Privacy policy.

GDPR: Data Protection Policy for Physiotherapy-To-Your-Home (PTYH) 

Chartered and State Registered Physiotherapists
Martina Kaucka Registered LLP at 9 Stratfield Park, Elettra Avenue, Waterlooville, Hampshire, PO7 7XN
Correspondence office address: 13 Church Road, Woolston, Southampton, SO19 9FR
Email: info@physiotherapy-to-your-home.co.uk
Tel: 07810876399
ICO registration reference: ZA324298
Data Protection Officer (DPO): Martina Kaucka

Privacy policy: 

Your privacy:
At Physiotherapy-to-your-home we are committed to high privacy standards. We will only collect data that is necessary for us to deliver the best possible service, and any other data that is needed and relevant for your ongoing care. This policy provides detailed information on when and why we collect your personal information, how we use it and in what circumstances we may disclose it to others.

Collection of your personal information:
We hold the general personal information that we collect at the time of your initial consultation. This includes your name, D.O.B., address, telephone number and email, next of kin contact details and your GP contact details. In addition, we collect relevant information about your current medical status, past medical history, drug history and social history, together with the details of a detailed and comprehensive physiotherapy assessment. We also hold information about each treatment session that you receive from us. We may also store associated information received from other health care professionals as part of your ongoing care. Where appropriate, we also hold your payment details.

Photographs and videos:
On some occasions it may be helpful to take photographs or videos of you or of your body parts, in order to monitor your progress, to demonstrate a particular exercise to you for home practice, or when liaising with other healthcare professionals. We might also use your photographs for publicity purposes in leaflets and on our website. This will be explained to you together with the main purpose, and informed written consent will be sought; that consent will be filed together with your notes.

How we use this information:
The information we collect about you is used to ensure we provide you with the best and most appropriate service and care. We only use the information to form our treatment plans and to give the most appropriate advice to you, our client. Where appropriate, based on our professional opinion and where it is in your best interest, we will share the information with other healthcare disciplines to facilitate better communication between the professionals involved in your treatment. We will only do this after prior discussion with you and with your consent. In addition to your ongoing care, we might use your contact details to contact you about changes to appointments or to your treatment plan. We use your contact information to respond to queries from you and from any other health care professionals that might be involved in your care. We only share this information with your prior consent.

Our policy on storage, processing and retention of your information:
To provide and manage our services, your data is stored and processed on a personal laptop that is securely locked away at the office address. The data on the laptop is also stored on iCloud and on an external drive that is kept in our office. Access is secured by a PIN that is changed regularly and is only known to the clinical and managing director of PTYH. Some of your information is stored on a company iPhone, which is also secured with a PIN that is changed regularly and only known to the clinical and managing directors of PTYH.

Any third-party company is only permitted to process your data for specified purposes, in accordance with our instructions and with your prior consent.

In addition, we retain your data on paper records, which are locked securely in our clinical filing system at 13 Church Road, Southampton. This system is securely monitored to prevent unauthorised access.

We ensure that the personal data we hold remains accurate and up to date. We also ensure that client information is kept up to date after each treatment, and we will update client information as we are informed of any changes. Once a year we will also carry out a wholesale review of all data.

We retain your information for as long as is necessary to comply with legal requirements and to satisfy tax purposes.
We keep all data for claims-occurring insurance purposes, for which we are required to keep your records for 7 years after the last treatment. By law, children's records must be kept until the child is 25, or, if the child was 17 when treated, until the age of 26. For registration with the HCPC, CSP and STAT we are required to keep information for 8 years.

How and when we may share your personal information:
Where necessary we may disclose your information to health care professionals including the NHS and private care agencies. We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers and if our business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets. 

Your rights with respect to the personal information we hold:
You are entitled to access the personal information that we hold on you; any such request should be made using our contact details below. If any data we hold is inaccurate, this will be corrected promptly on request. In certain circumstances you can request that we erase your data which we will do where this would not prevent us meeting our legal and regulatory obligations. 

Privacy Policy Updates:
We reserve the right to make changes and updates to this privacy policy without giving you notice, as and when we need to. Our most up-to-date privacy policy is always available on our website.

The lawful bases to process personal data and special categories of data:
We process personal data under legitimate interest: we are required to retain information about our clients in order to provide them with the best possible treatment and advice. We also process special category data; the additional condition under which we hold and use this information is that we must fulfil our role as health care professionals bound by the HCPC, CSP and STAT codes of practice and ethics.

Information about risks management:
The potential risks associated with our data are, firstly, theft of electronic devices (laptop and iPhone). Both have password locks, which are changed regularly and are only known to the clinical director and managing director. There is a risk of theft of these devices from home or from a car while on a home visit. The car is fitted with a burglar alarm and the home is secured with a lock. Secondly, there is the risk of a break-in at the office. All paper files are stored in a locked filing cabinet in a locked house. The key to the filing cabinet is only available to the clinical and managing director.

Privacy notice:
Individuals need to know that their data is collected, why and how it is processed and who it is shared with. This information is included in our privacy notice on our website "Physiotherapy-to-your-home" and within any forms and letters sent to individuals, including at our first consultation with a client. We have ensured that our privacy notice includes all of the information listed in the ICO privacy notice checklist.

How do we respond to client’s requests to access their personal data:
All individuals will need to submit a written request to access their personal data, either by email or by letter. We will provide this information within one calendar month of receipt. We can extend this period by a further two months for complex or numerous requests, in which case the individual will be informed and given an explanation. We will identify the client by photographic ID. We will keep a record of any requests to access personal data.

How do we dispose of various categories of data in a secure way:
Once a year we will review all our clients' data and place dormant clients in a separate file. As part of the same yearly review we will identify data that is no longer required to be kept under GDPR and dispose of it securely.

How do we respond to a client’s request to restrict the processing of their personal data:
We only hold data in order to provide treatments and to liaise with other healthcare professionals to make referrals in the best interest of our clients. We cannot envisage a situation in which we would receive a request to restrict the processing of an individual's personal data. However, if we do, we will respond to that request within one calendar month, explaining clearly what we currently do with their data and that, although we are legally obliged to hold their data, we will ensure that it is not processed.

Processes to allow clients to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability:
Should you wish your data to be copied or transferred, we will work with you, our client, to ensure that this is done in the way that is most appropriate for you; for example, this could be an electronic summary of treatments received and progress reports made, or copies of individual treatment records. We will do our best to get this done as soon as possible, and certainly within 1 month of a request.

Procedures to handle an individual's objection to the processing of their personal data:
We will inform our clients of their right to object “at the point of first communication” and have clearly laid this out in our privacy notice. 

Data Protection Policy:
This document forms our data protection policy and shows how we comply with GDPR requirements. It is a live document and will be amended as and when any changes to our data processing take place; at the very least it will be reviewed annually.

Data Breach Policy:
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. We understand that we only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those concerned directly and without undue delay. In all cases we will maintain records of personal data breaches, whether or not they were notifiable to the ICO. 

Data Protection Policy created: May 2018 

Date of Next Review: May 2021 

For more information on Data Protection in general, or if you wish to make a complaint relating to how your personal data has been used, please contact the Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone helpline: 0303 123 1113
Email: casework@ico.org.uk