We are a Data Controller under the terms of the General Data Protection Act 2018 and the requirements of the EU General Data Protection Requirement. This Privacy Notice explains what personal data the Practice holds, why we process it, who we might share it with and your legal rights and freedoms.
Types of Personal Data
The Practice holds personal data in the following categories: patient clinical and health data and contact details (name, address, email and telephone). Practitioner and other contractors' data and contracts are also held.
Why we process Personal Data
‘Process’ means we obtain, store, update and archive data.
Patient data is held for the purpose of providing patients with appropriate, high quality, safe and effective massage care and treatment. Information collected is sufficient for the purpose of making informed clinical decisions. Practitioner and other contractor’s data is held for the purpose of fulfilling contractual obligations.
What is the lawful basis for processing patient’s personal data?
We use the lawful basis of fulfilment of contract and legitimate interest for processing your medical record and sending you health information and exercises relating to your condition. Your medical record is processed as Special Category Data under Article 9 2(h) of the GDPR.
How do we collect and store your personal data?
Your contact details are collected when you make an appointment, either by phone or on-line. They are used to send you an appointment confirmation or when you subscribe to the mailing list (which you can unsubscribe from at any time). Medical information is collected by practitioners during the first visit/telephone consultation; ongoing treatment notes will be taken at subsequent appointments.
How long do we keep your records for?
Practitioners will process patients' medical and treatment data for the duration of any treatment and will continue to store only the personal data needed for eight years after the contract has expired and to meet legal obligations. After this time all personal data will be deleted, unless basic information needs to be retained by us to meet our future obligations to you. The law also requires that records concerning minors receiving treatment be retained until the child has reached the age of 25.
We must store practitioner data for six years after they have left and we must store contractor data for seven years after the contract has ended.
At your first appointment you will be asked to verbally confirm ‘Consent to Treatment’. Patient data may also be used from time to time to give you information about the Practice. You can opt in/out to this at any time. Parents must give consent for communication with children under 16 years of age.
Who might we share the data with?
We can only share data if it is done securely and it is necessary to do so; your permission will always be sought first. Patient data might be shared with other healthcare professionals who need to be involved in your care, for example your GP.
All electronic data is password protected and access to information can be restricted as appropriate. Systems are kept updated and antivirus security systems are in place and updated. Any paper-based documentation will be stored in a secure locked container. Any data breaches will be investigated and reported to the Information Commissioner's Office within 72 hours by the appointed person (see below). Patients will be informed if we believe a data breach has occurred.
You have the right to:
be informed about the personal data we hold and why we hold it
access a copy of the data we hold by contacting us directly; we will acknowledge your request and supply a response within one month or sooner
check that the information we hold about you is correct and have it corrected if not
have your data erased in certain circumstances (due to our legal obligation we cannot delete your health record, but we can remove you from our mailing list if you so request)
transfer your data to someone else if you tell us to do so and it is safe and legal to do so
What if you’re not happy or wish to raise a concern about our data processing?
You can raise any concerns about our data processing with our Data Controller, who may be contacted at Holly's Sport Massage at firstname.lastname@example.org for the attention of Holly Rolfe, and we will do our best to resolve the matter.
If I or someone I know has been in contact with someone who is positive with Covid-19, or has been contacted by NHS Test & Trace, I will inform you.