Privacy Policy

Privacy Notice for GPUK Support Services Ltd;

GPWales, Locum Hub Wales,

1. Introduction

GPUK Support Services Limited, trading as GPWales and Locum Hub Wales is a Limited Company, and is contracted by NHS Wales Shared Services Partnership (NWSSP) for the provision of a range of services and functionality found and

As GPs and spouses of GPs, the GPWales Founders are personally and professionally committed to bringing improvement to General Practices and helping staff within General Practices to ultimately save time, money and improve patient care. Any following references to ‘we’ and ‘us’ refers to the GPWales.

Any data we handle is only ever given or shared with your consent. In registering as a user, you give consent for us to handle the data you provide, and we seek to keep the sharing of that data to the minimum required to enable the functionality of GPWales.

We recognise the need to treat Personal information in a fair and lawful manner. Personal information held by us will not be processed unless the requirements for fair and lawful processing can be met. This Privacy Notice provides a summary of how we will ensure that we do that, by describing:

· The purpose(s) for which it is being processed;

  • The person(s) it may be shared with.

· The categories of personal information we handle;

This Notice also explains what rights you have to control how we use your information.

2. How we get the information and why do we have it

The Personal information we process is provided to us directly by you, your Practice Enabled Users or sourced from automatic extraction from the Wales Medical Performers List (MPL) database.

  • All users are able to provide and edit their own personal data and preferences at any time. This includes how widely their data is shared with Practices/OOH (if at all). Users have complete control over exactly which Practices/OOH can view any of their information. By default nothing is available until the user chooses to connect to them for notifications or by applying for a shift.
  • Some users have additional permissions to access and manage Practice data , and data relating to personal users (Locums) working or applying to work with the Practice. These users are by default Partners and Practice Managers in each Practice, though they can add other staff to this list at their own will.
  • Health Boards have extremely limited personal data and are enabled to access Managed Practices, Out of Hours Locations or 111 Regions.

We gather and retain your data to enable each user to use the functionality of GPWales, be that finding or being notified of Permanent Jobs, applying for, managing and booking Locum Shifts or accessing various resources. For example, without the name, uploaded certificates/CVs and offered fee of a Locum, a Practice would be unable to assess if the Locum should be accepted for a shift.

In Wales, the legal basis for Welsh Government to collect and process data on the GP workforce is laid out in the National Health Service (Wales) Act 2006. The Welsh Ministers, in accordance with their powers contained in the NHS (Wales) Act 2006, may collect and process data on the general practice workforce in Wales.

Under the General Data Protection Regulation (GDPR) Article 6 (Lawfulness of Processing), the lawful bases we rely on for processing this information are:

a) Processing is necessary for the performance of a contract that the data subject is party to;

b) Processing is necessary for compliance with a legal obligation to which the controller is subject;

c) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

d) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

3. What we do with the information

We use the information that you have given us in order to:

· Enable users to filter, be notified, find and apply for Permanent Jobs or Locum Shifts. Users personal details will not be shared with any Practice until the user either;

a. applies for a Locum Shift (Permanent Jobs applications are made via NHSJobs) (which enables practice enabled users to view their name, GMC number, attachments and fee offered)

b. adds the Practice to their ‘Favourites List’ (which enables practice enabled users to view their name, GMC number, attachments and fee offered)

· Enable Users to access a range of functionality and resources

· Enable Practices, OOH Locations or 111 Regions to assess, book and manage candidates for Locum shifts

· Enable the use and update of other NWSSP databases, such as MPL, All Wales Locum Register (AWLR), General Medical Practice Indemnity (GMPI).

· Enable anonymised and aggregated reports to be generated for NWSSP*

*When providing reporting data to NWSSP, all data will be anonymised and aggregated. NWSSP may share this information with internal departments, Welsh Government, Health Education and Improvement Wales (HEIW), NHS Wales Health Boards (Primary Care Leads) and NHS Wales Informatics Service (NWIS).

There are a number of reasons why we share information, such as our duty to comply with contractual arrangements with NWSSP to the extent explained here, our duty to comply with the need to perform a public task, our duty to comply with any Court Order which may be imposed and to ensure smooth running and transition of services

Any disclosures of Personal information are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your Personal information to such persons.

Each NHS organisation in Wales and Welsh Government is responsible for protecting the public funds it manages. To do this we may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds. We will not routinely disclose any information about you without your express permission unless we are obliged to due to a legal / statutory duty.

4. What information we have and who can view it

In order to carry out functionality of the GPWales website, both for users, and for NWSSP we currently collect and process the following information. As this data is used for different functions and different visibility to other users/reporting we’ve grouped it based on accessibility/usage:

Data visible to Practice Enabled Users about other users if the user has applied for a Locum Shift, or adds the Practice to their ‘Favourites List’

  • Title
  • Forename
  • Surname
  • Ability to offer sessions in Welsh Language
  • Ability to offer sessions in [Other] Language (if completed by user)
  • GMC Number
  • Welsh Medical Performers List status

· English Medical Performers List inclusion or not

· Scottish Medical Performers List inclusion or not

· Northern Ireland Medical Performers List inclusion or not

  • Medical Indemnity status
  • Willingness to do Home Visits (if completed by user)
  • Willingness to do telephone consultations (if completed by user)
  • Willingness to do Admin (if completed by user)
  • Willingness to do On Call (if completed by user)

· Days of the weeks and time of day you’re normally willing to work (subject to opt-in being selected by user)

  • Pension Eligibility
  • Next of Kin information
  • Email (subject to opt-in being selected by user)
  • Phone (subject to opt-in being selected by user)
  • Data relating to your offered fees (subject to opt-in being selected by user)
  • Profile Photo (if completed by user)
  • Uploaded CV (if completed by user)
  • Uploaded Insurance Certificates (if completed by user)
  • Uploaded Additional Documents/Certificates (if completed by user)

· Additional Invoicing information if opted-in to this service

Data visible to Practice Enabled Users about the Practice preloaded from NWSSP or entered by Practice Users

· Practice Image, Name, W Code, Address, Postcode, Website

  • Description of practice visible to applicants
  • Local Health Board
  • Number of Patients
  • Number of Doctors
  • Number of Nurses
  • QOF Achievement
  • Dispensary on Site
  • Parking Available for Staff
  • Clinical System

· Additional Software: DocMan, INR Star, AccuRX, Attend Anywhere, DAWN, Other

  • Practice User Requests Name(s), Date Requested

· Practice User Enabled Name(s), Date Enabled, Enabled by whom

  • Branch Name, W Code, Address, Postcode

· Locum Shift(s) Date, Start & End Time, On Call, Number and duration of face to face appointments, number and duration of telephone appointments, number of home visits, guide fee, Notes, type of cover, application method, Status

· Applicant information as seen in list described above

· Permanent Job(s) Type, Title, Speciality/Function, Band, Salary, Closing Date, Interview Date, Qualifications required, Staff Group, DBS Level required, Advert Text, Job Description/Job Specification attachments, recruiting manager name/phone/email, Status

  • Other Staff names and functions

Data held by GPWales for ease of use for the user, reporting or functionality of the website. This is only ever visible in an identifiable way to yourself, GPWales staff or Website support/development contractors, all reporting is anonymised and aggregated.

  • Other names previously known by
  • Telephone
  • Address
  • Sex
  • Date of Birth
  • Ethnicity

· Welsh Language Reading, Writing, Speaking, Preference of use

· [Other] Language Reading, Writing, Speaking, Preference of use

  • Job Type
  • Employing Practice
  • Wider roles beyond Practice
  • Registered Interests
  • Special Interests

· If you’re looking for Permanent Jobs, distance willing to travel, opt-in notifications/emails of new postings

  • Willing to work out of hours
  • Government Survey questions

· All Wales Locum Registration number (if applicable)

· Qualification date as a GP (if applicable and in future)

5. How we store and the security of your information

We will store data electronically and will dispose of information by deleting it securely. As we hold data for you as an individual and for practices, it is advised that records are maintained in line with local Records Management Policy, and retention and destruction schedules that determine the minimum length of time records should be kept.

For the purposes of General Medical Practice Indemnity (GMPI) cover, we will retain information on Locum shifts relating to the user working each shift.

Your information is securely stored in Amazon Web Services Servers. These are some of the most secure servers in the world, and we take the security of data extremely seriously. The servers are backed up on a second by second basis, and all data is held in encrypted form.

Bank Details, if using the Automated Invoicing system is stored in a permanently encrypted state, and a separately encrypted database, only connectable by the User and related invoice Practice. For additional security, these invoices ae not saved within the site but generated ‘on the fly’ by the user when they wish to view their invoices.

Any data extracted from the system into reports will not be identifiable to the individual.

We take our duty to protect your Personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of Personal information for which we are responsible. We will treat your data as if it were our own, because as GPs ourselves, it is!

Your Personal information will not be sold on to any third party by us, or any agency that holds it for the purposes listed above.

Under the NHS Confidentiality Code of Conduct, we are also required to protect your information, inform you of how your information will be used, and where appropriate to allow you to decide if and how your information can be shared. Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and consented to by yourself, unless it is required or permitted by the law.

Completion of regular Information Governance training is a requirement of Data Protection Legislation. The training will ensure that staff are aware of their responsibilities regarding the safe and appropriate use of Person-identifiable, confidential information.

6. Your data protection rights

Under data protection legislation, you have rights including:

1. Your right of access - You have the right to ask us for copies of your personal information.

2. Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

3. Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

4. Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.

5. Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.

6. Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. If you wish to make a request please contact us at:

GPWales, 62 High Street, Merthyr Tydfil, CF47 8DE

0333 0111 899

Information Governance Manager: TJ Wheeler

7. How can I complain

In the first instance, you should contact GPWales who will try to help resolve your complaint.

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane




Helpline number: 0303 123 1113

8. What laws are relevant to the handling of personal information?

The law determines how organisations can use personal information. The key legislation governing the use of information is listed below:

  • UK Data Protection Act 2018
  • General Data Protection Regulation 2018
  • Human Rights Act 1998
  • Freedom of Information Act 2000
  • Computer Misuse Act 1998
  • Regulation of Investigatory Powers Act 2000

In relation to the use of GPWales information the law is primarily set out in Data Protection Legislation.

9. Changes to our privacy notice

We aim to keep our Privacy Notice under regular review and will revise as guidance and law changes, and issue a notification to all users if it changes.