The purpose of this document is to explain to our patients and staff the lawful purpose of storing your personal data, and how we keep your information safe and secure.
The General Data Protection Regulation (GDPR) is EU-wide legislation that is currently being enacted into UK law and will become the 2018 Data Protection Act. This legislation will affect every business that handles personal data for customers or staff. Personal data is defined by the act as ‘any information relating to an identifiable person who can be directly or indirectly identified’; this includes such data as name and contact details.
The changes don’t alter what we use your personal information for but make it easier for you to
- find out how we use and protect your information, and
- understand your increased rights in relation to the information we hold about you.
Our Privacy notice makes reference to a number of third-party systems that assist us in the management and security of your data. The privacy policies relating to these third-party suppliers (data processors) may be viewed in more detail here. All third-party systems that we use are GDPR compliant and are not authorised by us to share your data.
Data We Collect
Sensitive information relating to your health, relevant medical history, and lifestyle is collected in part on the registration form and in part in the clinical notes our practitioners make during your appointments. Clinical notes collected by our practitioners are based on the information you have provided during your appointments and are held on our practice management system. Clinical notes made during your appointments can only be accessed by the practitioners at our clinic. Our support staff (receptionists) can access your contact information but they cannot access your clinical notes.
The practice management system is also used to generate invoices and receipts. Therefore details of your fee accounts are stored electronically. Your contact details and appointment history are shared with health insurance companies that may be funding your treatment.
Occasionally, medical records from other sources will be requested by your practitioner, with your signed consent. Any medical reports you have passed to us will be scanned and held on our practice management system.
You can view a sample registration form here.
How We Use Your Data
We use your personal data in the following ways:
- To accurately index your contact data, clinical notes, and fee account. The ability to quickly access the correct information for you is essential for continuity of care and for ensuring your fee account is accurate.
- To make clinical decisions about your diagnosis and treatment plans.
- To communicate with you about your appointments and treatment.
- To send exercise prescriptions to you.
- To comply with your various data requests for clinic notes, clinical reports, receipts, and so on.
- To generate invoices for any third parties that may be funding your treatment – such as health insurance providers.
- To send you communications relating to matters that affect the services we provide, such as changes to opening times during holidays, updates to booking procedures, or updates to our terms of business and policies.
- To send you communications relating to our services, special offers, and useful content. These communications will allow you to manage opt-in and opt-out preferences.
We conduct privacy impact assessments periodically to review and refine our data collection process. This will ensure that we are only collecting information relevant to the service we provide.
Website & Social Media Policy
Our website does not currently utilise cookies or lead generation pages.
Data Retention Policy
Our retention policy for clinical notes is determined by four factors:
- The statute of limitation on bringing litigation cases to court
- The requirements for record keeping, set by our Medical Malpractice Insurer
- The professional standards set out by the General Osteopathic Council, who are our statutory regulators.
- Record keeping requirements set out by HMRC for taxation purposes.
The retention of your records is also a valuable resource for you, especially if you return to the clinic after a long period.
As a result of the above considerations, your records (personal data and clinical notes) shall be kept for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, records will be kept for at least 7 years after they reach the age of majority (age 18).
How We Share Data
Access to your data within the clinic is restricted depending on the role of the employee/practitioner in the clinic. In this way, only practitioners have access to your clinical notes. Your contact information and fee accounts are accessible by all staff and practitioners at the clinic.
Best Reception is a virtual reception service that we retain to answer calls and book appointments on our behalf. They have access to your contact information and our diary for the sole purpose of booking and rescheduling appointments over the phone. At our request, they may call you to make appointment changes.
With your signed consent, we may write to other health professionals requesting them to share medical reports relevant to the treatment you receive at this clinic.
With your consent, we may write referral letters to your GP or other health care professionals whenever this is appropriate to your case.
Health Insurance and Cash Plan providers
From time to time, health insurance and cash plan providers call to verify your claims for fee reimbursement. As long as they can correctly identify you (name, date of birth and postcode) we will share information about the dates of your appointments. Any requested reports or clinic notes will only be given with your written consent.
Data access request
You may make a request to see a copy of the information we hold in our data systems. This is known as a subject access request. These copies are provided free of charge and take up to 30 days to process from the date of receiving your signed request form. Call the clinic on 020 8991 5280 to have a data access request form emailed or posted to you. You may also walk into the clinic and request one.
Clinic notes are usually written in short form, which would be decipherable by any practitioner of the same discipline or similarly qualified health professional. If you require the notes to be transcribed into long form (ie without abbreviation and jargon) then there will be a charge for the practitioner’s time taken to prepare any transcripts or reports. You will be notified of the charges at the time of making the request.
The requested information will be sent to you by email as a password protected PDF document. There is no charge for information sent by email. When you make a request you will be asked to confirm that you want your information sent to the email address that we currently hold. If a paper copy is requested, it can be collected by hand, or sent by post via the “signed for” Royal Mail service. There will be a charge to cover the cost of postage.
Third party requests for your clinic notes or reports must be accompanied by your original signed authorisation form. This form will usually be provided by the third party or you can request a form by calling the clinic on 020 8991 5280.
Staff competency and training
All staff are required to demonstrate the skills required to accurately and securely collect and process data. We review data collection procedures and staff training is provided where necessary. A copy of our Staff Data Security Declaration is available to view here. All staff are required to comply with the declaration.
All staff have access to the practice management system with security group settings appropriate for their roles. All staff have their own login credentials. They are instructed how to set strong passwords and are required to change them periodically. The user accounts of staff who no longer work here are immediately deactivated.
Devices connected to the Internet
All devices used in the clinic are firewalled, have up-to-date operating systems and are virus protected. Staff who have the privilege of remote access must apply the same security considerations to remote connections as they do to onsite connections. Access to PracticePal is set up to disconnect automatically after 30 minutes of inactivity.
We have two cameras in the clinic, both of which are in the retail area. They cover the front door and the reception desk. These low-definition cameras primarily act as a deterrent to theft and violent behaviour. They also provide a remote view into the clinic when the burglar alarm is triggered. The footage is stored on a hard drive for one month. We have the facility to save clips of footage if needed for evidence. All viewing of footage must be for a stated reason and must be logged. CCTV footage can only be viewed by the clinic management.
Card Payment Machine
Debit or credit card payments made in the clinic are processed by Worldpay. The chip and PIN terminal is managed and maintained by Worldpay. Staff regularly perform visual examinations of the machine for tampering, and Worldpay runs remote testing of the card machine. Card payments for bookings made using the online facility are processed by Stripe. Both companies are worldwide leading card payment handlers. All data associated with card payments is captured and stored by Worldpay and Stripe. See the privacy policies for Worldpay and Stripe here.
To comply with HMRC requirements, we retain payment card receipts for all transactions at the clinic. These are stored separately from any paper records containing your personal data. These receipts are kept for a maximum of 7 years.
Practice Management System
Your personal data and clinical notes are stored electronically on the previously mentioned practice management system known as PracticePal. PracticePal uses a 256-bit Secure Sockets Layer (SSL) certificate for its clients to access firewalled data. The PracticePal application is hosted on Rackspace cloud servers within the EU. Rackspace prides itself on being a world-class data centre with state-of-the-art security. Rackspace and PracticePal are compliant with the requirements of the Information Commissioner’s Office, the governmental body which enforces data security.
The online booking system is also powered by the PracticePal software used at the clinic. Therefore, any personal data captured when making online bookings is kept on the same platform as data captured at the clinic.
You can find the link to PracticePal’s Data Protection Policy here.
We use Google email at the clinic which, by default, creates a contact database. There is an email account for the reception and administration staff – firstname.lastname@example.org, and for individual practitioners eg email@example.com.
Text messages (often appointment confirmations and reminders) are sent from the practice management system – PracticePal. The IT administrator at the clinic has the ability to view emails on all accounts. The Head of Practice is the current IT Administrator.
Feedback forms are powered by Google Apps and are returned to us without your personal information. You may add your name, but this is optional.
You may also be contacted by email, requesting that you write a review about your customer experience on media platforms such as Google Maps. These requests will not be excessive.
Any bulk information downloaded for accounting or business analysis purposes will have any associated personal data removed from the dataset. Any reports from the practice management system containing patient data – ie receipts – are downloaded to a temporary folder which is deleted weekly. Any files uploaded to the practice management system – ie medical reports – are saved to the same temporary folder.
Content and Marketing Systems
Our Marketing communications include the following preferences. You will be able to manage whether you receive some, all or none of them.
- Birthday vouchers sent by SMS in the month of your birthday
- Useful articles about health and lifestyle matters
- Special offer prices for treatments
- Clinic events
If you were registered as a patient before the 25th May 2018, and we have your consent to opt into marketing communications, you will continue to receive these.
All patients will have the facility to opt in or out of our marketing communications at any time. You will also be able to manage preferences for the content you choose to receive.
We have a vulnerability management policy which involves assigning a risk ranking to our data and device security. We run internal and external vulnerability tests after any significant network changes and bi-annually as standard. The card payment company, Worldpay, run their own remote vulnerability tests on our payment device. Any suspicious events are logged and investigated.
The Information Commissioner’s office will be notified if an attempted data breach is found to be successful, whether it was by an outside malicious party or an internal staff error.
If you suspect that we are the source of any data security breach or compromise, please let the practice leader – Lola Phillips – know immediately.
Choice and Access
You have choices regarding our use of your personal data. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails you will continue to receive communications necessary to continue providing our services to you. These may include emails regarding your appointments and treatments, text reminders, and notifications regarding disruptions to service.
How you can access or change your Personal Data
If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by contacting us. If emailing us your request, please make clear in the email what personal data you would like to have changed. For your protection, we may only implement requests with respect to the personal data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as possible.
Right to Erase
You can make a request to exercise your right to have your data erased from our databases. In these cases, electronic data will be permanently erased, and hard copies of data will be securely destroyed. A request form must be submitted and we will give you our decision within 30 days. Your request will be considered in light of our retention policy and your circumstances.
We have a specialist contractor who will securely destroy paper records for us. Our practice management system has a permanent erase feature.
This document was compiled by:
Lola Phillips – Head of Practice
Eds Chesters – Practice Manager
Original post 12/05/2018
Updated post 04/06/2019 – Email requests for customer experience reviews