EGG

Date of approval:


To be reviewed before


To be reviewed by:

The company directors

Document Reference Number


Version No:


Policy Statement

Eastern Gastroenterology Group lawfully processes information about its outpatients, staff and shareholders in order to carry out its everyday business and to fulfil its private functions.

1.2   Eastern Gastroenterology Group is committed to protecting the rights of privacy and processing will be conducted fairly, lawfully and transparently in accordance with ‘Data Protection Legislation’. Data Protection Legislation means the Data Protection Act 1998 as long as it is in force and thereafter the General Data Protection Regulation (EU) 2016/679 enforced in the UK on 25 May 2018 (GDPR) and any national implementing laws and secondary legislation, as amended or updated from time to time, in the UK, and any other successor legislation and all other applicable data protection law.

1.3 Data subjects have legal rights including the right to request: access to their data; rectification of an error; erasure of their details; restriction of processing; portability of their data; and to object to processing. These rights can be found in Section 7.

1.4 This Policy must be read and complied with by all staff, contractors, Partner Organisations, other authorised third parties (suppliers and contractors) and all other authorised users when processing any of Eastern Gastroenterology Group’s personal data.

1.5 This policy is open to all internal and external stakeholders and is available on the Eastern Gastroenterology website; www.

2.1 Data Protection Legislation requires us to designate a Data Protection Officer. The Data Protection Officer for Eastern Gastroenterology Group is involved in matters which relate to the protection of personal data and will monitor compliance, provide advice and to cooperate and communicate with the Regulator as required.

2.2 The Senior Information Risk Owner (SIRO) is responsible for ensuring information assurance controls are in place.

2.3 The Board of Eastern Gastroenterology Group is responsible for developing and encouraging robust information handling practices within the Eastern Gastroenterology Group.

2.4 Beyond this, compliance with Data Protection Legislation is the responsibility of everyone that processes personal data on behalf of the Eastern Gastroenterology Group. The Eastern Gastroenterology Group, through its staff, Members and authorised third parties, is responsible for ensuring that any personal data is processed in accordance with Data Protection Legislation.

Data Protection Legislation Principles

3.1 All processing of personal data must be done in accordance with the data protection principles as prescribed in Data Protection Legislation;

Personal data shall be processed lawfully, fairly & transparently (‘lawfulness, fairness and transparency’);
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

3.2 Furthermore, Data Controllers are required to be responsible for, and to demonstrate compliance with the principles (‘accountability’). The Eastern Gastroenterology Group’s accountability is demonstrated in numerous ways, including:
The provision of mandatory data protection training, and refresher training;
Through the assignment of responsible individuals across the organisation (as set out at Paragraph 2), including the assignment of the DPO and SIRO who ensure the high standards of data privacy is maintained;
And through the application of Eastern Gastroenterology Group policies which are all regularly reviewed, promoted and accessible.
Raising awareness of data protection responsibilities happen throughout the year reflecting changing regulation and any root cause analysis gathered in relation to any incidents reported.

Lawful processing
4.1 Personal data will be lawfully processed by the Eastern Gastroenterology Group at all times.

4.2 There are six ways in which lawful processing can occur, however only five of these are available to the Eastern Gastroenterology Group as a private limited company in the performance of tasks on behalf of its own business practice and that of servicing patients on behalf of NHS Healthcare Provider and Healthcare organisations.

4.3 These five ways of lawful processing are:

The data subject consents to the processing for one or more specific purpose.
In the performance of a contract to which the data subject is a party
In compliance with a legal obligation.
It is necessary to protect the vital interests of the data subject
Processing is necessary for the performance of a task carried out in the interest of the patient or in the exercise of the official authority vested in the controller

4.4 When Eastern Gastroenterology Group exercises its official obligation to provide services, the lawful ground generally used will be 4.2 (e).  Where the processing involves special categories of personal data, if one of the exceptions detailed at Article 9(2) of the General Data Protection Regulation does not apply.

4.5 The Eastern Gastroenterology Group will be clear and transparent in Privacy Notices, detailing the purposes for which we are collecting your data and the lawful processing ground. Privacy Notices will also include the other required information stipulated at Article 13 of the General Data Protection Regulation.

4.6 Wherever the lawful ground of processing is consent, consent will be requested:

4.6.1 In clear, specific and plain language.

4.6.2 Separate from other matters. If the processing is necessary for the provision of a service or the performance of a contract consent is unlikely to be a suitable lawful processing ground.

4.6.3 Able to put individuals in control of their data, build Healthcare Provider and engagement and maintain the Eastern Gastroenterology Group’s high-standards.

4.6.4 Important in providing genuine choice and control. It will be an affirmative action and will not be deemed or gathered by pre-ticked or opt-out boxes.

4.6.5 As easy to withdraw as it was to give consent. We will clearly explain how consent can be withdrawn and continue to do so in future interactions.

4.6.6 Reviewed and refreshed regularly.

4.6.7 Acted upon, ensuring that appropriate action is taken to prevent further processing where consent is withdrawn.

4.7 If any officer of Eastern Gastroenterology Group, Member or third party partner organisation is in any doubt about these matters, they should contact the Data Protection Officer

5.Privacy Notices

5.1 When we collect personal data from data subjects we will always provide clear information in a privacy notice.   Data Protection Legislation stipulates the information which must be provided.

Security of Data
6.1 The Eastern Gastroenterology Group implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

6.2 All staff are responsible for ensuring that any Eastern Gastroenterology Group personal data which they hold are kept securely and that they are not disclosed to any unauthorised third parties.

6.3 All personal data should be accessible only to those who need to use it.   Eastern Gastroenterology Group ensures the working environment provides controlled access to employee areas where personal data is kept.

To ensure an additional level of security, we will, where deemed appropriate, keep personal data:
In a locked room with access controlled; or
In a locked drawer or filing cabinet; or
If computerised, ensure data is only accessible to the required individuals; or
Kept on encrypted disks, which are themselves stored securely.

6.4 Care will be taken to ensure that PCs and screens are not visible except to authorised individuals. Computer passwords will be kept confidential.

6.5 Care must be taken with the deletion or disposal of personal data ensuring safe disposal physical records should be shredded or placed in the confidential bins.

6.6 Electronic records should be securely stored and deleted from Eastern Gastroenterology Group systems in line with the contractual obligations agreed with the Healthcare Provider.

6.7 Where patient data is transferred from and to the Healthcare Provider, we take every step to ensure that this data is secure.

6.8 Where a third party is an authorised data processor for the Eastern Gastroenterology Group we take due diligence steps to ensure they meet Eastern Gastroenterology Group standards of security and include these requirements within our written contracts.

6.9 Where personal data is transferred to a third-party individual or organisation security measures will be taken to prevent a security breach in transit (these may include sending emails through a secure server or by password protecting that document).

6.10 The Eastern Gastroenterology Group has measures in place to ensure compliance with security requirements which are regularly reviewed through internal audit reviews.

6.11 The Eastern Gastroenterology Group is committed to ensuring that any breaches of data security are promptly reported to, and robustly investigated by, the Data Protection Officer so that mitigating steps can be taken at the earliest opportunity. Where legally required the Data Protection Officer will notify the Information Commissioner of any relevant breaches within 10 working days.

7 Rights of Data Subjects

7.1 Data Protection Legislation provides individuals with the rights to request:

a) Access to their data;
b) Portability of their data;
c) Erasure of their data where applicable;
d) To object to processing;
e) To rectification of their data;
f) To restrict processing.

7.2 The rights set out at 7.1 are not absolute rights and will be dependent upon the lawful processing ground used. Furthermore, they may be subject to an exception or exemption as set out under Data Protection Legislation.

7.3 Where a data subject wishes to exercise one of these rights, they should contact the Data Protection Officer:

7.4 When we process a request to exercise one of your rights we will take reasonable authentication steps to verify your identity.

7.5 When one of the rights detailed at 7.1 are exercised, these will be actioned by the Eastern Gastroenterology Group without undue delay and ordinarily within one month. This time may on occasion be extended by up to two months, in compliance with Data Protection Legislation. Where it is necessary to extend this time, we will inform you of the reasons for this delay.

7.6 Subject Access Request

A subject access request made in electronic form will ordinarily be responded to in the same format, unless otherwise requested. A charge will not ordinarily be made for a subject access request. Data Protection Legislation prescribes that a charge could only be made whereby further copies of personal data are requested by a data subject. Please note that your medical records will remain under the control and supervision of the host NHS provider. EGG will produce medical records which will be stored by the host organisation and not be EGG. EGG will only retain limited anonymised date for audit and billing purposes. Subject access requests are therefore best placed with the host organisation (the NHS Trust who are responsible for your care and who have commissioned EGG to provide an element of your care or medical management).

7.7 Portability
The right of portability only applies to processing carried out by automated means which is based on consent or on the performance of a contract. If you have a right of portability where possible interoperable systems will be used to transfer your personal data, however where this is not technically possible the data will be transferred in an acceptable format.

7.8 Erasure
The right of erasure does not apply to processing which is subject to the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Whereby you have an applicable right of erasure we will let you know when we will be able to delete your details from our systems. This will be without undue delay, and ordinarily within one month.

7.9 Objection
Individuals can also object to personal data processed where the processing ground was carried out in our official capacity as a public authority (as set out at paragraph 4.3(e)). Where an objection to processing is made and a relevant ex7.9 Objection Individuals can also object to personal data processed where the processing ground was carried out in our official capacity as a public authority (as set out at paragraph 4.3(e)). Where an objection to processing is made and a relevant exception does not apply, this Council will cease to process your personal data.

7.10 Rectification
Where inaccurate personal data is gathered you have the right to request rectification of this data.

7.11 Restriction
Where a right to restriction of processing applies under Article 18 of the General Data Protection Regulation such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal persons or for reasons of public interest.

8.The Regulator – The Information Commissioner’s Office

8.1 Eastern Gastroenterology Group, as a Data Processor, is required to pay the Regulator a fee on an annual basis.

8.2 If you have any queries or concerns about how the company process personal data you can contact the Data Protection Officer for

8.3 You also have a right to lodge a complaint with the Information Commissioner’s Office at

8.4 You also have the right to complain to the Healthcare Provider

By writing to the Chief Executive (in the case of EGG, the CEO, Dr B Brett)
With the assistance of Patient Advice and Liaison Service (PALS) – in the case of EGG this is offered through the Director of Nursing
Via the Healthcare Provider website
By email to

Eastern Gastroenterology will then support any investigation activity as outlined by the Healthcare Provider.

9 Disclosure of Data

9.1 Personal data may be lawfully disclosed where one of the following conditions apply:

The individual has given their consent (e.g. a member of staff or a customer has provided consented for Eastern Gastroenterology Group to share)
There is a Power of Attorney in place which authorises a third party to act on behalf of the data subject in relation to that issue.
Where an exemption under Data Protection Legislation applies, including for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment/collection of a tax or duty or an imposition of a similar nature.
Where there is a legal obligation to disclose data. If in doubt, please consult the Council’s Data Protection Officer.

10 Freedom of Information Act 2000

10.1 The Freedom of Information Act 2000 allows the public access, subject to certain exemptions, to all types of non-personal information held by public authorities, including this Council. However, requests for personal information will be dealt with under Data Protection Legislation.

11 Policy Review

11.1 This Policy will be reviewed every 2-years, and sooner if any issues are highlighted, in the case of new risks, and/or if there are changes in legislation.

12 The Data Protection Officer

12.1 For further guidance or advice on the data protection legislation contact the Data Protection Officer or their deputy;