JURASSIC COAST OSTEOPATHY PRIVACY STATEMENT - HOW WE COLLECT & USE YOUR PERSONAL DATA AND KEEP IT SECURE AND CONFIDENTIAL (UPDATED JANUARY 2021)
WHO OR WHAT IS JURASSIC COAST OSTEOPATHY?
It is an osteopathic practice in Weymouth; the principal is Helena Greenwood, Registered Osteopath, and Vitor Abreu Da Costa, Registered Osteopath, works at the clinic as an Associate. As an osteopathic practice, we diagnose & treat health conditions, and treatments are carried out according to the standards of our registering body, the General Osteopathic Council http://www.osteopathy.org.uk/standards/osteopathic-practice/. In addition, our Osteopaths are members of the Institute of Osteopathy and work in accordance with their patient charter http://www.iosteopathy.org/osteopathy/the-patient-charter/.
WHY AM I READING THIS?
Under the General Data Protection Regulations (GDPR) 2018, all European businesses must tell you what ‘personal data’ they hold about you, their data protection policies to ensure that it is not used (‘processed’) in an illegal way and your rights to access it.
WHAT IS ‘PERSONAL DATA’ AT JURASSIC COAST OSTEOPATHY?
Anything we store on paper or electronically about you that is not already in the public domain and that could identify you, e.g. your full name, address, telephone number, email address, medical history, IP address (from visiting our website), payment card details (by using our card payment machine). Medical details are 'special category' data, i.e. considered sensitive, which puts even greater requirements on us to ensure they are kept safe & secure.
HOW DO YOU USE MY PERSONAL DATA?
For the purpose of providing treatment, we may require detailed medical information; we will only collect what is relevant and necessary for your treatment. When you visit our practice, we will make notes which may include details concerning your medication, treatment and other issues affecting your health. This data is always held securely and is not shared with anyone not involved in your treatment without your consent. Older notes are held securely on paper and from November 2020 we have held notes online with practice management software Cliniko. We cannot treat you if you do not give us explicit consent to create and store these notes.
Contact details provided by you such as telephone numbers, email addresses, postal addresses may be used to remind you of future appointments & provide reports or other information concerning your treatment. Contact details (but not medical records) are accessed by Reception Staff at Lynch Lane Offices who have signed GDPR and confidentiality agreements as 'Data Processors' and similar arrangements will be put in place with any 3rd party remote reception service we engage in future.
For marketing purposes, we ask for your consent to use your email address for our occasional (quarterly) newsletter in our online consent form prior to attending for your first appointment. If you do give us consent to use your email address for this purpose, you can ask at any time to be removed from our marketing database by emailing or phoning the practice using the contact details provided at the end of this Privacy Notice, or using the ‘unsubscribe’ link in one of our newsletters.
Some basic personal data may be collected about you from the marketing forms and surveys you complete, from records of our correspondence and phone calls and details of your visits to our website, including but not limited to, personally identifying information like Internet Protocol (IP) addresses; we do not use this information for profiling. We may occasionally also act on behalf of patients in the capacity of data processor, when we may promote other practitioners based at our premises, who may not be employed by us.
Jurassic Coast Osteopathy will only collect the information needed so that we can provide you with the services you require; the business does not sell or broker your data.
WHAT IS YOUR LEGAL BASIS FOR DATA PROCESSING?
Our ‘legitimate interest’ as a provider of osteopathic care is to promote treatments to patients with all kinds of health problems; to do that, we hold your name & contact details to respond to your enquiries and, if you have opted in to our email marketing list or emailed us an enquiry, we will send you relevant information.
We process data to pursue this legitimate interest and to meet our ‘contractual obligation’ when you come to us for help to provide safe & effective osteopathic care by taking a full medical history and keeping records that meet GDPR and our professional obligations with the registering body for osteopaths, the General Osteopathic Council.
WHAT AM I GIVING YOU PERMISSION TO DO WITH MY DATA?
Through agreeing to this privacy notice you are consenting to Jurassic Coast Osteopathy (and those companies mentioned above) processing your personal data for the purposes above. You can withdraw consent at any time by using the postal, email address or telephone number provided at the end of this Privacy Notice (with exceptions as outlined below in relation to legal requirements of holding medical notes).
HOW WILL YOU KEEP MY INFORMATION SAFE?
Jurassic Coast Osteopathy will keep your personal information secure; only therapists engaged in providing your treatment will have access to your patient records, and our Reception service will have access to your contact details so that they can make appointments only. We will not disclose your Personal Information unless compelled to in order to meet legal obligations, regulations or valid governmental requests. The practice may also enforce its Terms and Conditions, including investigating potential violations of its Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of its staff.
HOW LONG DO YOU KEEP IT?
Jurassic Coast Osteopathy will store only the personal data needed for eight years after the contract (treatment) has expired to meet any legal and professional obligations. After eight years all personal data will be deleted, unless basic information needs to be retained by us to meet our future obligations to you, such as erasure details. Records concerning minors who have received treatment will be retained until the child has reached the age of 25. These are a requirement of our registering body, the General Osteopathic Council.
WHERE DO YOU KEEP IT?
All paper-based patient notes are held securely at the clinic in a locked cabinet in a locked room that only Helena Greenwood & any osteopaths working as associates or locums for Jurassic Coast Osteopathy have access to. Electronic notes are stored by Cliniko on UK servers. In the event of Helena's incapacity or death, associate Vitor Abreu Da Costa has access to Cliniko electronic notes and arrangements have been made with another local Osteopath (Jenny Glover, Weymouth) for paper archives to be transferred to her for the sole purpose of storage to meet the requirements of holding files for 8 years after the last consultation as above should Vitor be unable to store them.
All online personal data is held in the UK with the following exceptions, which are US Privacy Shield and EU GDPR compliant unless otherwise stated – Mailchimp (marketing), Google Mail (mail); Yola (website & mail); Sitewit (site optimisation for Jurassic Coast Osteopathy – does not store identifiable personal data so is outside the terms of the GDPR see https://www.sitewit.com/privacy-policy/). Jurassic Coast Osteopathy uses iZettle and SumUp for payments; if you provide your email address for receipt purposes, it will not be used for any other reason.
WHAT ARE MY RIGHTS?
At any point whilst Jurassic Coast Osteopathy are in possession of, or processing your personal data, you can:
- Request a copy of the information we hold about you or that we correct anything that is inaccurate or incomplete.
- In certain circumstances you can ask for the data we hold about you to be erased from our records (excluding paper notes as above) or restrict the processing.
- You have the right to have the data we hold about you transferred to another organisation – because our records are held on paper, this will either be as a paper copy or as a scanned file of the paper copy.
- You have the right to object to certain types of processing such as direct marketing – you can withhold your consent or withdraw it as explained previously.
- You have the right not to be subject to the legal effects of automated processing or profiling – Jurassic Coast Osteopathy does not do either of these things.
In the event that Jurassic Coast Osteopathy refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge. At your request Jurassic Coast Osteopathy can confirm what information it holds about you and how it is processed.
HOW DO I ACCESS MY DATA?
We ask that you (or your representative) complete a subject access request form & provide appropriate identification. Jurassic Coast Osteopathy will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your driving licence, passport or birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If Jurassic Coast Osteopathy is dissatisfied with the quality, further information may be sought before personal data can be released. All requests should be made to firstname.lastname@example.org or by phoning +44 (0) 7805 650667.
HOW DO I COMPLAIN ABOUT HOW MY DATA IS BEING PROCESSED?
In the event that you wish to make a complaint about how your personal data is being processed by Jurassic Coast Osteopathy you have the right to complain to us. If you do not get a response within 30 days, you can complain to the ICO. The details for each of these contacts are:
Data Controller: Helena Greenwood, Jurassic Coast Osteopathy, Telephone: 07805 650667 or email: email@example.com
ICO - Wycliffe House, Water Lane, Wilmslow, SK9 5AF Telephone +44 (0) 303 123 1113 or email: https://ico.org.uk/global/contact-us/email/