GDPR (UK) Compliant Privacy Policy
1. Introduction
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. This privacy notice explains what data we collect, the purposes for which it is used, and how we keep your information private when you attend the clinic for physiotherapy.
Data Controller:
Remedi Physiotherapy & Acupuncture Clinic
Contact for Data Protection:
David Gibbons, Practice Principal
Remedi Physiotherapy
828 Liverpool Road, Ainsdale, Southport, PR8 3SL
2. What Information We Collect and Why
2.1 Contact Information
We collect personal information when you:
- Register online with our booking system.
- Telephone, text, or email to book an appointment.
- Use our website contact form or a third-party website contact form.
The information collected includes:
- Full Name
- Home address & Postcode
- Contact telephone numbers
- Email address
- Date of birth
- Gender
- Insurance Membership Number and Authorisation Code (where applicable)
This information enables us to respond to your enquiries and schedule appointments.
2.2 Clinical Information
During your consultation and subsequent follow-up appointments, we collect information to safely and thoroughly evaluate and treat your health condition, including:
- Symptoms
- Relevant past and present medical information
- Details of occupation and recreational pursuits (if relevant)
This information is essential for delivering appropriate care and ensuring patient safety.
2.3 Payment/Funding Information
We collect details of your preferred method of payment and may store information relating to:
- Contactless or chip-and-PIN card payments.
- Online banking (bank transfer) payments.
We also keep financial records, including:
- Your name and address
- Accounts payable
- Dated invoices or receipts of payment
- Payee details
- Insurance membership numbers and/or claim numbers
This information is necessary for processing payments and maintaining accurate financial records.
3. Our Lawful Bases for Processing Personal Data
Under GDPR, we process your information on the following lawful bases:
- Legitimate Interests: For the operation of our private physiotherapy business, ensuring we can provide and manage our services effectively.
- Legal Obligation: As registered Health Professionals, we are required by law to keep records of your physical health condition and medical history.
- Contractual Obligation: When physiotherapy is funded by a third-party insurance company, we process data as dictated by our contract with the insurer.
- Consent: We seek your explicit consent to be put on our e-mailing list for updates on services, special offers, or events. You can withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us directly.
- Special Category Data (Article 9(2)(h) GDPR): Health records are special category data. We process them under the condition that processing is necessary for the provision of healthcare or treatment.
4. Who Do We Share Your Information With?
- Admin Team: Our administrative staff have access to the contact and appointment information needed for scheduling, but not to your physiotherapy records.
- Other Health Professionals: With your explicit consent, information may be shared with your GP or other health professionals involved in your care to ensure comprehensive treatment.
- Insurance Companies: If your treatment is funded by an insurer, details of your assessment, attendance, and treatment may be shared as a condition of funding. You will be asked to sign a consent form for this.
- Legal Obligations: Information may be shared without your permission where there is a safeguarding concern, a threat to life, or a legal requirement to disclose, for example a lawful request from law enforcement or a regulatory authority.
- Debt Collection: In the event of unpaid treatment, your contact details and unpaid fees may be passed to a debt collection agency. No clinical details would be shared.
- Regulatory Bodies: Information may be disclosed to regulatory bodies (such as the Health & Care Professions Council or Chartered Society of Physiotherapy) in the event of an investigation regarding professional conduct.
- Business Transfers: If Remedi Physiotherapy's business is acquired by a third party, the new owner would become the data controller for patient data and would be required to continue protecting it in line with GDPR.
5. How Long Do We Keep Your Information?
We retain physiotherapy records for a minimum of eight years after your last treatment or, for children, until they reach 25 years of age, in line with legal requirements. When records are disposed of, they are deleted from WriteUpp and from any associated storage.
6. How Is Your Data Stored and Protected?
- Contact Details and Appointment History: Stored on our WriteUpp appointment booking system, which protects data in transit with TLS (HTTPS) encryption and is hosted with geo-redundancy and DDoS protection.
- Clinical Records: Typed and stored on a password-protected computer. Notes are filed under a WriteUpp-generated patient code rather than your name (pseudonymised, since the code can be linked back to your record within WriteUpp) and stored in Dropbox cloud storage. The notes themselves are password protected, and access is restricted to authorised personnel only.
- Additional Security Measures: All software used to run the physiotherapy service runs on a password-protected computer, and the password is changed regularly. The premises have double-locked and alarmed access, and windows are double locked for additional security.
7. Data Breach
We take the protection of your information seriously and have implemented technical and organisational measures to reduce the risk of a data breach. In the event of a breach, it will be promptly investigated and, where required, reported to the Information Commissioner's Office (ICO) within 72 hours of our becoming aware of it. We will inform you of any breach that is likely to put your rights and freedoms at high risk, as required by law.
8. Your Rights
You have the right to:
- Request Access: To know what information we hold about you.
- Rectify: To have your information updated or corrected.
- Restrict or Object to Processing: To ask us to stop or restrict processing of some of your data, subject to our legal or contractual obligations.
- Withdraw Consent: At any time for purposes where consent has been explicitly sought.
To request details of the information we hold about you or to exercise any of your rights, please write to:
David Gibbons, Practice Principal
Remedi Physiotherapy
828 Liverpool Road, Ainsdale, Southport, PR8 3SL