This Privacy Notice sets out the principles and practices adopted by Protec Physiotherapy & Acupuncture Clinic (“PPAC”) for assuring our compliance with the General Data Protection Regulation (GDPR). This Notice explains what Personal Data we collect from you and how we use it: how it is collected, how it is held and how it is processed. It also ex-plains your rights relating to your Personal Data.
Our registered address is: Tŷ Gwair, Llanwnda, Caernarfon, Gwynedd. LL54 5SD
The person responsible for Data Protection at PPAC is Alison Smith, who can be contacted at firstname.lastname@example.org.
Personal Data is defined by the GDPR as ‘any information relating to an identifiable per-son who can be directly or indirectly identified in particular by reference to an identifier’.
Personal Data is, in simpler terms, any information about you that enables you to be identified. For example, this could be your name or contact details.
We aim to provide you with the highest quality of health care. To do this, we must collect and keep information about you, your health and the care we have provided, or plan to provide. This could include:
• Your name, home address, email address, telephone number
• Your date of birth and gender
• GP details
• Job title and employer details
• Contact we have had with you, such as clinic visits
• Notes, letters and reports about your health
• Information about your treatment and care
• Results of x-rays and other tests
• Information that you provide in a health questionnaire
• Relevant information from people who care for you and know you well, such as health professionals and relatives
• Financial information in order to process payments
We use Google Analytics software to collect information about how you use our site. This includes IP addresses. The data is anonymised before being used for analytics pro-cessing. We do not store your personal information through Google Analytics (for exam-ple your name or address). We will not identify you through analytics information, and we will not combine analytics information with other data in a way that would identify who you are.
Your Personal Data is collected in a number of different ways. If you make a booking with us online via the online booking system, your Personal Data is collected on our behalf by a third party booking and management system. We may also collect Personal Data from you in person during your appointment, over the telephone or by email. If you are under 18, we may collect your Personal Data from your parent or guardian.
If you are referred to us, we may receive some of your Personal Data directly from a third party, for example from your GP or other health professional, or from your employer.
You either give your card details to us to process the payment on your behalf or these de-tails are entered by you directly into Stripe’s payment platform. We do not store your card details.
We rely on the following legal bases for collecting and using your Personal Data:
• To enter into a contract with you and to carry out our obligations to you under that con-tract
• Consent - you provide your consent for us to collect and store you Personal Data when you provide us with information whether online or in person
• Compliance with a legal obligation - we have a legal duty to record some of your Personal Data such as medical information in order to meet professional standards
• To pursue our legitimate interests - in order to keep our own internal records and in or-der to provide the best service and treatments available.
We use your Personal Data to:
• Communicate with you in order to provide the service you have requested under a con-tract or to take steps at your request prior to entering into a contract
• Make sure that decisions about your care and treatment are always based on accurate up-to-date information
• Investigate any concerns or complaints raised by you or your family
• Make sure your care is safe and effective
• Work effectively with other care providers
• To maintain our own accounts and records
• In order to comply with a legal obligation or in legal proceedings
• To inform you, with your consent and/or where permitted by law, about news, offers and changes to our services. We will always comply with our obligations under the Data Protection Legislation and you have the right to ask us to stop contacting you for marketing purposes at any time. We will not share your Personal Data with third parties for marketing purposes.
• In any other way where you have given your consent for that particular purpose
We remove your name and other details that could identify you so that we can use the information in your record anonymously to:
• Monitor and improve the quality of our service
• Make sure that the treatments and services we provide are meeting patients’ needs
• Train and educate staff
Some information will be held for statistical purposes. If so, we will take strict measures to ensure that patients cannot be identified.
To make sure you receive the care and treatment you need, we may need to share your Personal Data with other staff and organisations. We will not share your Personal Data with these third parties unless there is a medical need or legal obligation for us to do so. This may include:
• Your GP, pharmacies and dentists
• Hospitals, walk-in centres, out of hours doctors, NHS direct
• Community services such as nurses, midwives and therapists
• Local authority departments, including social services, education and housing
• Voluntary care organisations
• Private sector organisations such as private hospitals, care homes and hospices
In some limited circumstances, we may be legally required to share certain Personal Data, which might include yours, if we are involved in legal proceedings or to comply with our legal obligations.
We are always seeking to improve patient care. On occasion, we may carry out research or contribute to research to find the most effective ways of treating and delivering ser-vices.
Research that involves patients or their Personal Data requires written, informed consent. If applicable, you will be informed exactly what information will be collected and who will have access to it. Where possible, personal identifiable information will be removed and/or records anonymised.
Under the Data Protection Legislation, you have the following rights:
a) The right to be informed about our use of your Personal Data. This Privacy Notice should tell you everything you need to know, but you can contact us if you have any questions about your Personal Data and our use of it.
b) The right to be provided with a copy of the Personal Data we hold about you. Any requests should be made in writing to the email address provided.
c) The right to have your Personal Data rectified if it is inaccurate or incomplete.
d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dis-pose of any of your Personal Data that we hold.
e) The right to restrict the processing of your Personal Data.
f) The right to object to us using your Personal Data for a particular purpose.
g) The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your Personal Data, you are free to withdraw that consent at any time.
h) The right to receive your Personal Data in order to transmit it directly to an-other data controller (known as the right to data portability). This right only applies where we are processing your Personal Data with your consent or for the performance of a contract with you and in either case we are pro-cessing the data by automated means.
i) Rights relating to automated decision-making and profiling. We do not use your Personal Data in this way.
j) The right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first.
We will not keep your Personal Data for longer than is necessary in light of the reasons for which it was first collected. We will process your Personal Data during the period of your treatment and will keep the Personal Data that we are legally required to keep for a period of 8 years after the end of our contract with you. After eight years your Personal Data will be deleted, unless there are some basic details that we are obliged to keep. Records concerning minors who have received treatment will be retained until the child has reached the age of 25. We may keep your Personal Data for longer if there are actual or potential legal proceedings that require the use of your Personal Data or if there is an-other regulatory or legal duty on us to do so.
Everyone working for PPAC has a legal duty to keep information about you confidential. We also have a duty to:
• Maintain full and accurate records of the care we provide to you
• Keep records confidential, secure and accurate
Help us keep your Personal Data up to date and safe
• Let us know of any changes to your name or contact details
• Keep a note of your unique NHS number
• Tell us if any information in your record is incorrect
• Tell us if you change your mind about consenting to sharing the information in your record
• Don’t let anyone - insurers, mortgage lenders, employers, solicitors - look at your records unless you are sure it is necessary
We may change this Privacy Notice from time to time. This may be necessary, for exam-ple, if the law changes, or if we change our business practices in a way that affects personal data protection.
Any changes will be made available on our website.
For more information about your rights under the GDPR visit www.ico.gov.uk, call 0303 123 1113 or write to:
Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF
To exercise all relevant rights, or with queries or complaints, contact Alison Smith at email@example.com