This Privacy notice concerns how your personal data is recorded, processed and stored by Oxted Sports Therapy. The Data Protection Act 1998 is being replaced with the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018.
So why is this important?
This is important for you because it explains why and how we record, store and process your personal data when you consent to receive physical therapy in our clinic or in a home setting. Processing personal data refers to how this information about you is collected, recorded, organised, stored and destroyed. We are confident that your data is being cared for responsibly and in accordance with the law.
1) Lawfulness, fairness and transparency principle
- ‘Data Controller’: Rebecca Coomber, firstname.lastname@example.org, 07825 040310, working from 224 Pollards Oak Road, Hurst Green, Surrey, RH8 0JB.
- ‘Legitimate interest’ refers to why we collect your personal data. This allows us to collect relevant medical and lifestyle data that allows us to carry out the best treatment possible for you. We never collect more data than is required to complete our role as Therapist.
- ‘Data Processing’ refers to the type of data we record. This will include your name, address, email and contact phone numbers, now including a next of kin. We will also conduct a lifestyle review, a medical questionnaire and details of your treatment requirements. All treatments will be recorded on this file and kept up to date. You can apply for copies of your details by written request. We will reply within 1 month from the receipt of the request. Charges are at the discretion of the therapist.
- ‘Consent’: with your signed consent, we are able to contact you via email/other means of communication to remind you of appointments, summarise care instructions/exercises etc. Your information will never be used beyond the boundaries of our scope of practice, with the exception of Article 9 Vital Interests, where your medical and contact details may be used in the case of an emergency situation, especially a life or death situation. Consent can be withdrawn in writing at any time.
- ‘Consent for Children’: for children up to the age of 16 years, proof of age will be required, and consent must be signed by a Parent or Guardian and comply with the safeguarding of children (Article 8).
- ‘Contract’: by agreeing consent, you enter into a data contract with the therapist allowing your data to be recorded, processed and stored to allow the therapist to treat you in accordance with the GDPR.
- ‘Data storage’: your data is recorded on paper and stored in a locked facility within secure locked premises. Your records will move from this location to the secure clinic environment where only the therapist has access to your medical record. Your medical record will then return to the locked secure facility with the therapist at the end of the working day. No other person/s has access to this storage facility.
- ‘Data retention period’ In accordance with the law, we are required to hold your medical files for 7 years from the date of your last treatment (or age 25 if this is longer). An adult is a person 18 years of age. Children up to age 21 assuming their last treatment was before their 18th After this period you can request that your details be destroyed. Where mental health conditions are involved, this retention period may be longer, up to an additional 3 years.
- ‘Data Erasure’: in accordance with the legal requirements of holding medical data (see above), you can request erasure of your data in writing to Rebecca Coomber.
- ‘Individual Rights’: these are your individual rights:
  - The right to be informed
  - The right of access
  - The right to rectification
  - The right to erasure
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - And the right not to be subject to automated decision making including profiling
2) Purpose Limitation Principle
If we collect information for a consultation process, we cannot and shall not share your data for marketing purposes.
3) Data Minimisation Principle
We shall never ask for more data than is required to carry out the duty of care to you as our client, allowing us to do our job.
4) Accuracy Principle
Information stored shall be accurate and up to date. Medical records will be updated within 48 hours post treatment. Any changes to personal details should be reported to the Data Controller (Rebecca Coomber).
5) Storage Limitation Principle
See section 1, Data Storage.
6) Integrity and Confidentiality Principle
This refers to the protection of your personal data from unauthorised or unlawful processing and against accidental loss, destruction or damage of your data.
If you feel that your data is being mishandled, you have the right to complain. Complaints must be addressed in writing to Rebecca Coomber. If you feel that this is not satisfactory, you have the right to complain to the Information Commissioner's Office.