UK General Data Protection Regulation and Management (2022)
UK GDPR took effect at the end of the Brexit transition period on 31 December 2020, when the EU GDPR was retained in UK law. Totally, as a healthcare provider organisation, has therefore reviewed its policies to reflect this. The EU adequacy decisions adopted on 28 June 2021 under the EU GDPR and the Law Enforcement Directive (LED) mean that personal data can continue to flow between the EU and the UK until at least June 2025, when those decisions are due to lapse unless renewed.
Totally does not trade outside of the UK.
The Board of Totally recognises the significance of data protection. The purpose of this policy is to protect all personal information controlled or processed by the organisation and to maintain a level of awareness that ensures the data protection principles are applied across all areas of operation within the Totally Group.
Personal data is identified and managed in accordance with the data protection risk assessment methodology, which defines the acceptable levels of risk.
Our Data Protection Policy is implemented through a stringent set of controls, including policies, processes, procedures and software and hardware functions. These controls are monitored, reviewed and improved by the Board to ensure that specific data protection, security and business objectives are met. They operate in conjunction with other business management processes and incorporate the applicable statutory, regulatory and contractual requirements.
Totally is committed to complying with data protection law, the UK GDPR requirements and good practice. These include:
- Processing personal information only where this is strictly necessary for legal and regulatory purposes, or for legitimate or contractual organisational purposes.
- Processing only the minimum personal information required for these purposes.
- Providing clear and timely information to natural persons (including children) about how their personal information can be used and by whom.
- Only processing relevant and adequate personal information.
- Processing personal information fairly and lawfully.
- Maintaining a documented inventory of the categories of personal information processed by the organisation.
- Keeping personal information accurate and, where necessary, up-to-date.
- Retaining personal information only for as long as is necessary for legal or regulatory reasons or for legitimate or contractual organisational purposes and ensuring timely and appropriate secure disposal.
- Respecting natural persons’ rights in relation to their personal information.
- Keeping all personal information secure.
- Only transferring personal information outside the UK in circumstances where it can be adequately protected.
- Maintaining certification to ISO 27001 (the information security management standard) to support implementation of the data protection policy.
- Where appropriate, identifying internal and external interested parties and the degree to which they are involved in the governance of the organisation's information security management system.
- Identifying workers with specific responsibility and accountability for the information security management system.
- Maintaining records of processing of personal information.
Our Data Protection Policy and Data Security Awareness Programme are incorporated into our staff induction and annual training programme. The Data Protection Policy is readily accessible internally and is presented to existing and prospective clients upon request. In addition to our employees, the suppliers, contractors and sub-contractors of Totally are required to adhere to our Data Protection Policy.
Totally is committed to continual improvement and all employees are empowered to take responsibility for data protection, with a robust process for identifying and reporting data breaches in place and subject to regular review.
Through compliance with applicable statutory, regulatory and contractual requirements, and with the requirements of the UK General Data Protection Regulation (UK GDPR) for the protection of personal information, Totally will demonstrate confidence, integrity and credibility both internally and externally.
Chief Executive Officer
1 February 2022
This policy covers all data that is shared by a visitor with us whether directly via the Website or via email.
We update this policy occasionally, so we suggest you review it from time to time.
Certain organisations are required under data protection law to appoint a Data Protection Officer (DPO). For the purposes of the UK GDPR and the Data Protection Act 2018, our Data Protection Officer can be contacted on 020 3866 3330 or by email at email@example.com.
Information we collect
In operating our Website, we may collect and process the following data about you:
- Details of your visits to our Website and the resources that you access, including, but not limited to, traffic data, location data, weblog statistics and other communication data.
- Information that you provide by filling in forms on our Website, such as when you register to receive information such as a newsletter or contact us via the contact us page.
- Information provided to us when you communicate with us for any reason.
Maintaining data privacy and data protection is a priority for Totally (which incorporates the following group subsidiaries: About Health Limited, Premier Physical Healthcare Limited, Optimum Sports Performance Centre Limited, Totally Health Limited, Vocare Limited, Greenbrook Healthcare Limited, Energy Fitness Professionals, and Totally Healthcare Limited).
Any questions relating to Data Privacy with Totally plc or this Policy should be sent by email to firstname.lastname@example.org, or by writing to:
Cardinal Square West,
10 Nottingham Road,
Derby,
DE1 3QT.
Alternatively, you can call our Data Protection Officer on 020 3866 3330.
What personal information is held?
We may collect and process the following data from you:
- Information you consent to provide to Totally plc that is required to carry out our obligations arising from any contracts entered into between you and us, or from potential contracts under discussion between you and us.
- Information that you consent to provide by filling in forms on our website, or as part of any direct marketing or sales activities. This includes, but is not limited to, personal information about you such as your name, telephone contact number, geographical address/location, email address and interests.
Note: Clear consent information is supplied at point of collection to provide information on the use of data; and a record of the consent is taken at point of collection.
- If you contact us by telephone or in writing, we may keep a copy of your correspondence or communication for record purposes. We may record our telephone conversation with you for training, monitoring, or in the case of health care calls, for contractual reasons.
If you have provided us with the personal data of another person, Totally plc requires you to confirm that he/she consents to the processing of his/her personal data and that you have informed him/her of our identity as a Data Controller and of the nature of the processing taking place.
Records will be retained as evidence of this consent.
How will we use the information we hold about you?
We use information held about you in the following ways:
Performance of a contract – We use information held about you to carry out our obligations arising from any contracts entered between you and us; and to notify you about changes to our services.
Legitimate Interests – We use information held about you to provide you with information, products and/or services that you request from us, or which we feel may interest you where they are relevant to the products or services currently being supplied under a contract with Totally plc, or to a previous contract with Totally plc where you are happy to continue to receive such information.
Consent (Direct Marketing) – We use information held about you to provide you with information on products and/or services that you request from us, or which we feel may interest you where you have consented to be contacted for such purposes. Where consent has been provided to Totally plc, it is a recognised right of the Data Subject that this consent can also be withdrawn.
Further Data Protection Guidance for our NHS 111, GP Out Of Hours and Urgent Care services can be found here.
Should you wish to withdraw consent, please email email@example.com or write to Totally plc, Cardinal Square West, 10 Nottingham Road, Derby, DE1 3QT.
Alternatively, you can call our Data Protection Officer on 020 3866 3330.
We will not share your data with third parties for other marketing purposes unless we have your express consent to do so.
Your rights relating to Personal Data and GDPR
You have the right to ask us to cease processing your personal data for marketing purposes. We will seek consent (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your data to any third party for such purposes. You can also exercise your right to prevent such processing by contacting us at firstname.lastname@example.org.
GDPR gives you the right to access information held about you, and you may exercise that right at any time. Totally operates both a Data Subject Rights Procedure and a Subject Access Rights Procedure to ensure that all rights exercised by data subjects in relation to their personal data are managed appropriately.
From time to time, our website may contain links to and from our strategic partner(s), partner network(s), strategic sponsor(s), advertiser(s), and affiliate(s). If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.
Retention of your information
We take appropriate measures to ensure that any information collected from you is kept secure. Totally holds BSI accredited certification to ISO 27001:2013 and is subject to both internal and external audits to ensure that information security is upheld.
Totally operates a clear Records Management and Retention policy and associated Retention Schedule to ensure personal data is kept only for so long as is necessary for the purpose for which such information is used.
We retain your records in accordance with UK legislation for the specific service provided.
If any of your personal data changes, or if you have any questions about how we use data which relates to you, please contact us by email at email@example.com. We normally update your personal data within seven (7) working days of any new or updated personal data being provided to us, to ensure that the personal data we hold about you is as accurate and up to date as possible.
Disclosure of your information
We may disclose your personal information to any member of our group, which means our subsidiaries, strategic partner(s), or strategic sponsor(s), our ultimate holding company and its subsidiaries as defined in section 1159 of the UK Companies Act 2006.
As part of our GDPR compliance obligations, we are duty bound to check, before personal data is shared with third parties, that they apply the same or greater data protection controls. The use of non-disclosure agreements forms part of our third-party data sharing controls.
We may disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if we or substantially all of our assets are acquired by a third party, in which case personal data held by it about our customers will be one of the transferred assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce or apply other agreements; or
- to protect the rights, property or safety of Totally, our customers or others.
Totally has risk assessed where personal information may be transferred outside the UK and EEA. As part of our own due diligence, we have identified that personal data held for and by Totally may reside in the EU. Totally will continue to monitor this, taking into account any changes by third-party providers in the future. Should a requirement arise in future for data to be transferred outside the UK and EU, Totally will implement controls and safeguards to ensure that equal or greater data protection measures are enforced, and will retain records to evidence this, in line with the UK GDPR.
National Data Opt-Out programme
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.
The national data opt-out was introduced to enable patients to opt out of the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian. All health and care organisations were required to be compliant with the national data opt-out policy by 2020 wherever confidential patient information is used for research and planning purposes.
Totally is not currently engaged in routine activities that involve processing patients' data for purposes other than their direct care. This statement therefore acts as a backstop: should such processing occur in the future, a mechanism exists to ensure that the wishes of patients who have opted out are respected wherever the data is not already anonymised.
Totally's ICO registration number is Z3148154.
Department of Health and Social Care – August 2021