To carry out our work it’s necessary for us to collect, process and store certain information about you. Some of this information can be used to identify you, e.g. your name, address and date of birth, and some of it will also be sensitive, e.g. health records, other people’s information, and your credit card and financial details.
Recent changes in legislation require us to inform you of:
- What data we process and where we obtain it
- What is the legal basis under which we process the data
- How we intend to use your data
- How long we will keep the data
- Your rights regarding the data we hold about you
- Your right to complain to the Information Commissioner’s Office
Please be confident that Pocklington Osteopaths takes the security and confidentiality of your personal data very seriously.
- What data do we process, and where do we get it from?
The data we process includes, but is not necessarily limited to, your name, address, date of birth, telephone numbers, email addresses, and medical and personal information; it may also include financial information, medical information about other family members, details of your insurance company, your employer or details of your work history.
This information will be collected from personal communications with you, such as phone conversations, email exchanges, letters, text messages and during consultations or meetings.
We may receive information from third parties, if, for instance, we get a referral letter from another practitioner.
If you book an appointment online or visit our website, other information may also be collected about you by our website provider or our practice management software. This information may include your location, your internet service provider, your IP address and the type of device and software you are using to access the website.
- What is the legal basis for processing your data?
The new legislation provides different legal bases for the processing of data, and we are required to identify which legal basis suits each purpose. The bases include consent, legitimate interest, contract and legal requirement. Some types of data may be processed under different legal bases depending on their use, e.g. your name may be required as part of a contract between us when you ask us to carry out a service, used to fulfil a legal obligation if required by law, used for marketing purposes with your consent, or used under legitimate interest for record keeping in the administration of the business.
- Contractual information
This is likely to include personal information you provide to us in the formation of the contract between us, as detailed in our terms and conditions. We will continue to process this information until our contract ends or is terminated by either party under the terms of the contract.
- Information we process with your consent
This may include information which you pass on to us when there is no contractual relationship between us, such as when you use our website, or when you give us personal information so that we can reply to enquiries about our services.
This basis will be used for the processing of your medical data and that of your family. If you need us to contact third parties on your behalf, such as your employer, your medical insurance company, or other health practitioners, these processes would also be carried out using consent as the legal basis. Your data will never be shared with third parties without your consent unless we are required by law to release the information without it.
This basis will be used to allow us to contact you for marketing purposes.
We will continue to process your information on this basis until you withdraw your consent or it can be assumed your consent no longer exists. You may withdraw your consent at any time by writing to us or emailing us at the addresses above, but please be aware that we may not be able to provide our services if you withdraw this consent.
- Information we process for the purposes of legitimate interests
Data is likely to be processed under this basis for the purpose of business administration and record-keeping, for example the production of invoices or receipts, or in the pursuit of our legitimate interest to carry out the diagnosis and osteopathic treatment of our patients.
- Information we process as a legal requirement
This is data we are required to process to comply with the law or a statutory obligation.
- How we use your data
Your data is collected from you in the ways detailed above, and these are some of the purposes it is used for:
- Identifying you in our communications with and about you and for the purposes of your medical records.
- Establishing a diagnosis and keeping a record of treatments and outcomes.
- Communicating with you for the purposes of creating appointments, sending appointment reminders, sending invoices / receipts, sending exercise plans.
- Communicating with you for the purposes of sending you information of interest, or information about new services we may provide or products we may introduce.
- Communicating with others on your behalf, for example in a referral letter to another health care practitioner.
- Carrying out transactions such as processing credit card payments.
- Carrying out necessary processing within the business, such as bookkeeping.
- Anonymised data may be used for the purpose of internal audit to improve our services or to improve our ways of communicating with you.
- How do we store your data, who has access to it, and how long do we keep it?
Your personal data may be stored on paper records within the practice, on electronic devices, and in computer software packages that help with practice management. Some of these trusted software providers use international cloud-based technology so that your information will always be available when required. Where possible, we have contracts with suppliers ensuring that they treat your data with the same level of care as we do, and where we can, we try to ensure that our suppliers are GDPR compliant.
These suppliers include but are not restricted to:
- Practice Management Software provider
- Exercise Therapy Software provider
- Telephone and email providers
- Website provider if website used, or online booking carried out
- Credit card processor
Within the practice your records can only be accessed by practitioners involved with your care and, if necessary, administration staff for clerical purposes. All practice personnel with access to your records have signed an agreement upholding the strictest confidentiality standards.
Your data will be stored for the shortest time permitted by legal requirements, i.e. 8 years after the date of your last appointment, or until a minor has reached the age of 25, provided 8 years have elapsed since their last appointment, unless information needs to be retained by us to meet our future obligations to you, such as basic details of the erasure itself.
- Your rights in relation to your data
You have the following rights in relation to the data we hold about you:
- Right of Access – at any time you can request a copy of the information we hold about you.
- Right of Rectification – you have a right to have data corrected if there is an error in any data we hold about you.
- Right to be Forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to Restriction of Processing – in certain conditions you have a right to restrict the processing of your data.
- Right of Portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to Object – you have the right to object to certain types of processing, e.g. direct marketing.
- Right to Object to Automated Processing – you have the right to object to automated processing, such as automated profiling.
If there are any problems with us fulfilling your request, we will let you know.
- General data protection policies
We have systems in place to ensure that we protect your data as far as is reasonably practicable. These include:
- Ensuring that all software is up to date with the latest versions and patches.
- Up-to-date virus and malware protection on all devices.
- All personal or medical data held in electronic devices is protected by passwords, including any data sent by email.
- Practice management software which includes medical data is protected by two-factor authentication.
- Paper records are kept in a locked cabinet with the key removed from the premises overnight.
- In the rare event that your paper records are removed from the practice, they will be transported in a locked case.
- Usage of our website
- Further information
The following information can be provided on request:
- Detailed information on the types of information we hold, what purposes we use it for, where it is stored, who it may be shared with and the legal basis on which it is held
- The name of the data controller
- Who to complain to within the business, and how
- If you feel that your data has not been processed fairly or appropriately and your complaint has not been dealt with to your satisfaction by Pocklington Osteopaths, you have the right to complain to the ICO; more information can be found at www.ico.org.uk.