GDPR - YOUR PRIVACY
Your Privacy Matters
Our approach to your privacy
Mindfully Active Physio is committed to protecting your personal information. The privacy and security of your personal information is very important to us. We want to assure you that your information will be properly managed and protected whilst in our hands.
The information we collect and how we collect it
This information may include
• Basic personal details such as your name, date of birth, age, address, email address and telephone numbers
• Sensitive personal information such as your current health, past medical history, family or personal history in relation to your health, prescribed medication, x-ray and scan reports
• Relevant information about your health, lifestyle, weight, sports, hobbies, social circumstances
• Information collected from 3rd parties – GP’s, specialists, other health professionals and private medical insurers who we will always seek your permission to contact if necessary
• Details about the signs and symptoms you are presenting with and what we find on examining you
How we use your personal information: the legal basis and purposes
We’ll process your personal data:
• as necessary to help us reach a diagnosis of your presenting problems and draw conclusions in order to tailor a treatment programme to you.
as necessary for our own legitimate interests, for good governance, accounting, managing and auditing our clinic activities
to document emails, calls, other communications and activities
• as necessary for compliance with legal and regulatory requirements, related disclosures and establishing and defending of legal rights
based on your consent e.g. when you allow us to disclose your personal data and health information to another health professional, G.P, specialist, medical insurer, school (in the case of a child)
Sharing of your personal data
Subject to applicable data protection law, your information may be shared with:
• G.P’s, Consultants and other health professionals. This may be by letter, which is given to you, so the protection of its contents becomes your responsibility. If the information is sent by email, it will be protected via secure email and we will take all reasonable precautions to transmit the information securely
• Other physios at our clinic or other physiotherapy clinics for teaching purposes eg. case presentations
• Our legal and other professional advisors
• Courts, to comply with legal requirements
• In an emergency or to otherwise protect your vital interests
• To protect the security and integrity of our clinic practices
We will not provide your personal information to any third parties for the purpose of direct marketing
Keeping your personal information secure
We work hard to keep your personal information safe. We are committed to protecting the confidentiality and security of the information you provide to us. We use a combination of technical, physical, administrative and organisational security measures to maintain the security of your personal data, to protect against unauthorised access to, disclosure of, unlawful processing/alteration of, accidental damage to, unlawful destruction of or loss of your personal information. All patient’s clinical notes are either in paper format and kept securely in locked filing cabinets, only accessed by the practicing physiotherapists, or in electronic format on cloud based software with password protection. We are subject to a duty of confidentiality and will only process your information in an authorised manner. However, no method of transmitting or storing data is completely secure.
We have procedures in place to deal with any suspected data security breach. We will notify you of any suspected data security breach where we are legally required to do so.
We have a legal obligation to keep your personal information on file for 8 years after the date of your last attendance. After this time, all patient’s clinical notes held in paper format are securely shredded. If the record relates to a child or young person, the records must be kept until their 25th birthday.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
• request access to your personal data and information about how we process it. This enables you to receive a copy of the personal information we hold and check that we are lawfully processing it.
• object to processing of your personal data, where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
• have your personal data corrected if inaccurate and have incomplete data completed. We may need to verify the accuracy of any new data you provide to us.
• request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal data in the following scenarios: where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• have your personal data erased. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it; where you have exercised your right to object to processing; where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• move, copy or transfer your personal data. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use.
you have the right to withdraw consent at any time eg. for us to communicate with your G.P. or to decline certain treatments, but this will limit how we can help you/what we can offer you. We will advise you if this is the case at the time you withdraw your consent. Withdrawing your consent will not affect the lawfulness of any processing carried out before you withdraw your consent.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. You will not have to pay a fee to access your personal information. However, we may charge a reasonable fee if your request for access is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. Please let us know if your information changes as it is important that the information we hold about you is accurate and up to date.
You can contact James Boyd (Chartered Physiotherapist, Practice Manager and Data Protection Officer) at firstname.lastname@example.org to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for. Or write to:
James Boyd, Mindfully Active Physio, Koru Gym, Peek Business Park, Woodside, Bishops Stortford, Herts, CM23 5RG.
For further information about your rights, including circumstances in which they apply, see the guidance from the Information Commissioners Office (ICO) on individual’s rights under the General Data Protection Regulation.