Data Protection & GDPR Policy

Vala Health is registered and conforms to ICO guidelines.

This policy is designed to be used in conjunction with the Medical Records Policy and the Computer and Data Security Procedure.

  1. Introduction

    1. Vala Health complies with the legal obligations of the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’). Vala Health gathers and uses data about doctors, employees and patients, both to manage our relationships with these individuals and in the course of conducting our business.

    2. This Data Protection Policy applies to patients, staff and any other individual who has contact with Vala Health.

    3. Vala Health is a ‘data controller’ for the purposes of these individuals’ personal data, and is responsible for determining the purpose and means of the processing of that data.

    4. In line with our Medical Records Policy and Computer and Data Security Policy, Vala Health has measures in place to protect the security of individuals’ data. A copy of this can be obtained from Pete Trainor, CEO.

    5. Vala Health will retain data in accordance with our Medical Records Policy. A copy of this can be obtained from Shellane Crisostomo, Clinical Operations Manager. This data will only be held for as long as is necessary for the purposes it has been collected.

    6. This policy has been created to be fully compliant with GDPR and the 2018 Act. Where any conflict arises between those laws and this policy, Vala Health will comply with the 2018 Act and the GDPR.

    7. For employees this policy is separate from data subjects’ contracts of employment (or contract for services) and can be amended by Vala Health at any time. There is a separate policy explaining how Vala Health holds data of employees of the company.

  2. The Six Data Protection Principles

    1. Vala Health processes personal data in accordance with the six Data Protection Principles for GDPR identified by the ICO, which means that personal data will:

      1. Be adequate, relevant and limited to what is necessary for the purposes for which it is processed;

      2. Be processed fairly, lawfully and transparently;

      3. Be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;

      4. Be collected and processed only for specified, explicit and legitimate purposes;

      5. Not be kept for longer than is necessary for the purposes for which it is processed;

      6. Be processed securely.

  3. Personal Data

    1. ‘Personal data’ is defined as information relating to a living person (‘data subject’) that can be used to identify them on its own, OR in combination with other information likely to be collected by Vala Health. This applies whether the information is stored physically, electronically, or in any other format. Vala Health is a digital practice and should only be storing electronic data.

    2. It does not include anonymised data, but does include any expression of opinion about the person, or any indication of the intentions of Vala Health or others, in respect to that individual.

    3. Personal data might be provided to Vala Health by the individual, or someone else (such as a previous employer or their GP), or it could be created by Vala Health. It could be provided or created as part of the recruitment process; in the course of the contract of employment (or services); or after its termination.

    4. Vala Health will collect the following types of personal data about patients:

    5. Vala Health’s health records are processed electronically; Vala Health will occasionally receive paper letters following a referral. A combination of working practices and technology is used to ensure that your information is kept confidential and secure. Records held by Vala Health may include the following information:

      1. Details about you, such as address and next of kin

      2. Any contact Vala Health has had with you, including appointments (emergency or scheduled), clinic visits, etc.

      3. Notes and reports about your health

      4. Details about treatment and care received

      5. Results of investigations, such as laboratory tests, x-rays, etc.

      6. Relevant information from other health professionals, relatives or those who care for you

    6. Vala Health will collect and use the following types of personal data about staff:

      1. Contact details and date of birth;

      2. Recruitment information e.g. application form, CV, references, qualifications etc.;

      3. Emergency contact details;

      4. Gender, marital status and family status;

      5. Information regarding their contract of employment (or services) e.g. start and end dates of employment; working hours; role; location; pension; benefits; holiday entitlement; and salary (including details of previous remuneration);

      6. Bank details and information in relation to tax status, including National Insurance number;

      7. Information relating to disciplinary or grievance investigations and proceedings involving them (whether or not they were the main subject of those proceedings);

      8. Electronic information in relation to their use of IT systems/SMART cards/telephone systems;

      9. Identification documents e.g. passport; information in relation to immigration status; driving licence; and right to work for Vala Health;

      10. Information relating to an employee’s performance and behaviour at work;

      11. Images (whether captured by photograph or video);

      12. Training records;

      13. Any other category of personal data which we may notify you of from time to time.

  4. Special Categories of Personal Data

    1. These comprise personal data consisting of information relating to:

      1. Racial or ethnic origin;

      2. Political opinions;

      3. Religious or philosophical beliefs;

      4. Trade union membership;

      5. Genetic or biometric data;

      6. Health;

      7. Sex life and sexual orientation;

      8. Criminal convictions and offences.

    2. Vala Health may hold and use any of these special categories of your personal data in accordance with the law.

  5. Processing Personal Data

    1. ‘Processing’ means any operation which is performed on personal data such as:

      1. Disclosure by transmission, dissemination or otherwise making available;

      2. Alignment or combination;

      3. Collection, recording, organisation, structuring or storage (e.g. within a filing system);

      4. Adaptation or alteration;

      5. Retrieval, consultation or use; and

      6. Restriction, destruction or erasure.

    2. Vala Health will process individuals’ personal data (including special categories of personal data) in accordance with the obligations prescribed under the 2018 Act, including:

      1. Performing the contract of employment (or services) between Vala Health and the individual;

      2. Complying with any legal obligation; or

      3. If it is necessary for Vala Health’s legitimate interests (or for the legitimate interests of someone else). Vala Health can only do this in circumstances where the individual’s interests and rights do not override those of Vala Health (or their own). Individuals have the right to challenge Vala Health’s legitimate interests and request that this processing be halted.

    3. Vala Health may process individuals’ personal data for these purposes without your knowledge or consent. Vala Health will not use your personal data for an unrelated purpose without informing you about it and the legal basis for processing it.

    4. Please note that if individuals opt not to provide Vala Health with some personal data, Vala Health may be unable to carry out certain parts of the contract between us, e.g. Vala Health needs staff members’ bank account details in order to pay them, and Vala Health must perform an ID check to confirm a patient’s identity before consultations.

    5. When Vala Health Might Process Your Personal Data

      1. For patients. Vala Health’s health records are processed electronically, and occasionally on paper if a letter is received from a referral. Vala Health does not hold paper records. A combination of working practices and technology is used to ensure that your information is kept confidential and secure.

      2. For employees. Vala Health is required to process individuals’ personal data in various situations during their recruitment, employment (or engagement) and even following termination of their employment (or engagement) for reasons including but not limited to:

        1. Deciding how much to pay staff, and other terms of their contract with Vala Health;

        2. Ensuring they have the legal right to work for Vala Health;

        3. Carrying out the contract between Vala Health and the individual including, where relevant, its termination;

        4. Carrying out a disciplinary or grievance investigation or procedure in relation to them or someone else;

        5. Monitoring and protecting the security (including network security) of Vala Health, of the individual, other staff, patients and others;

        6. Paying tax and national insurance;

        7. Providing a reference upon request from another employer;

        8. Preventing and detecting fraud or other criminal offences;

        9. Monthly payment of staff.

    6. Vala Health may process special categories of personal data to use information in relation to your:

      1. race, ethnic origin, religion, sexual orientation or gender to monitor equal opportunities;

      2. sickness absence, health and medical conditions to monitor your absence, assess your fitness for work, to pay you benefits, to comply with our legal obligations under employment law including to make reasonable adjustments and to look after your health and safety; and

    7. Vala Health does not take automated decisions about you using your personal data or use profiling in relation to you.

    8. Vala Health will only process special categories of individuals’ personal data in certain situations in accordance with the law, e.g. with their explicit consent. If Vala Health requests consent to process a special category of an individual’s personal data, the reasons for the request will be explained. Individuals do not need to consent and can withdraw consent later if they choose by contacting Shellane Crisostomo, Clinical Operations Manager.

    9. Vala Health does not need consent to process special categories of individuals’ personal data when it is processed for the following purposes:

      1. Where it is necessary for carrying out rights and obligations under employment law;

      2. Where it is necessary to protect individuals’ vital interests or those of another person where one or both parties are physically or legally incapable of giving consent;

      3. Where the individual has made the data public;

      4. Where processing is necessary for the establishment, exercise or defence of legal claims; and

      5. Where processing is necessary for the purposes of occupational medicine or for the assessment of the individual’s working capacity.

    10. All employment checks, including those for criminal records, will be carried out in line with the guidance from NHS Employers, available at: NHS Employers guidance on criminal checks

  6. Sharing Your Personal Data

    1. Vala Health does not routinely share data with other companies or agencies. Vala Health will only share personal data where there is a legal obligation or a safeguarding issue.

    2. Vala Health does not send your personal data outside the European Economic Area. If this changes you will be notified and the protections in place to protect the security of your data will be explained.

  7. Processing Personal Data for Vala Health

    1. All staff who work for, or on behalf of, Vala Health have some responsibility for ensuring data is collected, stored and handled appropriately, in line with this Data Protection Policy and Vala Health’s Medical Records Policy and Data Security Policy.

    2. Vala Health’s Dr Niall Aye Maung is responsible for reviewing this policy and updating Dr Niall Aye Maung on Vala Health’s responsibilities for data protection, and any risks in relation to the processing of data. Any questions related to this policy or data protection should be directed to Shellane Crisostomo, Clinical Operations Manager.

    3. All members of staff must follow these rules:

      1. Staff must only access personal data covered by this policy if needed for purposes necessary to their job, or on behalf of Vala Health, and only if they are authorised to do so. The data must only be utilised for the specified lawful purpose for which it was obtained.

      2. Personal data must be kept secure and not shared with unauthorised people.

      3. Personal data that is accessed, stored and collected for working purposes must be regularly reviewed and updated. This includes informing Vala Health of changes to your personal contact details.

      4. Do not make unnecessary copies of personal data. Any unused copies must be kept safe before being securely disposed of.

      5. Use strong passwords and lock computer screens when not at your workstation.

      6. Where suitable, anonymise data or use separate keys/codes so that the data subject cannot be identified.

      7. Do not save personal data to personal computers or other devices.

      8. Personal data should never be transferred outside the European Economic Area except to comply with the law and with the authorisation of the Data Protection Officer.

      9. Paper records (e.g. letters) must be scanned and added electronically and then shredded.

      10. Do not remove personal data from Vala Health’s premises without authorisation from your line manager or Data Protection Officer.

      11. Personal data should be shredded and securely disposed of when it is no longer needed.

    4. Please contact Dr Niall Aye Maung if you have any questions about data protection, or if you become aware of any potential improvements or vulnerabilities in data protection or data security that Vala Health can improve upon.

    5. Any deliberate or negligent breach of this policy may result in disciplinary action being taken in accordance with Vala Health’s Disciplinary Procedure.

    6. It is a criminal offence to conceal or destroy personal data which is part of a Subject Access Request. This conduct would be regarded as gross misconduct under Vala Health’s Disciplinary Procedure, which could result in dismissal.

  8. Handling Data Breaches

    1. Vala Health has robust measures in place to minimise and prevent data breaches from occurring. Should a breach of personal data occur, Vala Health will make note of the relevant details and circumstances, and keep evidence related to that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then Vala Health will notify the Information Commissioner’s Office within 72 hours.

    2. If you are aware of a data breach you must contact Shellane Crisostomo immediately and retain any related evidence to the breach that you may have.

  9. Subject Access Requests

    1. Data subjects can make a Subject Access Request (‘SAR’) to access the information Vala Health holds about them. This request must be made in writing. If you receive a SAR you should forward it immediately to Dr Niall Aye Maung, who will prepare a response.

    2. If you wish to make a SAR in relation to your own personal data this should be made in writing to Shellane Crisostomo. Vala Health will respond within one month unless the request is complex or numerous – if this is the case, then Vala Health will need more time to complete the request, and can extend the response period by a further two months.

    3. A Subject Access Request does not incur a fee; however, if the request is deemed to be manifestly unfounded or excessive then the practice is entitled to charge a reasonable administrative fee, or refuse to respond to the request.

  10. Data Subjects’ Rights

    1. In most situations Vala Health will not rely on your consent as a lawful ground to process your data. If Vala Health does request your consent to the processing of your personal data for a specific purpose, you have the right to decline or withdraw your consent at a later time. To withdraw consent, you should contact Shellane Crisostomo, Clinical Operations Manager.

    2. Data subjects have the right to information about what personal data Vala Health processes, how it is processed and on what basis. They have the right to:

      1. Access their personal data via a Subject Access Request.

      2. Correct any inaccuracies in their personal data. To do so please contact Shellane Crisostomo, Clinical Operations Manager.

      3. Request that we erase their personal data in the case that Vala Health was not entitled under the law to process it, or the data is no longer needed for the purpose it was collected. In this case please contact Shellane Crisostomo, Clinical Operations Manager.

      4. Object to data processing where Vala Health is relying on a legitimate interest to do so and the data subject contends that their rights and interests outweigh those of Vala Health and wishes us to stop.

      5. Object if Vala Health processes their personal data for the purposes of direct marketing.

      6. Receive a copy of their personal data and transfer their personal data to another data controller. Vala Health will not charge for this and will in most cases aim to do this within one month.

      7. With some exceptions, they have the right not to be subjected to automated decision-making.

      8. Be notified of a data security breach (within the appropriate timescales) concerning their personal data.

    3. If you have a complaint about how your data is processed that cannot be resolved with Vala Health, you have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office at the Information Commissioner’s Office website.

    4. Where your personal data is being corrected or erased, or Vala Health is contesting the lawfulness of the processing, you can apply for its use to be restricted while the application is made. In this case please contact Shellane Crisostomo, Clinical Operations Manager.

  11. Resources

    1. Information Commissioner’s Office website

    2. NHS Employers guidance on criminal checks

    3. Medical Records Policy

    4. Computer and Data Security Procedure