GDPR Compliant Text Messaging Policy

GDPR-Compliant Text Messaging Policy for Old Kilpatrick Medical Practice

  1. Purpose

The purpose of this policy is to ensure that Old Kilpatrick Medical Practice complies with the General Data Protection Regulation (GDPR) when sending text messages (SMS) to patients. This policy outlines the procedures for obtaining consent, data protection, and security measures.

  1. Scope

This policy applies to all staff members at Old Kilpatrick Medical Practice involved in the collection, processing, and dissemination of patients' personal data via text messaging.

  1. Legal Basis for Processing

Old Kilpatrick Medical Practice will only send text messages to patients if at least one of the following conditions is met:

  • Explicit consent has been obtained from the patient.
  • The text message is necessary for the performance of a contract to which the patient is a party.
  • The text message is necessary for compliance with a legal obligation.
  • The text message is necessary to protect the vital interests of the patient or another person.
  • The text message is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  1. Obtaining Consent
  • Patients must provide explicit consent to receive text messages.
  • Consent must be documented and stored securely.
  • Patients must be informed about the types of messages they will receive (e.g., appointment reminders, health information, prescription notices).
  • Patients must be informed of their right to withdraw consent at any time and the process for doing so.
  1. Data Minimisation
  • Only essential information will be included in text messages to ensure data minimisation.
  • Sensitive personal data will not be included in text messages.
  1. Data Security
  • Text messages will be sent through a secure messaging service that complies with GDPR.
  • Access to the text messaging system will be restricted to authorised personnel only.
  • Appropriate technical and organisational measures will be implemented to ensure the security of personal data.

 

  1. Patient Rights
  • Patients have the right to access their personal data, request rectification or erasure, and object to processing.
  • Patients must be informed of their rights and how to exercise them.
  1. Data Retention
  • Personal data processed for text messaging will be retained only as long as necessary for the purposes for which it was collected.
  • A data retention schedule will be maintained and regularly reviewed.
  1. Data Breach Notification
  • In the event of a data breach, the practice will follow its Data Breach Policy, including notifying the Information Commissioner's Office (ICO) and affected patients where required.
  1. Training and Awareness
  • All staff involved in sending text messages will receive regular training on GDPR compliance and data protection best practices.
  1. Review and Updates
  • This policy will be reviewed annually or when there are significant changes in data protection laws or practices.
  • Updates to the policy will be communicated to all relevant staff.
  1. Contact Information

For any questions or concerns regarding this policy, patients can contact us at:

  • Phone: 01389 315800
  • Email: ggc.gp40065clinical@nhs.scot
  • Address: Erskine View, Old Kilpatrick, G60 5JG