The General Data Protection Regulations (GDPR) come into force on 25th May 2018. This privacy notice has been produced in response to these new requirements for us to be transparent in the way in which we process your personal information. This notice explains what data we collect, the purposes for which it is used and how we keep your information private when you attend our clinic for physiotherapy.
The Data Controller is Medileve Limited, a private limited company registered in England trading as Witney Physiotherapy Centre.
Any enquiry regarding Data Protection should be made to
Michelle Dinmore, Director, Witney Physiotherapy Centre,
Suite 1 Bridge Street Mill, Witney, OX28 1FX.
Please note that if you are having treatment with an independent practitioner who uses a room at our practice, they are the data controller for your information and will have their own policy.
What information we collect and why
We collect personal information from you when you either register online with our booking system through our website or telephone to book an appointment. This will include contact information including name, home address, contact telephone numbers, email address and date of birth. This enables us to respond to your enquiry and schedule appointments.
When you book an appointment our booking system will send you an automated email appointment confirmation. If you choose to book your appointment online, the email confirmation is necessary. However, if you prefer not to receive appointment emails you may book by telephone without giving your email information.
When you first attend the clinic, or return at a later date for a new episode of care you will be asked to complete a registration form which ensures that the information that we hold remains correct and up to date and ensures that the appropriate consents are documented where applicable.
During your consultation and subsequent follow-up appointments we are bound by our professional duty of care to ask you about and record your symptoms and relevant past and present medical information to enable us to safely and thoroughly evaluate and treat your health condition. It may also be appropriate to record details of your occupation and recreational pursuits if they are relevant to your problem. This information is normally given by you but we may also receive information from the medical professional or insurance company who has referred you.
We will also ask for details regarding your preferred method of payment for your treatment and record this on your registration form. If you are self-funding you may wish to pay by credit or debit card, in which case we will make card transactions using a third party provider for this service. We comply with PCI DSS (payment card industry data security standards) and currently use Payzone and Barclaycard to process our card transactions. We securely store card receipts for 6 months, after which they are shredded. If you pay by telephone with your card, no information is stored for use at a later date.
We also keep financial records using accounting software in order to maintain accurate accounts and fulfil our legal accounting and taxation obligations. This information includes your name and address, accounts payable, dated invoices or receipts of payment, payee details and insurance membership numbers or claim numbers.
From time to time we may use the information collected from you to carry out internal audits of our business for quality control purposes, statistical information, business performance or to assess the effectiveness of certain treatment approaches. Data that is gathered in this way becomes anonymous at the point at which it is pooled.
Our Lawful Bases for processing personal data
GDPR requires that we identify and inform you of the lawful bases that permit us to process your information.
We have identified that the processing of your personal information is carried out in line with the legitimate interests of running our private physiotherapy business.
As registered Health Professionals we are required by law to keep records of our assessment and treatment of your physical health condition and medical history. Therefore, in addition to our legitimate interest we also have a legal obligation under GDPR to keep and maintain clinical records.
Where physiotherapy is being funded by a third party insurance company such as Bupa or AxaPPP, we are also processing data as dictated by the terms of our contract with the insurer, therefore the contractual lawful basis will apply.
From time to time there may be important changes that happen within our organisation that we think that you would wish to know about. We will correspond with you if we consider that it is in your legitimate interest to do so.
Occasionally we would like to inform you about new services, special offers or events. We will seek your consent to be put on our e-mailing list.
Health records are considered under GDPR to be “special category data” and therefore we must also satisfy a specific condition under Article 9(2) for processing health-related data:
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional
Who do we share your information with?
We currently use a telephone answering service for the purpose of booking appointments or handling enquiries. They only have access to information that is required for appointment scheduling and do not process payments or have any access to physiotherapy records.
IT Consultant. We use a trusted application developer to provide and update the software which provides the functionality of the appointment booking system. Access to the contents of the database is not permitted.
Your physiotherapy records are accessed by the physiotherapist who is treating you at the time, the Practice Principal and our in-house administrative staff.
It is often in your best interests to share information regarding your treatment or condition with other health professionals involved in your care such as your GP or Medical Consultant. Sometimes we will recommend that we refer you for further investigations or to a different health professional. We will seek your consent before we pass on your information.
If an insurance company is funding your treatment they require us to disclose details of your assessment, attendance and treatment as a condition of funding. Therefore it is important that you understand that in order to have your treatment funded by a third party we are required to share your information with the insurer.
There are some circumstances where we would be obliged to share your information without your permission. For example if there were safeguarding concerns or there was an immediate threat to your life, in which case we would share information in order to protect your vital interests.
If your physiotherapy treatment is not paid for despite our reasonable efforts to correspond with you regarding your outstanding account, we may use the services of a debt collection agency. In this circumstance your contact details and unpaid fees would be passed on. No clinical details would be shared.
We may be required by law to disclose your personal data for the purpose of investigation or prevention of crime or fraud.
We may be required to disclose your data to regulatory bodies (such as the Health & Care Professions Council or Chartered Society of Physiotherapy) in the event of an investigation regarding the professional conduct of one of our practitioners or a governance issue.
In the event that Witney Physiotherapy Centre’s business is bought by a third party, the patient data would be one of the assets that would become the property and responsibility of the new owner. However any such transfer would require continued compliance under GDPR.
How long do we keep your information?
We are required by law to retain physiotherapy records for a minimum of eight years, or until children reach 25 years old. Records are disposed of securely by shredding in-house.
How is your data stored and protected?
Your contact details and appointment history are stored on our appointment booking system. You will only have access to your own appointment data and must provide your own password and verified email address to access this information. Password security is your own responsibility. The information is stored on a hosted online database within the European Union provided by 1and1. The security features on this web-hosting service include SSL encryption, georedundancy and DDoS protection. The 1&1 data centres are among the safest and most modern in Europe, verified with ISO 27001:2013 certification from TÜV Nord. The web-hosting providers are data processors but do not have access to your information.
Physiotherapy clinical records are stored securely as hard copies in locked filing cabinets within the clinic and not removed from the premises.
Accounting software is stored on our clinic computers and has restricted access control; the data is encrypted and password protected. All our clinic computers are password protected and our premises have controlled access.
We take the protection of your information seriously. We have put in place appropriate technical and organisational measures to mitigate the risk of a data breach. However, it is recognised that no system is 100% fail-safe. If we become aware of a data breach this will be investigated promptly and the required action taken as soon as practicable. It will be assessed and reported to ICO if necessary.
You have the right to
- request what information we hold about you
- have your information kept up to date and rectify any errors
- ask us to stop processing some of your data. However, this is not an absolute right and may be overridden by our legal or contractual obligations to retain the data
- withdraw your consent at any time for those purposes for which it has been explicitly sought
You may request details of the information that we hold about you by writing to Michelle Dinmore at the address given.
Witney Physiotherapy Centre May 2018.