GDPR Data Controller
Under the terms of The General Data Protection Regulation (GDPR) 2018 the data controller is: Jenny Mears.
How to contact us:
Sarum Physiotherapy Centre
213 Devizes Road
Telephone: 01722 415055
Why we need and how we use your personal information
We only collect, use and store your information where we have lawful grounds and legitimate reasons to do so.
We need your contact details as well as sensitive personal information about your medical history and current medical conditions, as these are necessary for treatment.
We collect and process information when you telephone the clinic to make an enquiry or appointment, when you email us, when you access our online booking system via our website or if you visit the clinic in person.
At the point of enquiry or booking we may ask you for: your name, your date of birth, your address, your telephone number, your e-mail address.
At your appointment at the clinic, we will ask for information regarding your general health, your previous health and information regarding the condition you are seeking advice about.
We will also ask for information regarding any activities you undertake, your employment and any medication you take.
We will also record the findings of a physical examination.
We also collect, use and store your financial details from cheques or BACS payments.
We may also use it to notify you about changes to our service and to notify you of new products and services.
We may monitor emails, text messages and other communications with you. When you contact us, we may keep a record of that correspondence and any information provided to us during that or any subsequent communication.
Nature of personal information
Personal data is any information that may identify a living individual.
We collect personal information such as name, contact details, date of birth, gender, marital status, financial details, employment details and other personal details relevant to the treatment we offer.
We may collect, use and store sensitive personal information such as medical conditions as necessary in relation to treatment. This information may be shared with your GP, Consultant, health insurers, and occasionally solicitors and third-party service health providers. Where necessary, we shall obtain your consent to the processing of such information.
We use this information:
- To provide a legal record of any treatment or advice we provide
- To ensure continuity of care
- To contact you in regard to your ongoing treatment, including sending exercises by e-mail. We use a third party for this service (PhysioTek).
- To contact you if new information or treatments become available that may be of benefit to you.
- We may pass information with your permission to other medical professionals who may be involved in your care; this may include GPs, consultants, occupational health departments or other Health and Care Professions.
- We may use your information for quality feedback purposes.
- We may use your information for audit purposes.
We do not pass on your information for commercial purposes.
We take all reasonable steps to ensure that our information is kept up to date and rectified if necessary. It is also your responsibility to inform us if any personal information changes.
Will we disclose your information to or share it with other organisations?
We will only supply your personal information to other parties where such a transfer is a necessary part of the activities that we undertake, where you give us consent or where we are required to do so by law or regulation.
We only share your information if we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.
We may also disclose personal information to new owners of our business in the event that we are subject to a merger or acquisition. Disclosure may also be made to enable company audits, regulatory inspections or to investigate a complaint, suspicion of fraud or a security threat.
We never share your information outside our organisation for marketing purposes.
You understand that we may disclose the information you provide to relevant other parties for the purposes described in this Notice.
How long we keep information about you
We will keep your information for as long as it is legally required to enable us to provide treatment. This will usually be a minimum period of eight years or otherwise as determined by law or regulation.
We have a legal obligation to retain records for 8 years after the conclusion of treatment.
If the record relates to a child or young person, the records must be kept until the patient’s 25th birthday or 8 years after death.
Once we decide that we no longer need your information it will be securely and confidentially destroyed.
We would like to keep you updated about our relevant products and services by email. If you wish us to stop using your information for this purpose or any other purpose then please contact us.
We will not disclose your information to any third party for such purposes.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your information.
Sharing of personal data outside
As a private organisation, we do not share data with other organisations unless the law permits us to do so. We do not sell individual information. We will share it only with our authorised Data Processors, who must act at all times on my instructions as the Data Controller under The General Data Protection Regulation (GDPR) 2018. Before you submit any information, we will notify you as to why we are asking for specific information and it is up to you whether you provide it.
Your data protection rights
You have certain legal rights under UK data protection law and regulations, summarised as follows:
- The right to be informed about our data processing activities, including through Privacy Notices such as this.
- The right of access to the personal information we hold about you. To request a copy of this information you must make a subject access request in writing to us.
- The right of rectification. You may ask us to correct any inaccurate or incomplete data within one month.
- The right to erasure and to restrict processing. You have the right to have your personal data erased and to prevent processing except where we have a legal obligation to process your personal information. You should bear in mind that by exercising this right you may hinder or prevent our ability to provide treatment.
- The right to data portability. On your request, we will provide you with your personal data in a structured format.
If you want to invoke any of these rights please write to us at the address above.
Withdrawal of consent
You may remove consent for the use of personal data at any time by contacting us at the address above.
How to make a complaint
If you wish to make a complaint about how we hold or use your data, please contact us at the address above.
If you are dissatisfied with how we deal with your complaint, you may contact the Information Commissioner’s Office:
The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Phone: 08456 30 60 60; Website: www.ico.gov.uk
Information from other sources
We may also obtain information about you from GPs, consultants, insurance companies and third-party health providers. Some personal information may be provided to us by third parties such as insurance companies or other insurance intermediaries. In some cases, you will have previously submitted your personal information to them and given them approval to pass this information on for certain purposes.
Such information will only be obtained from reputable sources which operate in accordance with the General Data Protection Regulation.
We may use your information for research purposes such as statistical and trend analysis which may include computerised processes which profile you.
Data Controller and Partner
Sarum Physiotherapy Centre
21 May 2018