2018 Dale Chappell Physiotherapy - Clinic Patient Privacy Statement
Our privacy statement is to let you know how we promise to look after your personal data. It explains how we collect, process, protect, store, manage and share any personal data (information used to identify an individual, including, but not limited to first & last name, date of birth, a home or other physical address, email address or other contact information and bank details) you share with us.
All data collected within the clinic (whether orally, via paper records or messages received over the answerphone system) is kept fully confidential, not left unattended and stored in locked areas if unattended by a physiotherapist. Any data transferred to the clinic computer is only accessed by the owner and is password protected. Any information shared (with consent) is shared via secure email. Emails received via btinternet are received within their secure network and only sent to the owner’s password-protected computer and iPhone.
How we obtain your personal data
Information provided by you
You provide us with personal data, either on your registration form (filled in by you or collected verbally within your physiotherapy session by your physiotherapist), via our website ‘contact us’ link, via our clinic email address or over the telephone. Additionally, you may provide us with details of your bank card or account via a cheque or debit/credit card payment.
We use this information to manage and administer your treatment course with us and related payment account / record.
We may also keep information contained in any correspondence you may have with us, or provide us with (whether by hand, post, email or phone text messaging). We also record answer phone messages.
Information from other sources
We may obtain sensitive medical information directly from you, your medical practitioner or other related health care professionals (the provision of this information is subject to you giving express consent).
Why we process your personal data
The new data protection law states that we can use and process personal information if we have an appropriate and lawful reason to do so. The law states that we must have one or more of the lawful reasons listed here:
• If a contract is in place
• If it is a legal obligation to do so to comply with the law
• If we have been given clear, concise consent to process your data
• If it is in our legitimate interests to do so.
We must be able to identify you individually to ensure correct clinical records, appropriate treatment, attendance trails and payment records. We also need to communicate with you during the course of your treatment. We only ask for data that is relevant to these points and we will not further process your data in a manner which is not compatible with those purposes.
How we use your personal data
We use your personal data to manage and administer your physiotherapy course / input and related payment account / record. As a clinic / clinicians we act as data controllers. Currently only the chartered & HCPC physiotherapists working within the clinic could have access to your personal data.
We document the clinical records / information in paper format and it is used and stored (when not in direct use) securely. We also store typed letters and patient videos (when taken with express consent for clinical purposes) in computer folders protected with a password. All emails sent from the clinic are sent via secure email through Egress Switch.
At all times we undertake to reasonably protect your personal data (including within storage) and this data is treated confidentially, privately and securely under the Chartered Society of Physiotherapy’s codes of professional values and behaviour, the Health & Care Professions Council standards of performance, conduct and ethics and within the requirements of the General Data Protection Regulation (GDPR) law.
We do not use any data provided for marketing purposes.
We will keep information about you confidential and only disclose your information with other third parties (for example doctors, other health care professionals and insurance companies) with your express consent, with the exception of the following categories.
Categories of third parties
• insurance companies, loss assessors, regulatory authorities and other fraud prevention agencies for the purposes of fraud prevention and to comply with any legal and regulatory issues and disclosures
• any contractors or advisors who provide a service to us or act as our agents on the understanding that they keep the information confidential
• anyone to whom we may transfer our rights and duties under any agreement we have with you
• any legal or crime prevention agency and/or to satisfy any regulatory request (including recognised practitioner bodies) if we have a duty to do so or if the law allows us to do so.
Transfer of your data outside the European Economic Area (EEA)
We do not currently transfer your personal data outside the EEA. If in future we transfer your personal data outside the EEA, in accordance with the terms of this policy, we will make sure that the receiver agrees to provide the same or similar protection as we do and that they only use your personal data in accordance with our instructions.
How long do we keep your data for?
In line with current policies and legislation, we keep your personal information / records for a minimum of 8 years after the conclusion of treatment. Obstetric records must be held for 25 years. Records relating to children and young people must be kept until the patient’s 25th birthday or 8 years after the last entry if longer.
Once data is no longer needed, we securely shred the records.
Data Subject Rights
Subject access requests
The GDPR grants you, “the data subject”, the right to access particular personal data that we hold about you. This is termed a ‘subject access request’. We shall respond promptly and within one month from the point of receiving the request. Our formal response shall include details of the personal data we hold about you including the sources from which we acquired the information, the purpose for processing the information and persons / entities with whom we are sharing the information.
Right to rectification
You shall have the right to obtain from us without any undue delay the rectification of any inaccurate personal data we hold concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
You shall have the right to obtain from us the erasure of personal data concerning you without undue delay allowing for the above data retention policies and legislation. There may be a legitimate reason or legal obligation as to why we cannot remove or delete some of your personal information, which would be fully explained should that situation arise.
Right to restrict processing
Subject to exemptions, you shall have the right to obtain from us restriction of processing where one of the following applies:
• the accuracy of your personal data is contested by you and is restricted until the accuracy of the data has been verified
• the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction in its use
• we no longer need the personal data for the purposes of processing, but it is required by you for the establishment, exercise or defence of legal claims
• you have objected to processing of your personal data pending the verification of whether there are legitimate grounds for us to override these objections.
Notification obligation of rectification or erasure of personal data or restriction of processing
We shall communicate any rectification or erasure of personal data or restriction of processing as described above to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort. We shall provide you with information about those recipients if you request it.
Right to data portability
You shall have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller, without hindrance from us.
Right to object
You shall have the right to object on grounds relating to your particular situation at any time to the processing of personal data concerning you, including personal profiling unless this relates to processing that is necessary for the performance of a task carried out in the public interest or an exercise of official authority vested in us. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims.
Invoking your rights
If you would like to invoke any of the above data subject rights, please write to the Data Protection Officer at The Dale Chappell Physiotherapy Clinic, 17a South Hawksworth Street, Ilkley, West Yorkshire, LS29 9DX or email .
Accuracy of information
In order to provide the highest level of customer service, we need to keep accurate personal data about you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information we obtain. We ensure that the source of any personal data or sensitive information is clear and we carefully consider any challenges to the accuracy of the information. We also consider when it is necessary to update the information such as name or address changes and you can help us by informing us of these changes as they occur.
Questions / Queries / Concerns
If you have a complaint about the use of your personal data or sensitive information, then please write to the Data Protection Officer at The Dale Chappell Physiotherapy Clinic, 17a South Hawksworth Street, Ilkley, West Yorkshire, LS29 9DX or email . If your complaint is not resolved to your satisfaction, you can make a formal complaint to the Information Commissioner’s Office (ICO) by telephoning 01625 545745 or 0303 123 1113. You also have the right to judicial remedy against a legally binding decision of the ICO where you consider that your rights under this regulation have been infringed as a result of the processing of your personal data. You have the right to appoint a third party to lodge the complaint on your behalf and exercise your right to seek compensation.