GENERAL DATA PROTECTION & PRIVACY INFORMATION
Effective Date: May 2018
We may amend this Data Protection Policy from time to time. Please check this Data Protection Policy regularly to ensure you understand the practices which will apply at that time for Chiswick Physio.
Chiswick Physio is a trading name of Nathan Carter Ltd. For future reference in this document ‘NC Ltd’ relates to Chiswick Physio. This Data Protection Policy applies to all personal data NC Ltd holds about data subjects, whatever its source.
NC Ltd is a registered data controller under the Data Protection Act 1998. NC Ltd maintains a data protection notification with the Information Commissioner’s Office (the independent authority responsible for overseeing compliance with the Act), which means that the Information Commissioner is notified of the types of Personal Data processed by NC Ltd, the purposes for which NC Ltd processes data and whether or not NC Ltd transfers personal data outside the European Economic Area. NC Ltd’s register entry number is ZA346514 and may be found by searching the Information Commissioner’s site at https://ico.org.uk/esdwebpages/search.
The information in this policy is a broad description of the way NC Ltd processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances. If direct contact is needed to modify or access any personal data that NC Ltd may hold, please send an email to email@example.com or phone 07900603617. Please request contact with our data protection officer, Nathan Carter.
Processing of Information
NC Ltd collects and processes Personal Data about employees, patients and other individuals (collectively ‘data subjects’). Data subjects also include suppliers; other medical professionals, including GPs and medical consultants; therapeutic practitioners, including physiotherapists, chiropractors and massage therapists; and exercise specialists, including Pilates instructors, personal trainers and yoga instructors.
‘Personal data’ means data relating to a living individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, NC Ltd. When processing or using such information, NC Ltd, including its employees and contractors, strives to comply with the Data Protection Act 1998.
‘Processing’ means virtually any dealing with personal data, such as obtaining, accessing, recording, holding, disclosing, destroying or using the data in any way. NC Ltd will usually only process a data subject’s personal data where the data subject has given his/her consent or where processing is necessary to comply with NC Ltd’s legal obligations. NC Ltd processes personal information to enable us to provide health services to our patients, to maintain our accounts and records, to promote our services and to support and manage our employees.
Physiotherapists have a professional and legal obligation to keep an accurate record of their interaction with patients. A record can be in paper or electronic format, or a mixture of both, and includes all the information relating to the health status and management of the individual patient. Depending on the needs of the patient and the care setting involved, the record may be maintained by any one of the healthcare professionals within NC Ltd who is treating the patient. The record may contain information about the current episode of care only, or may be a compilation of every episode of care for that individual in a given time frame. These time frames are listed below in ‘Right to Request Erasure’.
NC Ltd processes information relevant to the above reasons/purposes. This information may include: name, address, date of birth, telephone number, email address, GP details, lifestyle and social circumstances, employment details, family details, physical and mental health details, and Private Medical Insurance (PMI) details (if applicable). The PMI details are used to bill your insurer as appropriate or to communicate directly with them if appropriate. None of your information is passed to a third party unless you have given explicit consent to release details. Your PMI may ask for reports of your sessions, but this will only occur with your consent. You may request us to write a letter to your school, a consultant or another person of interest to you. In doing so we will use your name, DOB and relevant medical details in that letter. You will also receive a copy of the letter should you choose.
NC Ltd sometimes needs to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations with which we may need to share some of the personal information we process, for one or more reasons.
Where necessary or required NC Ltd may share information with:
- healthcare professionals
- social and welfare organisations
- central government
- family, associates and representatives of the person whose personal data we are processing
- suppliers and service providers
NC Ltd will only process sensitive personal data (for example, information relating to ethnic origin, religious or similar beliefs, health, sex life, criminal proceedings or convictions) when a further condition is met (for example, the data subject has given his/her explicit consent, or that the processing is legally required for employment purposes). NC Ltd strives to comply with the data protection principles outlined in the Act when processing personal data. NC Ltd has practices and procedures in place to ensure that personal data is:
- processed fairly and lawfully,
- obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose,
- adequate, relevant and not excessive for the purpose,
- kept accurate and up-to-date,
- not kept for longer than necessary for the purpose,
- processed in accordance with the data subject’s rights,
- kept secure,
- not transferred to people or organisations situated in a country outside the European Economic Area, unless that country and/or organisation has equivalent levels of protection for Personal Data.
Your Rights as a Data Subject
If you are an individual in respect of whom NC Ltd processes Personal Data, you have the following rights. Please note that this is a summary of your rights. If you wish to understand your rights in detail you should read the relevant laws, guidance and regulations for a fuller explanation.
Right of Access to your Personal Data
Staff, patients and other data subjects have the right to access any of the personal data that NC Ltd is processing about them. Any data subject may exercise this right by submitting a request in writing to firstname.lastname@example.org. NC Ltd reserves the right to make a charge of £10 for each subject access request under the Act.
NC Ltd aims to comply with requests for access to personal information as quickly as possible, but will ensure that a response is provided within 40 calendar days from receipt of the request and all necessary supporting information (and the £10 fee, if applicable), unless there is a valid reason for delay. In such cases, the reason for the delay will be explained in writing to the data subject making the request.
To make a request for access to your personal data, please include the following information:
- your full name, address and contact telephone number;
- any information used by the organisation to identify or distinguish you from others of the same name (date of birth);
- details of the specific information you require and any relevant dates, for example: your personnel file; emails between ‘A’ and ‘B’ (between 1/6/11 and 1/9/11); your medical records (between 2006 and 2009).
In the case of a deceased person, his or her health records form part of his or her estate, and records may only be released to the person with the authority to access the records, such as the Legal Executor or Administrator of the Estate, or a potential beneficiary with a claim to the Estate. Applications to access the records must be made under the Access to Health Records Act and the Access to Health Records (Northern Ireland) Order 1993. Occasionally, family members may ask to see records, but records will not be released until NC Ltd is satisfied that an application has been made by a person with a legitimate claim to see the records.
There are circumstances where NC Ltd may withhold the supply of your Personal Data – for instance where the rights and freedoms of others may be affected or where we are permitted by law.
Right to Request the Rectification of Your Personal Data
NC Ltd wishes to ensure that any Personal Data it processes is accurate and up to date. If you think we hold inaccurate or incomplete Personal Data, please contact Nathan Carter at email@example.com to update or correct the information.
Right to Request Erasure of Your Personal Data
Under Article 17 of the GDPR individuals have the right to have personal data erased. The GDPR also specifies two circumstances where the right to erasure will not apply. NC Ltd falls under the second of these special categories, as listed below:
‘If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).’
The Health and Care Professions Council (http://www.hcpc-uk.org/) and the Chartered Society of Physiotherapy (http://www.csp.org.uk/), by which NC Ltd is governed, specify the length of time that records must be kept. A summary of minimum retention periods for personal health records (electronic or paper-based, and concerning all specialties, including GP medical records) is listed below.
- Children and Young People: retain until the patient’s 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or 8 years after death.
- Mentally disordered persons within the meaning of the Mental Health Act: 20 years after the date of last contact between the patient/client/service user and any health/care professional employed by the mental health provider, or 8 years after the death of the patient/client/service user if sooner.
- Maternity records: 25 years after the birth of the last child.
- All other hospital records: 8 years after the conclusion of treatment or death.
Right to Request the Restriction on Processing Your Personal Data
In some cases, such as the processing of sensitive Personal Data, NC Ltd may require an individual’s consent to process certain personal data. In such cases, the data subject always has the right to withhold or, if already given, withdraw his/her consent. However, if the individual chooses to withhold his/her consent, then NC Ltd may not be in a position to perform its obligations and consequently not able to treat or employ the individual.
If an individual wishes to withhold their consent, this would need to be recorded in writing to Chiswick Physio or by email to firstname.lastname@example.org.
Right to Object to NC Ltd’s Processing of Your Personal Data
You may object to NC Ltd’s processing of your Personal Data where:
- Processing is based on public interests or legitimate interests pursued by us or by a third party; or
- Processing is direct marketing
If you object, NC Ltd will stop processing the Personal Data unless NC Ltd:
- Has a compelling legitimate ground for processing the Personal Data; or
- Needs to process the Personal Data to establish, exercise, or defend legal claims
Right to Data Portability in Respect of Your Personal Data
In limited circumstances, you may have the right to request NC Ltd to:
- Supply your Personal Data in a format so that you may store it for further personal use on a private device;
- Transmit the Personal Data to another data controller.
Right to Complain to ICO
If you believe NC Ltd’s processing infringes Data Protection Law, you have the right to lodge a complaint with a supervisory authority responsible for data protection.
Right of Notification of any Breach
In the unlikely event of a Personal Data breach which is likely to result in a high risk to your rights, NC Ltd will notify you of the breach without undue delay. However, if your Personal Data is encrypted or otherwise unintelligible NC Ltd will not be required to notify you of the breach.
Withdrawal of Consent
In cases where the legal basis for our processing of your Personal Data is consent, you have the right to withdraw consent at any time. Such withdrawal will not affect the lawfulness of any processing before you withdraw consent.
The protection of your personal information is vitally important to NC Ltd and we always act in accordance with the relevant UK and EU legislation. All electronic data is stored on a secure server as part of our website or clinical databases. Information stored electronically is subject to access controls (including username- and password-based login details); where applicable, a secure FTP connection is used with insurers and applicable third parties, and encryption software may be used to protect the data ‘at rest’. NC Ltd will keep hard or paper copies of information in secure filing cabinets or equivalent secure storage.
In addition, NC Ltd takes the following security measures:
- making all employees and sub-contractors of NC Ltd aware of the rules and procedures laid down by NC Ltd from time to time in respect to the security of information and the importance of confidentiality;
- taking measures to ensure the proper training, supervision and instruction of employees dealing with your information;
- requiring all sub-contractors to enter into confidentiality agreements in respect to information they have access to from NC Ltd.
NC Ltd will strive to protect your Personal Information by all means reasonably required of us to do so. However, as no form of data transmission is 100% reliable, we cannot guarantee its absolute security. Once NC Ltd has received your information, it will use the above procedures to try to prevent unauthorised access. NC Ltd looks to regularly review our security arrangements as technology advances.
Future marketing and newsletters may be sent to a client list of those that have consented, via direct contact with NC Ltd. Marketing and newsletters will hold information of NC Ltd with no third party information included in such correspondence. Marketing and newsletters of NC Ltd will always contain what is deemed useful content (exercises, postural advice, do’s and don’ts, free lectures and talks, etc.) and will not contain sales of products or services. Consent of the individual receiving marketing and newsletters will be gained by opting in via an email or written consent:
- Proof of written consent will be held in the patient’s notes, and a record of consent will also be recorded on the front page of the patient’s notes and on an encrypted Excel spreadsheet;
- Proof of consent of an ‘opt in’ via email contact will be stored within the database of the tool used for marketing. As of writing this policy in April 2018, the current tool used is https://mailchimp.com/;
- Via direct contact with NC Ltd
On each marketing or emailing campaign the subscriber has the option to opt out of the email list with an ‘unsubscribe’ tag in the footer of the campaign. You can also ask us to stop sending you marketing messages and newsletters by contacting us at any time by emailing email@example.com.
Visitors to our website
When someone visits www.chiswick-physio.co.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Our website search and decision notice search is powered by Squarespace. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either NC Ltd or any third party.
NC Ltd may share a data subject's personal data with selected third parties if:
- The third party is providing a useful or essential service to the data subject, for example the PMI;
- NC Ltd is under a duty to disclose or share personal data in order to comply with any legal obligation; or
- It is necessary to protect NC Ltd’s rights or property, or the safety of any third party.
NC Ltd will not otherwise disclose a data subject’s personal data to a third party without his/her consent.
Complaints and Retention
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep the personal information contained in a complaint file. The information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
Job Applicants and Employees
NC Ltd is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information, please contact us at firstname.lastname@example.org.
What will we do with the information you provide to us?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary. We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us whether the information is in electronic or physical format. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do you ask for and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for.
Use of Data Processors
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
How long is the information retained for?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references. If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign. Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
Nathan Carter - Data Protection Officer | Chiswick Physio, The Gym Clinic, 129 Power Road, London, W4 5PY