PRIVACY NOTICE
GDPR 2018 - PRIVACY NOTICE
CLINIC DATA PROTECTION PROCEDURE
Appointed person with responsibility for data protection: Vida Amarteifio
Registered with the Information Commissioner's Office: Yes
Clinic Data Protection Policy/ Statement
Information Held
The following information is collected: patient name, address, date of birth, email address, phone numbers, GP details, past medical history, family medical history, and the case history taken on arrival at the clinic for the treatment carried out. All information is given by the patient or by their carer, parent or legal guardian.
Data Collection
Administrative data is collected orally, on the phone, by reception staff or practitioners to book appointments and take contact details, as part of the contract to provide treatment.
Medical information is collected in the first instance on a pre-consultation form completed as part of the registration process, before the patient sees the practitioner. The form is then handed to the practitioner, who asks further clinically relevant questions orally at a face-to-face appointment. The information collected is sufficient for the purpose of making informed clinical decisions and is processed under the legal basis of provision of health care.
Patient contact details and appointments are stored manually (on paper). Patient clinical records are also held manually, with the exception of letter correspondence, which is held on a computer, and exercise prescriptions, which in some cases may be held on Physiotools (server in Finland) and/or Physiotech (server in the UK).
Data Storage
Information is stored in filing cabinets which are not accessible to the public and are locked. Archived notes are locked in a cupboard.
In the event of the business changing ownership, the new owner would become the data controller and the appointed person, and would hold records for the same periods: 8 years, or until the age of 25 for children.
Data disposal (minimum 8 years, or until the age of 25 for children)
Records cannot be deleted before the statutory retention period has expired: 8 years, or until the age of 25 for children.
Notes are archived after 1 year. They are then securely stored in a locked cupboard at the appointed person's home.
Notes are destroyed by shredding/incineration after 8 years or 25 years of age for children.
Electronic records are deleted from the system after 8 years or 25 years of age for children.
Consent
Patient data is also used for appointment reminder text messages, a newsletter and marketing, which patients opt in to via a tick box or verbally on their first visit. We check on a regular basis that patients still want to receive these communications.
Parents must give consent for communication with children under 16 years.
Data Sharing
Medical information is only shared with other persons with the patient's permission; this would usually be with other health professionals. Patient information is not otherwise passed on to other practitioners, persons or companies.
Data would be shared without consent only in extremely rare cases: where there is a legal order, or where there is a serious risk to safety.
Data Checks
Every year we check a small percentage of our patients' records to make sure they are accurate.
When a patient returns after a period of a year or more, we check that their data is correct and up to date.
Security
Access to paper records is restricted to practitioners and admin staff who have signed a confidentiality agreement.
All electronic data is password protected, and access to information can be restricted. Systems are kept updated, and antivirus software is in place and kept updated.
Passwords are changed every year.
Data breaches will be detected by observing signs of unauthorized entry to storage areas, by monitoring communications, or by becoming aware of a security breach on the computer system (e.g. a virus, an unauthorized log-on, or a change to permissions). Data breaches will be investigated by the appointed person and, where they are likely to result in a risk to patients, reported to the Information Commissioner's Office within 72 hours of the clinic becoming aware of them. Patients will be informed if we believe a data breach affecting them has occurred.
Patients may contact the Information Commissioner’s Office if they believe a data breach has occurred. Information Commissioner’s Office: 0303 123 1113
Subject Access Requests
All staff know that subject access requests must be responded to within one month and that no charge can be made.
Data is only released on receipt of a signed request from the patient, or in exceptional circumstances. Any data sharing is recorded in the patient record.
Rights you have as a data subject
At any point whilst HS Osteopaths is in possession of, or processing, your personal data, all data subjects have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
In the event that HS Osteopaths refuses your request under the right of access, we will provide you with the reason why, and you have the right to challenge that decision legally. At your request HS Osteopaths can confirm what information it holds about you and how it is processed.
You can request the following information:
- Identity and contact details of the person or organisation (HS Osteopaths) that has determined how and why to process your data.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- Whether the processing is based on the legitimate interests of HS Osteopaths, and information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- How long the data will be stored.
- Details of your rights to correction, erasure, restriction of processing, or objection to processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority (ICO).
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
Complaints
In the event that you wish to make a complaint about how your personal data is being processed by HS Osteopaths, you have the right to complain to us.
Vida Amarteifio
HS Osteopaths
Forest Therapy Centre
The Old Forge
Station Passage
South Woodford
London
E18 1JL
Telephone: 07403 879248
Email: hsosteopaths@gmail.com
If you do not get a response within 30 days, you can complain to the ICO.