On 25th May 2018, the General Data Protection Regulation (GDPR) comes into effect. GDPR regulates the processing of personal data and introduces significant changes compared with the existing data protection legislation. As a result of the changes, we have needed to make some amendments to our current data collection and storage processes. Whilst these will not affect your treatment, they do affect what, how and why we keep your personal data.
Under data protection law you, as client of Harrogate Physiotherapy Practice (HPP), have specific rights. It is our responsibility to communicate these rights to you in a clear and concise manner. This Privacy notice is designed to clarify how we will handle your data.
Your data will be processed lawfully, fairly and in a transparent manner. Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
GDPR & the terminology
- GDPR - General Data Protection Regulation
- Data Controller - A person or organisation who determines the purposes for which and the manner in which any personal data is, or is to be, processed.
- Personal Data - Any information relating to an identifiable person who can be directly or indirectly identified. For example: name, address, telephone numbers.
- Data Subject - A person whose data is collected, processed, stored and/or used.
- Data Processor - Any person or organisation that is not an employee of the Data Controller who processes data on behalf of the Data Controller (Harrogate Physiotherapy Practice).
- Consent - A freely given, specific, informed and unambiguous indication of the data subject's wishes which, by a clear affirmative action, signifies agreement to the use and processing of their personal data.
- Data Protection Officer (DPO) - A person appointed by the Data Controller who will be involved in all areas of data protection.
We, Harrogate Physiotherapy Practice (Therapywise Treatment Rooms, Harrogate Sports And Fitness Centre, Hookstone Wood Road, Harrogate, HG2 8PN, Telephone number 01423 544004, E-mail address: firstname.lastname@example.org), are the Data Controller for the purposes of processing your personal data.
The Personal Data We Process and What We Do with It
We record and use the following categories of personal data which include: name, date of birth, address, telephone numbers, e-mail address, GP details, your full medical history, diagnosis and treatment.
The information HPP collects will only be used for the purposes of providing physiotherapy services and appointment management services, i.e. booking appointments, re-arranging appointments and follow-up communication to ensure the contract has been completely fulfilled. Personal data is also used for financial processing.
This data processing is necessary for us to deliver our physiotherapy service and to fulfil the Patient/Physiotherapy contract, with the understanding that HPP will provide a service in exchange for payment. We will only process your data if you have given us consent to do so.
Sharing Your Personal Data
We only share your personal data with your explicit consent, where, for example, we need to contact a third party and give them your contact details in order to process ongoing medical care, onward referral (i.e. GP, private consultant) or further private investigations, i.e. private MRI scanning and/or other investigations. If referrals are e-mailed, the documents are password protected and sent via secure systems.
Where third parties are used by us to store your personal data, i.e. Practice Management Systems and Accountancy Systems, we ensure that they are compliant with data protection law. Where third parties are used for financial processing, data is made anonymous.
All patient data, including hardcopy (patient records), non-cloud-based and cloud-based data, is stored according to Data Protection regulations.
Retaining Your Personal Data
Whilst you are a patient of ours we will continue to store and use your personal data. We will retain your treatment records for a statutory* period no greater than 8 years from the date of the last treatment. If you are 17 years or younger on the date of your last treatment we will keep your records until your 26th birthday.
Limited information will be retained within our accounts systems indefinitely, to maintain the integrity of the data.
Cloud-based personal data (online storage) relating to appointment management or treatment, i.e. e-mail correspondence, will be deleted after you are discharged from your physiotherapy treatment.
*NHS Records Management Code of Practice for Health and Social Care 2016
As we process your personal data, you have certain rights. These are a right of access, a right of rectification, a right of erasure and a right to restrict processing.
- You may request a copy of your data at any time.
- Please make such a request in writing or by email to us, at the address shown above.
- Please provide the following information: your name, address, telephone number, email address and details of the information you require.
- If you believe any of the personal data we hold on you is inaccurate or incomplete, please contact us directly and any necessary corrections to your data will be made.
- If you believe we should erase your data, please contact us, at the address shown above.
- If you wish us to stop storing or using your data, please contact us at the address shown above.
- Where you have provided explicit consent for us to use your data you have a right to withdraw this consent at any time.
Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. We will give you the contact details of the person who is dealing with the breach, and explain to you the nature of the breach and the steps we are taking to deal with it.
Should You Wish to Complain
You can contact the Information Commissioner's Office (ICO) via their website: www.ico.org.uk should you wish to make a complaint about the way we are processing your personal data.
Automated Decision Making and Profiling
We do not use any system which uses automated decision making or profiling in respect of your personal data.