Data Privacy PolicyPrivacy policy updated 11/06/2020Privacy Information   IntroductionExplaining the legal bases we rely onWhen do we collect your personal data?What sort of personal data do we collect?How and why do we use your personal data?How we protect your personal dataHow long will we keep your personal data?Who do we share your personal data with?What are your rights over your personal data?How can you stop the use of your personal data for direct marketing?Right to EraseHealth Insurance and Cash Plan providersSecurityApplications and third party software used   Introduction ​ We know that there’s a lot of information here but we want you to be fully informed about your rights, and how Health in Motion uses your data.   The purpose of this document is to explain to our patients and staff the lawful purpose of storing your personal data, and how we keep your information safe and secure.  The General Data Protection Regulation (GDPR), is EU wide legislation, and is currently being enacted into UK law and will become the 2018 Data Protection Act.  This legislation will affect every business that handles personal data for customers or staff. Personal data has been defined by the act as ‘any information relating to an identifiable person who can be directly or indirectly identified’, this will include such data as name and contact details.  The changes don’t alter what we use your personal information for but make it easier for you to find out how we use and protect your information, and understand your increased rights in relation to the information we hold about you. We will only use your data for the purpose it was collected, which is explained in this privacy policy.  Our Privacy notice makes reference to a number of third-party systems that assist us in the management and security of your data. The privacy policies relating to these third-party suppliers (data processors) may be viewed in more detail here.  All third party systems that we used are GDPR compliant and are not authorised by us to share your data. ​ ​   2.  Explaining the legal bases we rely on  The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.   There are several bases for which we collect your data: ​ Consent   In specific situations, we collect and process your data with your consent. For example, when you tick a box to receive email newsletters in our first consultation form.   Legal compliance   If the law requires us to, we may need to collect and process your data.  For example, we have to collect your personal data to process and retain payment details for osteopathy treatments, as these constitute financial transactions. We also have a legal requirement to collect, process and retain medical or clinical data about you, when you attend for treatments.   Special Category Data   If you are a patient, medical and clinical data about you is classified as Special Category Data. When we collect this data, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services ​ When do we collect your personal data?  We collect personal data when you initially book and attend appointments.  Limited personal data is collected when you make your first booking, such as name, email address, date of birth and mobile telephone number. This data allows us to send you text confirmations and reminders for all your appointments.   What sort of personal data do we collect?  If you attend one of our clinic appointments or treatments, we record details such as your name, address, gender, date of birth, email, telephone number and any relevant medical history. We also record details of the appointment, what happened, what treatment and advice was provided or recommendations made. If you provide us with any medical documentation, we may also record a copy of this in our system.   Sensitive information relating to your health, relevant medical history, and lifestyle is in part collected on the registration form in the clinical notes our practitioners make during your appointments.  Clinical notes collected by our practitioners are based on the information you have provided during your appointments and held on our practice management system. Clinical notes made during your appointments can only be accessed by the practitioners at our clinic.  Our support staff (receptionists) can access your contact information but they cannot access your clinical notes.  The Practice management system is also used to generate invoices and receipts.  Therefore details of your fee accounts are stored electronically.  Your contact details and appointment history is shared with health insurance companies that may be funding your treatment.  Occasionally, medical records from other sources will be requested by your practitioner, with your signed consent.  Any medical reports you have passed to us will be scanned and held on our practice management system. ​ How and why do we use your personal data?  We want to give you the best possible customer experience. In addition, we have legal obligations in respect of financial data and medical or clinical data. Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for. For example, if you’ve asked us to let you know when an event is happening, we can’t do that if you’ve withdrawn your general consent to hear from us.   Here’s how we’ll use your personal data and why:   To accurately index your contact data, clinical notes, and fee account.  The ability to quickly access the correct information for you is essential for continuity of care and for ensuring your fee account is accurate. To make clinical decisions about your diagnosis and treatment plans. To communicate with you about your appointments and treatment. To send exercise prescriptions to you. To comply with your various data requests for clinic notes, clinical reports, receipts, and so on. To generate invoices for any third parties that may be funding your treatment – such as health insurance providers. To send you communications relating to matters that affect the services we provide, such as changes to opening times during holidays, updates to booking procedures, or updates to our terms of business and policies. To send you communications relating to our services, special offers, and useful content. These communications will allow you to manage opt-in and opt-out preferences.   We conduct privacy impact assessments periodically to review and refine our data collection process.  This will ensure that we are only collecting information relevant to the service we provide. ​ How we protect your personal data  We know how much data security matters to all our customers and patients. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it. We insist that access to all transactional areas of our websites and systems use ‘https’ technology.   Access to systems containing your personal data is password-protected, and sensitive data such as payment card information is secured to ensure it is protected. We limit the number of people that have access to our systems and your data and only give access to those who absolutely require it. We work with the suppliers of our business systems to regularly monitor our system for possible vulnerabilities and attacks. ​ How long will we keep your personal data?  Our retention policy for clinical notes is determined by 4 factors  The statute of limitation on bringing litigation cases to court The requirements for record keeping, set by our Medical Malpractice Insurer The professional standards set out by the General Osteopathy Council who are our statutory regulators. Record keeping requirements set out by HMRC for taxation purposes.  The retention of your records is also a valuable resource for you, especially if you return to the clinic after a long period.  As a result of the above considerations, your records (personal data and clinical notes) shall be kept for at least 7 years following the last occasion on which treatment was given.  In the case of treatment to minors, records will be kept for at least 7 years after they reach the age of majority (age 18).  Who do we share your personal data with?  Access to your data within the clinic is restricted depending on the role of the employee/practitioner in the clinic. In this way, only practitioners have access to your clinical notes. Your contact information and fee accounts are accessible by all staff and practitioners at the clinic.  Best Reception, is a virtual reception service that we retain to answer calls and book appointments on our behalf.  They have access to your contact information and our diary for the sole purpose of booking and rescheduling appointments over the phone.  At our request, they may call you to make appointment changes. With your signed consent, we may write to other health professional requesting them to share medical reports relevant to the treatment you receive at this clinic. With your consent, we may write referral letters to your GP or other health care professionals whenever this is appropriate to your case.​  What are your rights over your personal data?  Data access request  You may make a request to see a copy of the information we hold in our data systems. This is known as a subject access request.  These copies are provided free of charge and take up to 30 days to process from the date of receiving your signed request form. Call the clinic on 020 8991 5280 to have a data access request form emailed or posted to you.  You may also walk into the clinic and request one. Clinic notes are usually written in short form, which would be decipherable by any practitioner of the same discipline or similarly qualified health professional. If you require the notes to be transcribed into long form (i.e. without abbreviation and jargon) then there will be a charge for the practitioner’s time taken to prepare any transcripts or reports.  You will be notified of the charges at the time of making the request. The requested information will be sent to you by email as a password protected PDF document.  There is no charge for information sent by email. When you make a request you will be asked to confirm that you want your information sent to the email address that we currently hold.  If a paper copy is requested, it can be collected by hand, or sent by post via the “signed for” Royal Mail service.  There will be a charge to cover the cost of postage.  Third party requests for your clinic notes or reports must be accompanied by your original signed authorisation form.  This form will usually be provided by the third party or you can request a form by calling the clinic on 020 8991 5280. You can contact us to request to exercise these rights at any time as follows: To ask for your information please contact osteopath@healthinmotion.org.uk . To ask for your information to be amended or deleted please update your own account on our online portal or contact our administration team on the above email.  If we choose not to action your request we will explain to you the reasons for our refusal.  Your right to withdraw consent:  Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.   Where we rely on legal complianceIn cases where we are processing your personal data on the basis of legal compliance, we may not be able to delete or amend your data. Where we rely on our legitimate interest In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.  We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.   Checking your identity   To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. Health in Motion will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If Health in Motion is dissatisfied with the quality, further information may be sought before personal data can be released. In the case of a child, identity will be confirmed for both the child and their parent or guardian making the access request. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.  ​ How can you stop the use of your personal data for direct marketing?  You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails you will continue to receive communications necessary to continue providing our services to you. These may include emails regarding your appointments and treatments, text reminders, and notifications regarding disruptions to service. Click the ‘unsubscribe’ link in the email communication that we send you. We will then stop any further emails from that particular system.  Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.  Right to EraseA can make a request to exercise your right to have your data erased from our databases. In these cases, electronic data will be permanently erased, and hard copies of data will be securely destroyed.  A request form must be submitted and we will give you our decision in up to 30 days. Your request will be considered in light of our retention policy and your circumstances. We have a specialist contractor who will securely destroy paper records for us.  Our practice management system has a permanent erase feature.  Health Insurance and Cash Plan providersFrom time to time, health insurance and cash plan providers call to verify your claims for fee reimbursement.  As long as they can correctly identify you (name, date of birth and postcode) we will share information about the dates of your appointments.  Any requested reports or clinic notes will only be given with your written consent.   Security Staff competency and training All staff are required to demonstrate the skills required to accurately and securely collect and process data. We review data collection procedures and staff training is provided where necessary. A copy of our Staff Data Security Declaration is available to view here.  All staff are required to comply with the declaration. All staff have access to the practice management system with security group settings appropriate for their roles.  All staff have their own login credentials.  They are instructed how to set strong passwords and are required to change them periodically.  The user accounts of staff who no longer work here are immediately deactivated.  Devices connected to the Internet All devices used in the clinic are firewalled, have up to date operating systems and are virus protected. Staff who have the privilege of remote access connection must give the same considerations as they do to onsite connections. Access to PracticePal is set up to disconnect automatically after 30 minutes of inactivity.   CCTV We have two cameras in the clinic, both of which are in the retail area. They cover the front door and the reception desk. These low definition cameras primarily act as a deterrent to theft and violent behaviour. They also provide a remote view into the clinic when the burglar alarm is raised. The footage is stored on a hard drive for one month. We have the facility to save clips of footage if needed for evidence.  All views of footage must be for a stated reason and logged. CCTV footage can only be viewed by the clinic management.  Card Payment Machine Debit or credit card payment made in the clinic are processed by Worldpay.  The chip and pin terminal is managed and maintained by WorldPay. Staff regularly perform visible examinations for tampering of the machine and WorldPay run remote testing of the card machine. Card payments for bookings made using the online facility are processed by Stripe.  Both companies are worldwide leading card payment handlers.  Any mass data associated with card payments are captured and stored by Worldpay and Stripe. See privacy policies for Worldpay and Stripe here. To comply with HMRC requirements, we retain payment card receipts for all transactions at the clinic.  These are stored separately from any paper records containing your personal data.  These receipts are kept for a maximum of 7 years.  Applications and third party software used  Practice Management System Your personal data clinical notes are stored electronically on the previously mentioned practice management system known as PatientPal. PatientPal uses a 256-bit secure socket layer certificate for their clients to access firewalled data. The PatientPal application is hosted on RackSpace cloud servers within the EU. RackSpace prides themselves on being a world-class data center with state of the art security. RackSpace and PatientPal are compliant with the governmental body which enforces data security, the Information Commissioner’s Office.  The online booking system is also powered by the PracticePal software used at the clinic.  Therefore, any personal data captured when making online bookings are kept on a common platform to data captured at the clinic.  You can find the link to Practicepal’s Data Protection Policy here  Email System We use Google email at the clinic which, by default, creates a contact database. There is an email account for the reception and administration staff – osteopath@healthinmotion.org.uk, and for individual practitioners eg lola@healthinmotion.org.uk.  Text messages (often appointment confirmations and reminders) are sent from the practice management system – PracticePal.  The IT administrator at the clinic has the ability to view emails on all accounts.  The Head of Practice is the current IT Administrator.  Feedback forms Feedback forms are powered by Google Apps and are returned to us without your personal information. You may add your name, but this is optional. You may also be contacted by email, requesting that you write a review about your customer experience on media platforms such as Google Maps.  These requests will not be excessive.  Database downloads Any bulk information downloaded for accounting or business analysis purposes will have any associated personal data removed from the dataset.  Any reports from the practice management system containing patient data – ie receipts are downloaded to a temporary folder which is deleted weekly.  Any files uploaded to the practice management system – ie medical reports, are saved to the same temporary folder.  Whatsapp We have set up a WhatsApp chat facility that can be accessed from our website. This is synchronised with our google contact database. WhatsApp will allow you to chat with a clinician outside of clinic hours. You could also be able to receive broadcasts through the chat, in case you opted in to receive this service. You can find the link to WhatsApp privacy policy here.   Exercise Prescriptions  We use a cloud-based application called Rehab My Patient to generate your exercise prescriptions. The application stores your name and email address along with the history of exercise programs we have compiled for you.  Rehab My Patient is GDPR compliant.  You can find the link to their privacy policy here.  Video consultation In case a face to face cannot be carried out, we use Zoom for telehealth consultations. You can find the link to their privacy policy here  Content and Marketing Systems Our Marketing communications include the following preferences.  You will be able to manage whether you receive some, all or none of them.  Birthday vouchers sent by SMS in the month of your birthday Useful articles about health and lifestyle matters Special Offers prices for treatments Clinic events  If you were registered as a patient before the 25th May 2018, and we have your consent to opt into marketing communications, you will continue to receive these. All patients will have the facility to opt-in or out of our marketing communications at any time. You will also be able to manage preferences for the content you chose to receive.  Vulnerability Management We have a vulnerability management policy which involves assigning a risk ranking to our data and device security. We run internal and external vulnerability tests after any significant network changes and bi-annually as standard. The card payment company, Worldpay, run their own remote vulnerability tests on our payment device.  Any suspicious events are logged and investigated.  The Information Commissioner’s office will be notified if an attempted data breach is found to be successful, whether it was by an outside malicious party or an internal staff error. If you suspect that we are the source of any data security breach or compromise, please let the practice leader – Lola Phillips – know immediately.   Updates to this privacy policy We may change this privacy policy to reflect improvements and changes in legislation. The title of this privacy policy indicates when this privacy policy was last revised. Any changes are effective when we post the revised privacy policy on our website. Electronic updates of this policy have the same meaning and effect as if we had provided you with a hard copy.  This document was compiled by:-Lola Phillips – Head of PracticeEds Chesters – Practice ManagerOriginal post 12/05/2018Updated post 11/06/2020 – Email requests for customer experience reviews