Newbury Chiropractic Centre Patient Privacy Statement

 

Newbury Chiropractic Centre is aware of its obligations under the General Data

Protection Regulation (GDPR) and is committed to protecting the privacy and

security of your personal information. This privacy notice describes, in line with

GDPR, how we collect and use personal data about you during and after your time

as a patient of this clinic. It also sets out how we use that information, how long

we keep it for and other relevant information about your data.

This notice applies to current and former patients.

 

Data controller details

The Clinic is a data controller, meaning that it determines the processes to be used

when using your personal data. Our contact details are as follows:

 

Jane Jennings

Newbury Chiropractic Centre

21 Old Newtown Road

Newbury

Berkshire RG14 7DP

Tel: (01635) 48088

 

Data protection principles

In relation to your personal data, we will comply with data protection law. This

says that the personal information we hold about you must be:

• processed fairly, lawfully and in a clear, transparent way

• collected only for valid reasons that we find proper for the course of your

time as a patient and not used in any way that is incompatible with those purposes

• only used in the way that we have told you about

• accurate and up to date

• kept only as long as is necessary for the purposes we describe

• processed in a way that ensures it will not be used for anything that you are

not aware of or have consented to (as appropriate), lost or destroyed

• kept securely

 

Types of information we hold about you

Personal data or information means any information about an individual from

which that person can be identified. It does not include data where the identity

has been removed.

 

We hold many types of data about you, including:

• your personal details including your name, address, date of birth, email

address, phone numbers

• gender

• marital status

• personal medical or health information, including past medical history

• information concerning examination and treatment at your first and

subsequent visits

• letters of referral to or from the clinic regarding your treatment with us.

 

Special categories of data

There are "special categories" of more sensitive personal data which require a

higher level of protection, such as information about a person's health.

We will use your special category data:

• to ensure the care you receive at the clinic is appropriate to your condition

• to determine reasonable adjustments that should be made for access to the

clinic or to treatment

 

We must process special categories of data in accordance with more stringent

guidelines.

 

We will process special categories of data when the following applies:

• you have given explicit consent to the processing (on our consent form)

• we must process the data in order to carry out our legal obligations

• we must process data for reasons of substantial public interest

 

Less commonly, we may process this type of information where it is needed in

relation to legal claims or where it is needed to protect your interests (or someone

else's interests) and you are not capable of giving your consent, or where you have

already made the information public.

 

As with all cases of seeking consent from you, you will have full control over your

decision to give or withhold consent and there will be no consequences where

consent is withheld. Consent, once given, may be withdrawn at any time. There

will be no consequences where consent is withdrawn.

 

How we collect your data

We collect data about you in a variety of ways and this will usually start when you

make an enquiry to the clinic and continue when you attend your first and

subsequent appointments. At this clinic, we keep electronic records.

We may receive information about you from your GP or other health care provider

regarding your referral or, with your permission, additional information that will

help us continue with your treatment. We may also hold the results of tests that

you have undertaken and that are relevant to your treatment with the clinic.

Personal data (such as your name, address and contact details) is kept in the clinic

on a password protected computer and is processed on password protected

software. This data is backed up on a password protected portable flash drive

which remains at the clinic in a locked safe. Paper copies of medical records are

kept in a secure, locked filing cabinet in a private area of the clinic. No patient

medical records are taken off the business premises.

 

Why we process your data (How we will use information about you)

The law on data protection allows us to process your data for certain reasons only,

these are classified as legitimate interests. Most commonly, we will use your

personal information in the following circumstances:

• in order for us to carry out our contract with you (your requesting treatment

and our agreement to provide it constitutes a contract) which will include

confirming appointments, informing you of changes to appointments or

clinic arrangements, changes to facilities or services at the clinic.

• in order to provide you with the best possible treatment by recording health

and treatment information which would be in your best interest.

• in order to carry out legally required duties such as those required by me by

my government appointed regulator

• where it is necessary for our legitimate interests and your interests and

fundamental rights do not override those interests

 

We may use your personal information in these rare situations:

• where we need to protect your or someone else’s interests

• where it is needed in the public interest or for official purposes

 

Situations in which we will use your personal information

We need all the categories of information to primarily allow us to perform our

contract of treatment with you and to enable us to comply with legal obligations.

 

If you do not provide your data to us

One of the reasons for processing your data is to allow us to carry out our duties in

line with your contract of care with us. If you do not provide us with the data

needed to do this, we will be unable to perform that care to ensure your best

interests are being maintained. We may also be prevented from continuing with

your treatment with us due to our legal obligations.

 

Change of purpose

We will only use your personal information for the purposes for which we collected

it unless we reasonably consider that we need to use it for another reason and that

reason is compatible with the original purpose. If we need to use your personal

information for an unrelated purpose, we will notify you and we will explain the

legal basis which allows us to do so.

 

Please note that we may process your personal information without your

knowledge or consent, in compliance with the above rules, where this is required

or permitted by law.

 

Automated decision making

No decision will be made about you solely on the basis of automated decision

making (where a decision is taken about you using an electronic system without

human involvement) which has a significant impact on you.

 

Sharing your data

Your data will be shared with colleagues within the Clinic but only where it is

necessary for them to undertake their duties. This includes, for example, other

chiropractors working for, at or on behalf of the clinic, reception staff and other

healthcare practitioners such as Massage Therapists. Your medical notes may only

be viewed by members of NCC staff.

We may share your data with third parties in order to facilitate a referral to

another healthcare practitioner, investigation or to keep your GP informed about

your progress with treatment. An example would be a locum Chiropractor, that

may “cover” patients treatments during holiday times.

We may also share your data with third parties as part of a Clinic sale or

restructure, or for other reasons to comply with a legal obligation upon us. We

would always keep you informed of these situations.

 

Transferring information outside the EU

We do not share your data with bodies outside of the European Economic Area.

 

Data Security - Protecting your data

We have put in place measures to protect the security of your information against

accidental loss or disclosure, alteration, unauthorised access, destruction or

abuse. We have implemented processes to guard against such. In addition, we limit

access to your personal information to those employees, agents, contractors and

other third parties who have a business need to know. They will only process your

personal information on our instructions and they are subject to a duty of

confidentiality.

 

Your data (such as your name, address and contact details) is held on a secure

computer system with password access and a database with password access. The

computer is protected by a firewall, as well as up to date security software. It is

backed up on a password protected portable flash drive which remains at the

clinic and is locked in a safe. The patient contact database is backed-up to servers

hosted in highly-secure UK data centres which are ISO9001 and ISO27001 certified.

Furthermore, all data is encrypted (even when in transit) and is strong-password

protected on the servers.

Paper patient records are stored in locked cabinets in a private area of the clinic.

No patient medical records are taken off the business premises. The clinic is

protected by a security alarm.

 

Where we share your data with third parties, we provide written instructions to

them to ensure that your data are held securely and in line with GDPR

requirements. Third parties must implement appropriate technical and

organisational measures to ensure the security of your data.

 

How long we keep your data for

In line with data protection principles, we only keep your data for as long as we

need it for, which will be at least for the duration of your being a patient with us

and we are legally required, by the Chiropractic regulator, to keep this data for

eight years after your time as a patient has ended. To determine the 

appropriate retention period for personal data beyond eight years we consider the

amount, nature, and sensitivity of the personal data, the potential risk of harm

from unauthorised use or disclosure of your personal data, the purposes for which

we process your personal data and whether we can achieve those purposes through

other means and the applicable legal requirements.

 

Once we no longer have a lawful use for retaining your information, we will

dispose of it in a secure manner that maintains data security.

In some circumstances we may anonymise your personal information so that it can

no longer be associated with you, in which case we may use such information

without further notice to you.

 

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and

current. Please keep us informed if your personal information changes during your

time as a patient with us.

 

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold

on you.

• the right of access. You have the right to access the data that we hold on

you. To do so, you should make a subject access request.

• the right for any inaccuracies to be corrected. If any data that we hold

about you is incomplete or inaccurate, you can require us to correct it.

• the right to be informed. This means that we must tell you how we use your

data, and this is the purpose of this privacy notice. We also must inform you

of any changes to how we use your data.

• the right to have information deleted. If you would like us to stop

processing your data, you have the right to ask us to delete it from our

systems where you believe there is no reason for us to continue processing it.

• the right to restrict the processing of the data. For example, if you believe

the data we hold is incorrect, we will stop processing the data (whilst still

holding it) until we have ensured that the data is correct.

• the right to portability. You may request transfer the data that we hold on

you for your own purposes.

 

If you want to access your data, review, verify or correct your data, request we

erase your personal information, object to the processing of your personal data, or

request that we transfer a copy of your personal information to another party,

please contact: Data Protection Officer, Newbury Chiropractic Centre, 21 Old

Newtown Road, Newbury, Berkshire RG14 7DP in writing.

 

Fees

You will not have to pay a fee to access your personal information (or to exercise

any of the other rights). However, we may charge a reasonable fee for a second or

subsequent copy of information or if your request for access is clearly unfounded

or excessive. Alternatively, we may refuse to comply with the request in such

circumstances.

 

What we may need from you

We may need to request specific information from you to help us confirm your

identity and ensure your right to access the information (or to exercise any of your

other rights). This is a security measure to ensure that personal information is not

disclosed to any person who has no right to receive it.

 

Right to withdraw consent

Where you have provided consent to the collection, processing and transfer of your

data, you have the right to withdraw that consent at any time. There will be no

consequences for withdrawing your consent. However, in some cases, we may

continue to use the data where so permitted by having a legitimate legal reason

for doing so.

 

To withdraw consent, contact:

by email: [email protected]

 

or in writing:

Data Protection Officer

Newbury Chiropractic Centre

21 Old Newtown Road

Newbury, Berkshire RG14 7DP

 

Making a complaint

If you have any questions about this Privacy Notice or how we handle your

information, please contact the Clinic’s Data Protection Officer [Mr Philip Newman]

 

He can be contacted in writing at:

 

Philip Newman

Data Protection Officer

Newbury Chiropractic Centre

21 Old Newtown Road

Newbury, Berkshire RG14 7DP

 

You have the right to make a complaint at any time to the supervisory authority in

the UK for data protection matters, the Information Commissioner’s Office (ICO).

 

Date: 22.05.2018

 

 

You don't have to live your life in pain – arrange a consultation and see how we can help you

Contact us now