Since 25th May 2018, all businesses have become subject to data protection legislation known as the General Data Protection Regulation (GDPR). As such, we have a duty to tell you what personal data we collect and why, how we store it and who has access to it. Our detailed Privacy Statement is presented further down this page, after a summary of some of the key points.
When you visit us for your first consultation or treatment on or after the above date, we will have to ask you to fill in a consent form, so please arrive 10 minutes or so before your booked time to complete the paperwork without disrupting your appointment.
Information and Communication
When you supply your personal details to this clinic, they are stored and processed for 3 reasons:
- We have a legal obligation to maintain medical notes, in order to provide you with the most appropriate treatment.
- Provided we have your consent, we may need to contact you in order to confirm your appointments with us, or to update you or your doctor on matters related to your care. Under the GDPR, this is known as legitimate interest.
- Again, provided we have your consent, we may occasionally send you specific information relevant to your care, in the form of articles, advice or newsletters. This, too, constitutes legitimate interest under the GDPR.
Your records are stored on paper, in a locked filing cabinet, and the office is always locked out of working hours.
We have a legal obligation to retain your records for 8 years after your most recent appointment (or age 25, if this is longer), and they will usually be destroyed after this period.
If we contact you via an email address that you have given us, that address will be stored on the email service provider’s system.
We will never share your data with anyone who does not need access without your written consent, unless we are directed to do so by a legal authority.
Only the following people will have routine access to your data:
- Our reception staff will have access to your contact details, because they organise our practitioners’ diaries, and coordinate appointments and reminders. They do not have access to your medical history or sensitive personal information.
- Your practitioner(s), in order that they can provide you with appropriate treatment.
What follows is the detailed Privacy Statement for Wadebridge Osteopaths, as developed by the GDPR Compliance team at the Institute of Osteopathy.
GDPR 2018 PRIVACY NOTICE
This document refers to personal data, which is defined as information concerning any living person (a natural person who hereafter will be called the Data Subject) that is not already in the public domain.
The General Data Protection Regulation (GDPR) which is EU wide and far more extensive than its predecessor the Data Protection Act, along with the Privacy and Electronic Communications Regulations (PECR), seek to protect and enhance the rights of EU data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the unrestricted movement of personal data within the EU and its storage within the EEA.
1 – Your Practice
Wadebridge Osteopaths, based at 48 Molesworth Street, Wadebridge, Cornwall, PL27 7DP, which hereafter for the purposes of this Privacy Notice will be referred to as the Osteopaths, is pleased to provide the following information:
2 – Care standards The Osteopaths diagnose and treat health conditions. Treatments are carried out in accordance with the Institute of Osteopathy’s patient charter http://www.iosteopathy.org/osteopathy/the-patient-charter/. The practice also offers other types of treatment and these are all subject to similar standards of care.
4 – Legal basis for processing any personal data To meet our contractual obligations obtained from explicit Patient Consent and legitimate interest, to respond to enquiries concerning the services provided.
5 – Legitimate interests pursued by the Osteopaths To promote treatments for patients with all types of health problems indicated for osteopathic care.
6 – Consent Through agreeing to this privacy notice you are consenting to the Osteopaths processing your personal data for the purposes outlined. You can withdraw consent at any time by using the postal, email address or telephone number provided at the end of this Privacy Notice.
7 – Disclosure The Osteopaths will keep your personal information safe and secure, only staff engaged in providing your treatment will have access to your patient records, although our administration team will have access to your contact details so that they can make appointments and manage your account. The Osteopaths will not disclose your Personal Information unless compelled to do so, in order to meet legal obligations, regulations or valid governmental requests. The practice may also enforce its Terms and Conditions, including investigating potential violations of its Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of its staff.
8 – Retention Policy The Osteopaths will process personal data during the duration of any treatment and will continue to store only the personal data needed for eight years after the contract has expired, to meet any legal obligations. After eight years all personal data will be deleted / destroyed, unless basic information needs to be retained by us to meet our future obligations to you, such as erasure details. Records concerning minors who have received treatment will be retained until the individual has reached the age of 25.
9 – Data storage All Data is held in the United Kingdom. The Osteopaths do not store personal data outside the EEA.
10 – Your rights as a data subject At any point whilst the Osteopaths are in possession of, or processing, your personal data, all data subjects have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing, such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
If the Osteopaths refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge. At your request the Osteopaths can confirm what information it holds about you and how it is processed.
11 – You can request the following information (much of which is explained within this notice):
- Identity and the contact details of the person or organisation (the Osteopaths) that has determined how and why to process your data.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing, as well as the legal basis for processing.
- If the processing is based on the legitimate interests of the Osteopaths and information about these interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- How long the data will be stored.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority, the Information Commissioners Office (ICO).
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
12 – To access what personal data is held, identification will be required The Osteopaths will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If the Osteopaths is dissatisfied with the quality, further information may be sought before personal data can be released. All requests should be made to firstname.lastname@example.org, or by phoning +44 (0) 1208 812048, or by writing to us at the address below.
13 – Complaints In the event that you wish to make a complaint about how your personal data is being processed by the Osteopaths, you have the right to complain to us. If you do not get a response within 30 days, you can complain to the ICO.
The details for each of these contacts are:
Lloyd Pope at Wadebridge Osteopaths Telephone +44 (0) 1208 812048 or email email@example.com
ICO Wycliffe House, Water Lane, Wilmslow, SK9 5AF Telephone +44 (0) 303 123 1113 or email: https://ico.org.uk/global/contact-us/email/