Privacy Policy

WEBSITE PRIVACY POLICY

Practice Name: Finlayson Street Surgery

Website: https://www.finlaysonstreetsurgery.co.uk

Hosting provider: My Surgery Website

Online Consultation Tool: Engage Consult

Data Protection Officer (DPO): Mrs Dawn Arnott (Practice Manager)

Contact: Tel 01346 518088 Email gram.finlaysonadminstrator@nhs.scot

Last Updated: January 2026

 

WHO WE ARE AND SCOPE OF THIS NOTICE

We are an independent GP practice providing NHS primary care services in Fraserburgh, Aberdeenshire.  This notice explains how we handle personal data collected via our website, including online forms, Engage Consult submissions and cookies/technical data.  It complements our Patient Privacy Notice describing how we process data in your GP medical record for direct care.  Under UK law, you have the right to be informed in a clear, accessible way about how we use your data.

 

THE LEGAL FRAMEWORK WE FOLLOW

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and we apply the Privacy and Electronic Communications Regulations (PECR) for cookies and similar technologies.  The core principles include fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality and accountability.

 

WHAT DATA WE COLLECT VIA THE WEBSITE

Depending on the page or service you use, we may collect:

  • Identity and contact details – name, date of birth, address, phone number, email (e.g. Engage Consult)
  • Message details – information you submit in queries, admin requests or feedback through our online forms or Engage Consult
  • Technical data – IP address, device/browser type and version, pages visited, date/time collected via cookies or similar technologies
  • Preferences – cookie consent choices and communication preferences

We collect only what is adequate, relevant and limited to what is necessary for the stated purpose.

 

WHY WE USE IT (PURPOSE) AND OUR LAWFUL BASIS

We use your website-collected data for:

  • Responding to website enquiries or admin requests and routing submissions correctly.

Lawful basis – public task (providing NHS primary care services) or legitimate interests for general website administration.  Where submissions relate to care, we process special category data under Article 9(2)(h) (health or social care).

  • Online messaging via Engage Consult (linked from or embedded within our site)

Lawful basis – public task, special category data under Article 9 (2) (h) for health information

  • Operating and securing the website (e.g. security logs, service availability, troubleshooting)

Lawful basis – legitimate interests (operate a secure service)

  • Analytics and performance measurement (if used)

Lawful basis – consent via the cookie banner; non-essential analytics are only set after opt-in, in line with PECR.  (We currently do not use analytics.  If this changes, we will update this notice and seek consent.)

 

COOKIES AND SIMILAR TECHNOLOGIES

Our website uses cookies and similar technologies.  We always obtain consent for non-essential cookies (e.g. analytics or tracking) and set these only after you opt in via our cookie banner.  We use essential cookies only where they are strictly necessary for the service you request (e.g. session management, load balancing).  These do not require consent under PECR.

 

Manage cookies: You can change your preferences at any time via the cookie banner link (Manage my cookies) and through your browser settings.

 

WHO WE SHARE WEBSITE-COLLECTED DATA WITH

We may share limited website-collected data with:

  • Engage Consult (the online consultation platform you choose to use), to deliver the service you request.  We only send the information necessary for your submission
  • My Surgery Website (our website host and support provider), acting under contract as a data processor
  • Authorities where we are required by law (e.g. to prevent or detect crime/fraud, or where disclosure is legally mandated)

We ensure any sharing is lawful, proportionate and documented, consistent with UK GDPR accountability and NHS Scotland confidentiality standards.

 

INTERNATIONAL TRANSFERS

If a supplier hosts or accesses data outside the UK, we will apply the appropriate safeguards (e.g. International Data Transfer Agreements and transfer risk assessments) before any transfer.  We keep a record of these safeguards.

 

HOW LONG WE KEEP WEBSITE-COLLECTED DATA

We keep data no longer than necessary for the purpose it was collected.  Retention depends on the nature of the request (e.g. general enquiries vs clinical/admin requests).  Where a website submission becomes part of your clinical record, we retain it in line with NHS retention schedules for health records.

 

SECURITY

We apply appropriate technical and organisational measures (access controls, secure hosting, encryption in transit, staff training, documented contracts/DPIAs where needed) to protect your data.  This supports UK GDPR security requirements and NHS Scotland confidentiality standards (including Caldicott principles).

 

YOUR DATA PROTECTION RIGHTS

Under UK law, you have rights to:

  • Be informed about how we use your data (this notice) and to receive information in clear language
  • Access your personal data, rectification of inaccuracies, erasure (where applicable), restriction and objection, data portability (where applicable)
  • Withdraw consent for non-essential cookies/analytics at any time
  • Complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data: 0303 123 1113 or visit ico.org.uk

 

NHS SCOTLAND CONFIDENTIALITY (WHERE SUBMISSIONS RELATE TO CARE)

If your website submission relates to your care, we treat it under NHS Scotland’s confidentiality code of practice and the Scottish common-law duty of confidentiality.  In limited cases, information may be used or shared without consent where required by law or in the public interest (e.g. safeguarding, serious risk).

 

LINKS TO OTHER WEBSITES (INCLUDING FACEBOOK)

Our site may link to external websites (e.g. NHS Inform, Health Board pages and our Facebook page).  We do not control those sites, their content or their privacy practices.  If you visit them, their own privacy notices will apply.

Facebook disclaimer: By clicking the link to our Facebook page, you will leave the Finlayson Street Surgery website and visit an external site.  Please note that Facebook may collect data about you, use cookies, and track your interaction according to its own privacy policy.  We do not control Facebook’s content or privacy notices.  We recommend reviewing their privacy notice before interacting with our page.

 

OUR DATA PROTECTION OFFICER (DPO) AND CONTACT

The DPO for Finlayson Street Surgery is Mrs Dawn Arnott, Practice Manager.  For any data protection queries (including exercising your rights), please contact us via the details at the top of this notice.  Certain organisations must designate a DPO.  We will keep this section up to date to reflect governance changes.

 

CHANGES TO THIS NOTICE

We review and update this notice periodically and when services or guidance/law change (e.g. ICO cookie guidance or PECR updates).  Significant changes will be highlighted on the website.

 

COOKIE BANNER

We use cookies to make our site work and to help us improve it.

  • Essential cookies are always active for security and basic functions
  • Analytics cookies (if introduced) will only be set after you accept

You can change your preferences at any time via Cookie Settings.

 

Page last reviewed: 29 December 2025
Page created: 20 May 2025