What is a Privacy Notice?
Highfield Chiropractic Clinic is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how we use that information, how long we keep it for and other relevant information about your data. This notice applies to current and former patients. Your personal data will NOT be used in ways to which you have not consented. We do NOT and WILL NOT pass your details to any third party unless you give us your permission to do so.
Data Controller Details
For the purposes of processing your personal data we are the Controller. We are: Highfield Chiropractic Clinic, 48 Kedleston Road, Derby, DE22 1GW. Telephone number: 01332-346760. Email address: email@example.com
Data Protection Principles
In relation to your personal data, we will comply with data protection law. This says that the personal information we hold about you must be:
- processed fairly, lawfully and in a clear, transparent way
- collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with those purposes only used in the way that we have told you about and is accurate and up to date
- kept only as long as is necessary for the purposes we outline
- process in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed – kept securely
Types of information we hold about you
Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed. We may hold many types of data about you, including:
- your personal details including name, address, date of birth, email address, telephone numbers
- gender and marital status, number/age of children where applicable
- details of your occupation and employer where applicable
- details of any insurance company or medico legal representative where applicable
- next of kin/parent/guardian where applicable and their contact details
- personal medical or health information, including past medical history
- information concerning examination and treatment at your first and subsequent visits
- letters of referral to or from the clinic regarding your treatment with us
Special categories of data
There are “special categories” of more sensitive data which require a higher level of protection, such as information about your health.
We will use your special category data to:
- ensure the care you receive at the clinic is appropriate to your condition
- determine reasonable adjustments that should be made to allow access to the clinic or to treatment
We must process special categories of data in accordance with more stringent guidelines. We will process special categories of data when the following applies:
- you have given explicit consent to the processing (on our consent form)
- we must process the data in order to carry out our legal obligations
- we must process data for reasons of substantial public interest
- we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving consent, or where you have already made the information public
How we collect your data
Highfield Chiropractic Clinic keep both paper and electronic records. Information you write down on paper may be transferred to our electronic system. We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic.
Personal data is kept in the clinic and is either electronically secured via password or if a paper-based file, is stored in a secure area. Highfield Chiropractic Clinic is protected by a security/burglar alarm.
How we will use information about you
The law on data protection allows us to process your data for certain reasons only, these are the following circumstances:
- in order for us to carry out our contract with you (your requesting treatment and our agreement to provide it constitutes a contract) which will include confirming appointments, changing appointments or clinic arrangements, changes to facilities and services at the clinic
- in order to provide you with the best possible treatment by recording health and treatment information which would be in your best interest
- in order to carry out legally required duties such as those required by me by my government appointed regulator
- where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests
Situations in which we will use your personal information
We need all the categories of information to primarily allow us to perform our contract of treatment with you and to enable us to comply with legal obligations.
If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of care with us. If you do not provide us with the data needed to do this, we will be unable to perform that care to ensure your best interests are being maintained. We may also be prevented from continuing with your treatment with us due to our legal obligations.
Change of purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision making
Highfield Chiropractic Clinic do not use any system which uses automated decision making or profiling in respect of your personal data.
Sharing your data
Your data will be shared with colleagues within the clinic but only where necessary for them to undertake their duties. This includes, for example, other chiropractors working for, at or on behalf of the clinic, reception staff and administrative staff and may include your medical notes where applicable.
We may share your data with third parties in order to facilitate a referral to another healthcare practitioner, investigation or to keep your GP/insurer/medico legal representative informed about your progress with treatment.
We may also share your data with third parties as part of a Clinic sale or restructure, or for other reasons to comply with a legal obligation upon us. We would always keep you informed of these situations.
We do not share your data with bodies outside of the European Economic Area (EU).
Data security – Protecting your data
We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Clinic computers are password-protected, backups are cloud-based through our clinic software Clinic Office and are encrypted, security software (AVG) is installed on all clinic computers, paper files are securely stored and the clinic has a security/burglar alarm installed.
Where we share your data with third parties, we provide them with written instructions to ensure that your data is held securely and in line with GDPR requirements.
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your being a patient with us and we are legally required, by the Chiropractic regulator, to keep this information for 8 years after your time as a patient has ended. To determine any appropriate retention period for personal data beyond eight years we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.
Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security.
Your duty to inform us of any changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you.
- the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request either in writing or by email to Highfield Chiropractic Clinic
- the right for any inaccuracies to be corrected
- the right to be informed. This means that we must tell you how we use your data and this is the purpose of this privacy notice. We must also inform you of any changes in how we use your data
- the right to have your information deleted. You have the right to ask us to delete information from our systems where you believe there is no reason for us to continue processing it
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
- the right to portability. You may request the transfer of the data that we hold on you for your own purposes
If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Louise Oliver (Practice Manager) in writing.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for a second or subsequent copy of information or if you request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so. To withdraw consent, please contact Louise Oliver (Practice Manager) in writing.
Making a complaint
You should contact the Information Commissioner’s Office (ICO) via their website www.ico.org.uk should you wish to make a complaint about the way we are processing your personal data.