This privacy notice explains how we collect, store and protect your personal data, and sets out your rights in relation to the data we process. The EU General Data Protection Regulation (GDPR), together with the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), seeks to protect and enhance the rights of EU data subjects. These rights cover:
- The safeguarding of personal data
- Protection against the unlawful processing of personal data
- Unrestricted movement of personal data within the EU and its storage within the EEA.
NB: Data is defined as information concerning any living person (a natural person who hereafter will be called the Data Subject) that is not already in the public domain.
WHO ARE WE/ SCOPE OF OUR SERVICES
- Sudhir Daya of Rabstone Ltd t/a Integrated Health
- Nicky Ellis of Nicky Ellis Ltd
We are the appointed Data Protection Officers and are registered with the Information Commissioner’s Office (ICO). For the purposes of this Privacy Notice, we will be referred to as the ‘Therapists’ from this point on. As Therapists, it is our role to diagnose and treat health conditions. Treatments are carried out in accordance with our regulatory bodies:
- The Chartered Society of Physiotherapy (http://www.csp.org.uk)
- The Health and Care Professions Council (http://www.hcpc-uk.co.uk)
- The General Osteopathic Council (https://www.osteopathy.org.uk/home/)
- The Institute of Osteopathy’s patient charter http://www.iosteopathy.org/osteopathy/the-patient-charter/.
NB: The practice may also provide other treatments, about which our staff will be pleased to provide more details.
If you have any questions about our privacy notice or would like to know more about how we hold your personal information please contact:
HOW WE SECURE YOUR PERSONAL DATA
By law we are responsible for ensuring the security of your data, and we take appropriate technical and organisational measures to prevent unlawful access to, or processing of, your personal information. Below is a list of some of the measures we have put in place to protect your data.
- Regularly change our passwords.
- Use two factor authentication key systems where possible.
- All the systems we use are to the best of our knowledge GDPR compliant.
- Regularly update software, and lock our screens when away.
- Any of our hardware that stores your personal data is password protected.
- Use Egress Switch (an email encryption service) so that we can email your personal data to you and to other healthcare professionals securely.
- Where reasonably possible, we seek advice, support and training to keep abreast of changes in the data protection laws on how we are required to handle personal information and respond to data breaches.
- The technology we use enables us to manage any potential data breaches in an effective manner.
- Where we use third-party providers of systems for processing your personal information, we ensure they are compliant with relevant data protection laws. We also ensure their systems provide appropriate mechanisms for the secure storage and recovery of your data.
HOW WE HOLD YOUR PERSONAL DATA
a) For the purposes of providing treatment, the Therapists may require detailed medical information. We will only collect what is relevant and necessary for your treatment. When you visit our practice, we will make notes, which may include details concerning your medication, past medical history, treatment and other issues affecting your health (Health Act 1999, Health Professions Order 2001, Health and Social Care Act 2008), alongside standard personal information such as your name, address, date of birth and contact details (phone/email). This data is always held securely. It is not shared with anyone not involved in your treatment, although for data storage purposes it may be handled by vetted staff who have all signed an integrity and confidentiality agreement. To be able to process your personal data, it is a condition of any treatment that you understand that:
- The Therapists are legally obliged to document and process your personal medical data (Health Act 1999, Health Professions Order 2001, Health and Social Care Act 2008).
- Contact details you provide, such as telephone numbers, email addresses and postal addresses, will be used to remind you of future appointments and to provide reports and/or other information concerning your treatment.
- As part of our obligations as primary healthcare practitioners, there may be circumstances related to your treatment, on-going care or medical diagnosis that require us to share your medical records with others, e.g. other healthcare practitioners (GPs, consultants, surgeons) and/or medical insurance companies. Where this is required we will always inform you first, unless we are under a legal obligation not to.
- If you are a minor, your personal information may be shared with a parent or legal guardian. Where this is required we will always inform you first, unless we are under a legal obligation not to.
- Your personal information may be shared with people or organisations when required by law or by our regulatory bodies, or with the police or other law enforcement agencies when required by law or a court order.
- Your personal information may also be shared with any person you have authorised us to share it with.
b) The Therapists will only collect the information needed so that they can provide you with the services you require. The business does not sell or broker your data.
c) For administration purposes, the Therapists use Real Time Reception Ltd to manage their appointments. Real Time Reception records telephone calls on the basis of legitimate interest, to allow our businesses to function, to optimise processes and to resolve any client complaints regarding appointments.
d) The Therapists may occasionally also act as a data processor on behalf of their patients, for example when promoting other practitioners based at our premises who may not be employed by us. We will discuss any possible referral to another practitioner with you.
e) The Therapists may maintain a marketing dialogue with your consent until you either opt out (which you can do at any time) or we decide to stop promoting our services.
f) Some basic personal data may be collected about you from records of our correspondence and phone calls and details of your visits to our website.
LEGAL BASIS FOR PROCESSING PERSONAL DATA
Our legal bases for processing are: performance of our contract with you, your explicit consent, and our legitimate interest in responding to enquiries concerning the services we provide and in enabling our business to function.
LEGITIMATE INTERESTS PURSUED BY THE THERAPISTS
To promote treatments for patients with all types of health problems indicated for care.
By agreeing to this privacy notice you are consenting to the Therapists processing your personal data for the purposes outlined. You can withdraw consent at any time by using the postal address, email address or telephone number provided at the beginning of this Privacy Notice, or via the websites listed above. Withdrawal or lack of consent may mean that the Therapists have the right to refuse to treat you.
The Therapists will keep your personal information safe and secure; only staff engaged in providing your treatment will have access to your patient records. Our administration team will have access to the contact details you provide over the phone so that they can make appointments and contact you about appointments. The Therapists will not disclose your Personal Information unless required to do so in order to meet legal obligations, regulations or valid governmental requests. The practice may also enforce its Terms and Conditions, including investigating potential violations of its Terms and Conditions to detect, prevent or mitigate fraud, security or technical issues, or to protect against imminent harm to the rights, property or safety of its staff. We use an encryption program whenever an e-mail contains personal or medical information.
The Therapists will process personal data for the duration of any treatment and will continue to store only the personal data needed for eight years after your final treatment, to meet our legal obligations. For adults, the eight-year period may be longer in specific circumstances. After eight years all personal data will be deleted, unless basic information needs to be retained by us to meet our future obligations to you, such as a record of the erasure itself. Records concerning minors who have received treatment will be retained until the child has reached the age of 25. Please refer to the Medical Records Act.
All hardcopy data is held in the United Kingdom in secure storage. The Therapists use a software system called Cliniko. Cliniko’s servers are based in Australia. The Therapists have an agreement with Cliniko that forms the legal basis for the transfer of data between us, and Cliniko has terms and policies in place to meet GDPR requirements for data processed outside the EEA. Hardcopy records will be destroyed confidentially, and softcopy records can be deleted permanently from the Cliniko software system. Other software used includes MailChimp, Survey Monkey and Dropbox, all of which are GDPR compliant.
YOUR RIGHTS AS DATA SUBJECT
At any point whilst the Therapists are in possession of, or processing your personal data, all data subjects have the following rights:
- The right to be informed: this privacy notice serves to inform you how we collect and use your personal data.
- The right of access: you have the right to request a copy of the information that we hold about you.
- The right of rectification: you have a right to correct data that we hold about you that is inaccurate or incomplete.
- The right to be forgotten: in certain circumstances, you can ask for the data we hold about you to be erased from our records.
- The right to the restriction of processing: where certain conditions apply you have a right to restrict the processing.
- The right of portability: you have the right to have the data we hold about you transferred to another organisation.
- The right to object: you have the right to object to certain types of processing such as direct marketing.
- The right to object to automated decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.
In the event that the Therapists refuse a request made under your right of access, we will give you the reason for the refusal, which you have the right to challenge legally. At your request, the Therapists will confirm what information they hold about you and how it is processed.
TO ACCESS WHAT PERSONAL DATA IS HELD, IDENTIFICATION WILL BE REQUIRED
The Therapists will accept the following forms of identification (ID) when you request information about your personal data: a copy of your driving licence, passport or birth certificate, and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and one supporting document is required. If the Therapists are not satisfied with the quality of the ID provided, further information may be sought before personal data is released. All requests should be made to firstname.lastname@example.org or email@example.com, or in writing to us at the address above.
In the event that you wish to make a complaint about how your personal data is being processed by the Therapists, please contact Sudhir Daya firstname.lastname@example.org or Nicky Ellis email@example.com.
If you do not get a response within 30 days, you can complain to the ICO: Wycliffe House, Water Lane, Wilmslow, SK9 5AF. Telephone +44 (0) 303 123 1113, or email via https://ico.org.uk/global/contact-us/email/
Rabstone Ltd t/a Integrated Health ICO registration number: Z3035489
Nicky Ellis Ltd ICO registration number: ZA215286
DATA BREACH (theft, corruption, unauthorised deletion and disclosure)
We will acknowledge a data breach and inform affected parties. We will investigate the cause of the breach and take steps to address it. If there is a risk to the rights and freedoms of the person(s) involved, we will report the breach to the ICO within 72 hours of becoming aware of it, as the GDPR requires, in particular where it could lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or social or economic disadvantage.
The police will need to submit a Section 29 Disclosure Request form to access a telephone recording, and a court order to obtain patient data, unless there is a compelling reason to do otherwise.