SURGERY OPEN Mon-Fri 7.30am-6.30pm. Walk-In 7.30am-10.30am.

Feedback

Feedback to help us plan our services

Patient Participation Group

Our Practice Participation Group (PPG) is intended to develop a partnership with patients to help us understand what patients think about our services, what priorities we should be focusing on and to provide a forum for discussing new ideas.

A PPG provides an opportunity to give a patient’s view on our services, contribute to ongoing improvement of our care, improve communication between us and our patients, encourage greater participation and taking of responsibility in healthcare.

Please note: A PPG is not a forum for complaints. If you would like to join our Patient Participation Group then please contact us.

How to complain

We would like to resolve complaints and concerns as quickly as possible and ideally with the people involved.

If your concern or complaint cannot be resolved immediately and you wish to make a formal complaint, then please provide us with details about your concerns as soon as possible. If this is not possible a complaint can be made within 12 months from the date on which the matter occurred, or from when the matter came to the attention of the complainant.

Please address your complaint to the Practice Manager or ask for an appointment with the practice manager.

You may also complain directly to the NHS Commissioning Board if you feel you cannot address your complaint with us.

What we do

We will contact you about your complaint within three working days and aim to investigate your complaint within 10 working days. This sometimes takes longer if the complaint is complex or the people involved are not available to talk to.

We will try to:

  • Find out what happened and what went wrong
  • Invite you to discuss the problem with the people involved, if you would like this
  • Give an apology where appropriate
  • Identify what changes we need to make to stop the problem from happening again.
Complaining on behalf of someone else

If you are complaining on behalf of someone else we will need to know that you have their permission and we will ask for a signed note from the person involved unless they are incapable of providing this.

What if you are still not happy

We hope to resolve all complaints to your complete satisfaction. However, if you are not happy with our response then you can contact NHS England Customer Contact Centre on 0300 311 22 33, email england.contactus@nhs.net or write to:

NHS England
PO Box 16728
Redditch
B97 9PT

If you remain unhappy then you can contact the Health Service Ombudsman on 0845 015 4033 or write to:

Millbank Tower
Millbank
London
SW1P 4QP

If you have any ideas about how we can do things better then we would like to hear from you. All complaints are treated in the strictest confidence. Making a complaint will not affect your care.

Practice Policies

Equality and Diversity Policy

The Practice is an equal opportunities employer. The aim of this policy is to ensure that no job applicant or employee receives less favourable treatment on the grounds of marital status, disability, race, colour, nationality, ethnic or national origins, or is disadvantaged by provisions, criteria or practices which cannot be shown to be justified in law or relevant to the performance of the job. Where a job applicant or employee is disabled, the practice will attempt to comply with the duty to make reasonable adjustments.

The practice will do its utmost to ensure that all applicants and employees are treated fairly, and that the practice environment is free from discrimination and harassment.

The success of any policy depends on the degree of commitment of all employees, and you should be aware of the equal opportunities policy and of the obligations which fall upon you both to ensure its success and to comply with both it and the legislation relating to discrimination.

Selection criteria and personnel procedures will ensure that individuals will be selected, promoted and treated on the basis of their relative abilities and merits and according to the requirements of the job. Person and job specifications will be limited to those requirements which are necessary in order to be able to perform the job and selection procedures and interviews will be conducted objectively.

All employees will be given equal opportunity and where appropriate training and progress within the organisation.

All employees should appreciate that breach of the practice's equal opportunities policy is regarded very seriously. Such a breach is likely to lead to disciplinary action which is likely to result in dismissal.

The responsibility for ensuring that the Policy is implemented lies with the Manager.

It is the policy of the employer to meet the provisions of the Sex Discrimination Act, the Race Relations Act and the Disability Discrimination Act. These statutes make it unlawful to discriminate on the grounds of sex, race or disability.

For the purposes of the Sex Discrimination and Race Relations Acts, discrimination can occur in two ways. There can be direct discrimination and indirect discrimination.

Direct Discrimination occurs where a person is treated less favourably, simply on the grounds of, for example, sex, race or marital status. It is not essential that direct discrimination is deliberate or with malice.

Direct discrimination applies particularly where it is considered that someone of a different sex or ethnic background to the existing workforce is rejected for a job because he or she might not 'fit in'.

Another example is where a prospective female employee with young children is denied employment because it is felt that her child care commitments will make her unreliable. There are many other examples.

Indirect Discrimination arises when an unjustifiable provision, criterion or practice is applied equally to both sexes or to different racial groups, but which is such that it is to the detriment of a considerably larger proportion of one group than another. In other words, the supposedly neutral condition has a disproportionate impact upon one particular group/sex.

A particular example of this is where a woman with young children is denied flexible working arrangements and the employer is unable to justify its insistence upon, for example, full time working.

Disability Discrimination occurs where a person, because of a reason connected with his/her disability, is disadvantaged in employment or recruitment.

The Disability Discrimination Act makes it unlawful to discriminate against disabled persons for reasons connected with their disabilities, unless the employer is able to justify such discrimination. Such discrimination cannot be justified unless the employer has complied with the duty to make reasonable adjustments.

The Acts make it unlawful for an employer when dealing with job applicants to discriminate against any person:

  • In the arrangements the employer makes in recruiting staff
  • In the terms of employment offered
  • By refusing or deliberately omitting to offer a person employment

The Acts make it unlawful for an employer to discriminate against any of that employer's employees:

  • In the terms of employment
  • By refusing or deliberately omitting to give access to opportunities for promotion, transfer, training and any other benefits or services
  • By dismissal or any other detrimental treatment.

The Practice is responsible for any act of discrimination committed by an employee in the course of his/her employment, whether or not it was done with the employer's knowledge or approval. It is a defence in proceedings for the employer to prove that such steps were taken as were reasonably practicable to prevent the employee from discriminating, e.g. by operating a clear policy of non-discrimination and equal opportunity.

Your information and data processing

Data Protection Policy

Practice name: Whiteladies Medical Group

Address: Whatley Road Clifton Bristol BS8 2PU

System Manager

Name: Sue Jones

Position: IT Manager

The System Manager is responsible for:

Notifying the Data Protection Commissioner of all new information use
Renewing the Data Protection Notification
Documenting and reviewing procedures and policies relevant to The Act.
Ensuring all staff (including contractors) sign a confidentiality agreement, either as a clause in their contract or as a separate agreement such as a code of conduct.

All staff will be aware of:
The Principles Of The Data Protection Act

These are attached to this policy.
Basic Security Considerations For Data Storage

A backup is performed every evening; all backup tapes are stored in a safe.
What Data Do You Want?

The Act states that data about people must be adequate, relevant and not excessive.
Why Do You Want the Data?

Data can only be held if it is to be used for a specific reason. You cannot say 'it might be useful at some point'. Ascertain exactly what information is required, and then request only this information.
How Long Do You Really Need To Keep the Data?

The patient's medical record can be kept as long as the patient is still registered with us.
Who Wants the Data?

Do not disclose information to unknown applicants; always request the details in writing so that their authenticity can be ascertained.

Do not be persuaded by the applicant's sense of urgency.
Protecting Practice Data

It is in your own interests to know the rules - it is a contractual part of your job to ensure confidentiality and data security. If you do not, and either deliberately or negligently divulge information, you will be subject to disciplinary action.

If you have any doubts, ask for advice
All staff must protect data:
From Other People

Supervise visitors.
Always ask the Practice Manager if not sure what you can tell people.
Password protect confidential documents if you copy them to a floppy disk
Use screensavers or log out to protect on-screen data from being viewed while you are away from your desk.
Do not send patient identifiable data in emails or faxes

From Accidents

Safeguard your computer from heat and water. Keep that coffee cup away from your computer!
Do not leave disks near magnetic fields, such as the top of a screen or near a telephone.
Save and backup your data at regular intervals.
Ensure data cannot be corrupted/deleted in error
Do not leave disks in drives, store media carefully.

From Theft

Lock doors and windows
Do not leave paper, disks or tapes lying around. Store properly.
Password protect PCs and Laptops
Do not leave your laptop visible in your car. Travel with it in the boot if possible.
Do not write down your password and leave with the laptop!
Do not keep confidential data on a laptop (even deleted data can be retrieved). Save confidential data to a floppy disk.
Remove files from floppy disks before reuse or disposal. Delete is not adequate for confidential data; the disk must be destroyed or reformatted.
Confidential paper waste must be placed in Confidential Waste sacks or shredded.

The Eight Principles of the Data Protection Act 1998.
A guide to what it means
First Principle:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

at least one of the conditions in Schedule 2 is met, and
in the case of sensitive personal data, at least one of the conditions in Schedule 3 is met.

You use data only when necessary and you must have legitimate grounds. The only legitimate grounds are those shown in Schedules 2 & 3, printed at the end of these eight principles.

Do the people on your system know exactly why you collect the data about them? They must be kept informed, and consent must be given if you want to use their details. They are also entitled to know who is responsible for their information in your practice.
Second Principle:

"Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes"

You cannot use or give away data you have collected for other purposes than those you have registered, and you must have good reason to do what you do.

Registering what you do (now called notification) does not automatically mean that you have complied with this principle. (Check against the schedules)

You must also think about how the people you give data to will use it. Are the people who use the data prevented from seeing the data that they don't need?
Third Principle:

"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed"

You can only request information that you specifically need. Do not request additional information unnecessarily.

E.g. if you request data relating to how many times people visit the doctor, you would not need to know their marital status. If you did, you would need to show the specific purpose of this particular piece of information.

Don't put in personal comments or additional information.
Fourth Principle:

"Personal data shall be accurate and where necessary, kept up to date"

You must take reasonable steps to ensure that all the information held is accurate, even if it is taken from the person directly.

If it is the kind of information that can change you have a duty to keep it up to date. You must correct errors and update any changes that you are aware of.

This applies even if you got someone else to collect the information for you: if you use data you have to check it.
Fifth Principle:

"Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes"

If you don't need the data any more, for the reason you registered, then you may not keep it. You cannot keep it for another reason, or in case it comes in handy.

If data has not been used for a long time, and is unlikely to be used again for the registered purpose, it should be deleted.

You must also think carefully before deleting data and document your reasons for destroying it.
Sixth Principle:

"Personal data shall be processed in accordance with the rights of data subjects under this act"

The data controller must respond properly to a data access request, or a request to prevent processing.

If someone wants to see all of the data (paper and computer) you hold about them, they have a right to see it in a user-friendly format within 40 days.
Seventh Principle:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental destruction of, or damage to, personal data"

You must ensure that data is kept safe from corruption, deletion and change, and the computers that it is stored on must also be protected from harm.

Taking technology and cost into account, and also considering the reliability of staff, you must ensure that you take measures to protect your data appropriate to the amount of harm that could come from a breach of security.

Staff must not be able to see data that they don't need to.

You are obliged to offer guaranteed levels of security, take steps to make sure that measures are complied with, and that whoever processes data does so as part of a written contract with the data controller, who is the only person allowed to instruct them.
Eighth Principle:

"Personal data should not be transferred to a country or territory outside the economic area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data"

Personal data should not be transferred out of the European Economic Area, unless that area has an adequate level of data protection.
Schedule 2 conditions

One of these conditions (Schedule 2) must apply to all data processed:

The subject has given consent
The processing is necessary to carry out or enter into a contract with the subject
It is necessary due to a legal obligation
It is for a person's vital interest, that is a matter of LIFE OR DEATH
The processing is necessary in the interests of justice, law, the crown or the public.
Is necessary for the pursuit of legitimate interests of the data controller and does not infringe upon the person's rights.

Schedule 3 Conditions

If data is sensitive, at least one of these Schedule 3 conditions applies:

The subject has given EXPLICIT consent
The process has to be carried out, as a legal duty
It is for a person's vital interest,
AND Consent could not be reasonably had, or the subject unreasonably withholds it against another's vital interest.
Processing is being done as part of the legitimate activities of a non-profit organisation, concerns only its own members and contacts, and doesn't involve disclosing information without the subject's consent.
The subject has deliberately caused the data to be made public
Processing is necessary for legal proceedings, advice, or rights
The processing is necessary in the interests of justice, law, or the crown
Is necessary for health purposes and is taken by a health professional or someone with an equivalent duty of confidentiality
Processing is necessary for the recording of ethnic origin, is necessary for monitoring of equal opportunities for racial and ethnic groups to promote equality AND considers the person's individual rights and freedoms

What is Sensitive Data?

Sensitive data is any personal data consisting of information about a person in any of these categories:

Racial or ethnic origin
Political opinions,
Religious beliefs or other beliefs of a similar nature,
Whether a member of a trade union
Physical or mental health or condition,
Sexual life,
Whether they have carried out or been accused of committing any offence
Any court proceedings for any offence committed (or accusation) including the sentence.

As you can see all Health Data is considered to be sensitive.

Even collecting data such as whether someone is Mr or Mrs can be considered sensitive.
Who are the people involved?
Data Controller

The practice that holds the data is the data controller.

The practice is responsible for deciding what information is collected, what that information is used for, and who by. This can be the Practice Manager acting on behalf of the Senior Partner.
Data Processor

This term refers to the people who collect, store or use the information, and in the case of general practice usually refers to the staff in the practice.
Data Subject

The person that the information is about, usually your patients or the practice staff.
Data Protection Act 1998
Individuals' Rights (Right of Subject Access)
How requests for information should be made

Any request by an individual (data subject) for access to information that you hold about them must be made in writing (this includes transmission by electronic means).

The written request must contain sufficient information to enable you to undertake the search required (e.g. Name, Address and Date of Birth). You are not obliged to comply with an individual's request until the requester has given you adequate information.

You do not have to release the information until the request has been received in writing and the required fee has been paid.

You can charge a fee for the release of the information.
The fees that can be charged are:

£10.00 - Maximum fee for copies of computerised records only
£50.00 - Maximum fee for copies of manual health records, or part computer/part manual and other media
£10.00 - To read the records (where no copy is required) and no changes have been made to the records in the last 40 days.
No fee - To read the record (where no copy is required) and changes have been made in the last 40 days.

The maximum fee that can be charged is £50.00 (this includes photocopying and postage charges).

£50 must not be charged in all cases, but on a cost recovery basis. It has been suggested that we continue charging a rate per sheet.
What information are people entitled to?

You must comply with an individual's request within 40 days of receipt of the written request and the fee. Once this has been received the individual is entitled to:

Access to personal data about themselves which is held in either computerised or manual forms, from whenever the record was compiled. People have a right of access to all records irrespective of when they were created, unless permitting access to the data would be likely to cause serious harm to the physical or mental health or condition of the data subject or another person (e.g. health professional).
A description of the data held, why the data is being processed and who has access to it (the leaflet "Your Records are Safe with Us" should help explain this to patients). If more information is requested it is advisable to offer the individual an appointment to see the individual responsible for controlling information flow such as a practice manager in the case of general practices.
Data that is not intelligible to be explained to them (explanation of codes and abbreviations).
Any information you hold as to the source of the data if held**

Information must be supplied in a permanent form, unless this causes disproportionate effort by you or the data subject agrees to the information being supplied in another form. This might apply if the printed version is very lengthy or is held in a remote archive.
Special conditions

Once the request has been received you must not make any amendments or deletions to the data that would not have otherwise been made.

The data must not be tampered with in order to make it acceptable.

You do not have to comply with a request where you have already complied with an identical or similar request by the same individual, unless a reasonable interval has elapsed. In deciding what a reasonable interval is you must take into consideration the nature of the data, why the data is used and the frequency with which the data is altered.

** If information is requested by a patient, and this identifies an individual as the source of the information (e.g. a relative has provided certain information), this can only be released if that individual consents to the release, or where it is seen as reasonable to comply with the request without that individual's consent (questions regarding the duty of confidence owed to the individual must be taken into consideration).
Other rights

An individual has a right to prevent processing of their data where the damage or distress is unnecessary.
An individual who suffers damage or distress as the result of any contravention to the Act is entitled to compensation.
They also have a right to ask for data to be rectified, blocked, erased or destroyed if the Courts find this data held is inaccurate.

Remember

You may wish to verify a person's identity by asking them to confirm their NHS number (if known). Further checks can be undertaken by asking the individual to produce a copy of their driving licence or credit card.

Solicitors and insurance companies will make requests. The person involved must sign a written consent form and this needs to be sent to you before any information is released.
Sharing Information with other Organisations
Response by doctors to request for notes - guidelines for doctors receiving requests from solicitors to release patients notes for litigation purposes.

Doctors are often approached by solicitors, seeking the release of patient's notes for court proceedings. The ethical and legal issues are complex. Unless required to release the information, by law, a doctor should not disclose information without the patient's consent.

It is often argued that when the solicitor writes to a doctor indicating that s/he has been instructed by the patient, consent can be regarded as implied by that original letter from the solicitor. Nevertheless, in some cases there may be confusion as to whether solicitors are working for the patient or for another party. It is advisable that patient consent be verified and, ideally, written authorisation to the release of records be obtained from the patient.
General Practitioners

When a GP receives a request for the release of records relating to the care of a patient from a solicitor acting for the patient, it is essential that written patient consent be included. If such a request is not accompanied by the patient's signed authorisation for the release of information, the doctor should inform the solicitor that the request cannot be considered until such authorisation is received. Depending on the object of proposed litigation, the doctor may also need to contact his/her Defence Society at this stage. Prompt contact at an early stage is certainly advised if the doctor or a colleague is the object of legal proceedings.

In general, similar considerations will apply as those outlined above for the release of hospital notes. If the matter raised in the solicitor's letter has sufficient substance to indicate it is not a "fishing expedition", early release of records can be agreed. If the doctor is unwilling to release the records, the solicitor may then seek a court order to obtain them. This may add unnecessarily to the cost of the case.

As mentioned above, an offer of a report instead of records would not be appropriate if the solicitor has made it clear it is the notes which are required and the patient has given written agreement. Efforts by a doctor to limit the information disclosed may lead the solicitor acting for the patient to assume there is information in the remainder of the notes which is in some way disadvantageous to the doctor or his colleagues. If the notes contain information which is irrelevant to the litigation and potentially embarrassing to the patient, it is strongly recommended to draw this to the patient's attention and confirm his/her consent to its release. It is similarly to be strongly recommended that the doctor contact the patient directly if there is any doubt concerning the validity of the patient's consent or the patient's understanding of what that consent implies.

The Association advises that the doctor should ensure that notes are released to a medical expert acting for the solicitor if the information in them represents, in the doctor's judgement, a danger to the patient's well-being. In other cases, the GP should not make this a requirement to the release of notes, as frequently patients and their solicitors will not agree to disclosure being limited in this way. Requests for records should be dealt with carefully but promptly, avoiding unnecessary delay.
Disclosure without patient consent

Difficulties will arise for all doctors when patient consent is not obtainable. If the patient is mentally incapable, the doctor must form a judgement of the patient's best interests and may also need specific legal guidance. In any doubtful situation doctors are advised to seek help before making decisions on these matters. Sources of advice are the BMA, Defence Bodies and LMC secretaries for GPs.

If solicitors request information about a deceased patient, doctors should bear in mind the general principle that confidentiality to a patient extends beyond death. The Access to Health Records Act allows the deceased patient's representative access to certain information in the records. If such a request is made invoking the Act, doctors are advised to obtain the BMA guidelines on the Act, which are available on request to the Ethics Division.
Information concerning third parties

Just as information about a patient should not be disclosed without that patient's consent unless required by law (see below), so the release of information about a third party requires that person's consent.

Some hospital records will contain information about, or which identifies, a third party. If that third party is anyone other than a health professional involved in the care of the patient, the individual's consent to release of that information should be sought.

There is no legal requirement for a doctor to consult medical colleagues who may be named or have provided information in the clinical record. However, as a matter of courtesy, doctors are advised to inform other colleagues who have contributed to the record of the solicitor's request for release of the information.

Similarly, the new GP contract obliges GPs to record, when known, medical conditions suffered by consanguineous relatives of the patient. Therefore, in time, many GP records will hold some details about third parties. Only where a court orders the release of such information can it be divulged without consent of the third party concerned unless as above, it concerns a health professional caring for the patient.
Disclosure required by law

There is no legal privilege for communications between patient and doctor. Courts can, therefore, compel a doctor to give evidence, and direct him to disclose confidential information when giving it. A refusal to comply with such a direction could constitute contempt of Court, punishable by fine or imprisonment.

When asked by a Court to disclose information contrary to the patient's wishes, the doctor should refer to the obligation of professional confidence, as suggested by Lord Denning. The Court may take this into consideration, but if it nonetheless orders the doctor to answer the questions, s/he is advised to comply in the interest of justice. Doctors should take care to involve their Defence Body or legal adviser before this point is reached.

The law relating to the disclosure of medical records for the purposes of litigation in claims based on personal injury or death is now contained in Sections 33 and 34 of the Supreme Court Act 1981. Section 33 deals largely with pre-action disclosure when the custodian of the records, such as a health authority or doctor, is likely to become a party to subsequent court proceedings. Section 34 deals with a different situation when the medical records required are in the custody of a person or body who is not a party to the proceedings. This may happen, for instance, if the patient wishes to sue the hospital but his/her legal advisers think it prudent to see the GP notes even though the GP is not expected to become a party to the proceedings.

Broadly, these sections of the Supreme Court Act empower the Court to order the disclosure of medical records to:

a person who is an actual or potential litigant;
his/her legal adviser; or
his/her legal advisers and any medical or any other professional adviser nominated; or
if s/he has no legal adviser, to any medical or other professional adviser

Discretion in deciding which of these methods to use lies with the Court.

Litigation resulting from personal injury is the usual circumstance in which the court may authorise release of clinical notes. It may specifically order the release of medical notes in circumstances indicated in sections 33-35 of the Supreme Court Act, 1981. The court can, however, require evidence to be given on any matter which becomes material in the course of legal proceedings. A doctor may be a compellable witness in relation to such investigations, but this is a different matter from being required to produce clinical notes.

As mentioned previously, there may also be a statutory obligation to release information under the Access to Health Records Act 1990. The Act is intended to give patients a statutory right of access to their own records. In certain circumstances a patient's representative may exercise this right on the patient's behalf. A solicitor may be such a representative. In circumstances where the Act is invoked, doctors are advised to consult BMA guidance on the provision and limitations of the legislation.
Summary of points

  • Consent should be obtained from the patient before a doctor agrees to release information to solicitors. The doctor must not divulge information without patient consent unless so directed by a court.
  • Requests for release of records should be handled carefully and promptly. Once patient consent has been verified, delays should be avoided unless there are exceptional circumstances which require the doctor to seek further advice. Such advice should be quickly sought.
  • If a GP is the object of possible litigation, the relevant Defence Society should be consulted immediately.
  • Doctors should offer reports instead of notes if the solicitor indicates this is acceptable. Where it is clear that only notes are acceptable, the notes themselves or certified photocopies should be provided.
  • Information about or identifying a third party should not be released without that person's consent. The only exceptions to this occur when a court, having been informed that the confidentiality of a third person is in question, orders the disclosure, or if the person so identified is a health professional who has been involved in the patient's care.
  • As a matter of courtesy, doctors should inform medical colleagues who have contributed to the clinical record of the request for release of the records.
  • Doctors should remember that, if they are subpoenaed, the Court has the discretion to decide what form the information released should take, and to whom it should be sent. The doctor is advised to consult either the Health Authority legal adviser or relevant Defence Body for advice if subpoenaed.
  • When the litigation concerns a deceased patient, the doctor's duty of confidentiality should still prevail unless the application for information is made under the terms of the Access to Health Records Act.

The Data Protection Register
Data Protection Act 1998. Register of Data Controllers

Registration Number: Z6952727

Date Registered: 17-JUL-02 Registration expires: 16-JUL-08

Data Controller: WHITELADIES HEALTH CENTRE

Address:

WHITELADIES HEALTH CENTRE
WHATLEY ROAD
CLIFTON
BRISTOL
BS8 2PU

We received an annual renewal from the Information Commissioner.

The Information Commissioner should be informed of any changes made that involve patient data or patients' privacy, i.e. CCTV.

BS7799 - British Standard of Information Systems Security
Background

BS 7799 is the internationally acclaimed British Standard that addresses the subject of Information Security Management. It is a common framework to enable organisations to develop, implement and measure effective security management practice. The standard is based on the best current information security practices of leading businesses.

The guidance given in BS 7799 provides a single reference point for identifying the range of controls needed for most situations where information systems are used.

BS 7799: 1999 is a superset of the 1995 version: it contains all the original controls and a set of new controls which extend and complement the scope of BS 7799 to provide even more elements of best practice. For example, the new version includes controls for areas such as electronic commerce, mobile computing, teleworking and outsourcing. The standard contains 128 controls categorised under 45 headings. For example:

  • Information Security Policy
  • Security Organisation
  • Information Security Infrastructure
  • Security of 3rd Party Access
  • Asset classification, control and accountability
  • Personnel Security
  • Security in job definition and resourcing
  • User training
  • Responding to security incidents and malfunction
  • Physical and environmental security
  • Secure Areas
  • Equipment and general controls
  • Business continuity management

BS 7799 is published in two parts:

BS 7799-1: 1999 Code of practice for information security management

This standard is intended for use as a reference document by those who are responsible for developing, implementing and maintaining information security within their organisation.

BS 7799-2: 1999 Specification for information security management systems

This part of BS 7799 specifies requirements for establishing, implementing and documenting information security management systems (ISMS). It specifies security controls to be implemented by an organisation following a risk assessment to identify the most appropriate control objectives and controls applicable to its own needs.

This part of BS 7799 forms the basis for an assessment of the information security management system (ISMS) of the whole, or part, of an organisation and is used as the basis for the BS 7799 c:cure Certification scheme.

Comments and Complaints

We make every effort to provide high standards of care and the best service possible to all of our patients.

If you have a complaint or concern about the service you have received from us then please let us know.


Our Address

Whiteladies Medical Group
Whatley Road
Clifton
Bristol
BS8 2PU

Tel: 0117 973 1201
Fax: 0117 946 6850
