Ballywalter Surgery Privacy Notice


Who are ‘we’?

When we refer to ‘we’ (or ‘our’ or ‘us’), that means Ballywalter Surgery, Ballywalter Health Centre.
For European Union data protection purposes, we are registered with ICO as Ballywalter Health Clinic

Our principles of data protection

We process personal data by being open, honest and transparent.
We enable efficient use of personal data to provide you with a fit for purpose Primary Healthcare Service.
We accept the responsibility that comes with processing personal data.

How we collect your data

By being registered with us we collect personal data. The ways we collect it can be broadly categorised into the following:
Information you provide to us directly: Information you provide to us including in person, by telephone or in writing in relation to the service provided by us or your registration with us will be stored in you medical record.
Information provided by other healthcare organisations or third parties: We retain information in your medical records provided to us by other organisations within HSCNI and outside organisations (for example letters from opticians, requests for information from life insurance companies or PIP).
Information which is not stored in your medical record: The majority of information we hold is stored in your medical record however at times some personal data may be stored outside your medical record for example in relation to complaints or audits, this information is stored securely on site and is usually held for six years for probity purposes.

Where we collect personal data, we’ll process it:

to provide healthcare services and maintain our own records and accounts
where we have legitimate interests to process the personal data and they’re not overridden by your rights, or
in accordance with a legal obligation, or
where we have your consent.
If we don’t collect your personal data, we may be unable to provide you with all our services.

How we use your data

First and foremost, we use your personal data to fulfil our role as providing Family Practitioner services.
In the healthcare sector, patient data is held under a duty of confidence. Healthcare providers generally operate on the basis of implied consent to use patient data for the purposes of direct care, without breaching confidentiality.
These records may include:
• Basic details, such as name, address, date of birth, next of kin.
• Contact we have had, such as appointments and home visits.
• Details and records of treatment and care, including notes and reports about your health
• Results of x-rays, blood tests, etc.
• Information from people who care for you and know you well, such as health professionals and relatives.
It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver and provide improved care, deliver appropriate treatment and care plans, to meet your needs.

We may use your data:

To communicate with you:

This may include:
providing you with information you’ve requested from us or information we are required to send to you or it is in your best interests to send to you.
operational communications, for example notifying you of changes to the service we provide.
informative communications (for example inviting you to make an appointment at flu clinic or other health promotion)
to obtain feedback or to take part in any research we are conducting (which we may engage a third party to assist with).

To support you:

This may include assisting with the resolution of technical support issues such as with patient access or to help answer a query you may have.

We also use your personal data for other purposes, which may include the following:

To protect: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our services fairly.

To analyse, aggregate and report: We may use the personal data we collect about you and other users of our services to produce aggregated and anonymised analytics and reports, which we may share publicly or with third parties.

How we can share your dat

There will be times when we need to share your personal data with third parties. We will only disclose your personal data to:

  • other HSCNI organisations
  • other healthcare professionals
  • third parties where you consent to share information has been clearly demonstrated
  • regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights.
  • other people where we have your consent.


Security is a priority for us when it comes to your personal data. We’re committed to protecting your personal data and have appropriate technical and organisational measures in place to make sure that happens.


The length of time we keep your personal data depends on what it is:

  • If you transfer out or your temporary registration expires your full medical records held by us (including a printout of all computerised records) will be returned to BSO for forwarding to your new GP or secure storage as appropriate.
  • When your registration with us ceases your computerised record becomes inactive and any access is strictly audited, staff cannot access your records without providing a lawful and justifiable reason.
  • When your registration with us ceases some personal data outside your medical record for example in relation to audits or complaints may be retained securely on site for a period of 6 years.

Your rights

It’s your personal data and you have certain rights relating to it.
You also have rights to

  • Know what personal data we hold about you
  • Request a copy of your personal data
  • Ask us to restrict or cease processing your personal data (however in the healthcare context this may result in us being unable to provide our services to you)
  • Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. However, this doesn’t extend to medical opinions, where the data recorded accurately represents the opinion in question. An initial diagnosis (or informed opinion) may prove to be incorrect after more extensive examination or further tests. Individuals may want the initial diagnosis to be deleted on the grounds that it was, or proved to be, inaccurate. However, if the patient’s records accurately reflect the doctor’s diagnosis at the time, the records are not inaccurate, because they accurately reflect a particular doctor’s opinion at a particular time. Moreover, the record of the doctor’s initial diagnosis may help those treating the patient later.

Data Protection Officer: Heather Scott (Practice Manager)
Data Controllers: Dr Hughes & Dr Morrison
May be contacted via reception, by telephone or in writing.