Grantham Physiotherapy Practice


General Data Protection Regulation (GDPR)

Privacy Policy for Grantham Physiotherapy Practice

Introduction

As of the 25th May 2018, all UK businesses that store consumer data will legally be required to adhere to the General Data Protection Regulation (GDPR). Grantham Physiotherapy Practice is committed to complying with these regulations. To achieve compliance, a series of steps has been undertaken, which are set out in this document. It is understood that continuous audit will be required to ensure that compliance is maintained.

The information we hold

We hold paper records of 

  • Patients' physiotherapy notes. The notes include a record of your name, address, date of birth, person to be contacted in an emergency, GP, telephone numbers and email address. These are held for 7 years after the date of the last consultation. They are then destroyed by a secure shredding company. Physiotherapy notes are stored in locked filing cabinets.
  • Any letters or reports we have sent to your GP, consultant, insurance company or anyone else you have requested we contact.
  • Any letters or reports you have given to us.
  • Patients' insurance company details. This includes the patient's name, contact details, insurance company details and a record of the financial transaction in connection with this.
  • A record of money you have paid to us or is owed to us.

We hold on our computer

  • Your name, address, telephone numbers and email address, date of birth, the name of your insurance company (if you have one), a brief note about the area of the body we are looking at, and a record of when you attended.
  • Any letters or reports we have sent to your GP, consultant, insurance company or anyone else you have requested we contact.
  • Emails you have sent to us and we have sent to you. This includes emails that have arrived via our website.
  • A record of money you have paid to us or is owed to us.

How we use the information we hold

On paper

  • Patients' physiotherapy notes allow us to record our findings, work and plans. The contents are shared with the physiotherapists involved with your care. You have always been welcome to ask to see what we have written about you, and this will of course continue after GDPR comes into effect.
  • Any letters or reports we have sent to your GP, consultant, insurance company or anyone else you have requested we contact, are stored with your physiotherapy notes and used to help us in planning your care.
  • Any letters or reports you have given to us are stored with your physiotherapy notes and used to help us in planning your care.
  • Any patient's insurance company details, including the patient's name, contact details, and a record of the financial transaction, are kept for reference in case there is a question at a later date about a financial payment.
  • A record of money you have paid to us and the dates when you attended are kept for reference in case there is a question at a later date about a payment.

On Computer

  • Your name, address, telephone numbers and email address, date of birth, name of your insurance company are stored on the computer so that we do not ask you the same questions every time you contact us to make an appointment. 
  • We use your email address to send you a reminder of your appointment. We ask you verbally if we can do this the first time you contact us for an appointment. On your first visit you are asked to complete a consent form concerning how you wish us to communicate with you.
  • Any patient's insurance company details, including the patient's name, contact details, and a record of the financial transaction, are kept for reference in case there is a question at a later date about a financial payment.
  • A record of money you have paid to us and the dates when you attended are kept for reference in case there is a question at a later date about a payment.

Your right to be forgotten

You have the right to have your personal data deleted or amended on request, and to withdraw treatment consent at any time. However, we are required to retain medical notes pertaining to treatment episodes. 

You have the right to request access to personal data which we may process about you.

How to request access to personal data

  • Put your request in writing, specifying the personal data you want to access. Send the request to Grantham Physiotherapy Practice, 10 St Catherine’s Road, Grantham, NG31 6TS or email contact@granthamphysio.co.uk. If someone else is making this request on your behalf, you must send us a signed and dated statement that you give your permission for this person to receive your data.
  • We will then contact you and arrange a time for you to come to the practice to view your information or, if you would like copies, to use our photocopier to make them, or to request screenshots of any or all information. Please bring with you proof of your identity and address, such as your driving licence or passport, and two recent utility or credit card bills.
  • If you are unable to attend the practice to view your information, we are able to send you copies of the requested information. We can only do this after you have sent us proof of your identity and address (e.g. a copy of your driving licence or passport, and two recent utility or credit card bills).

You have the right to require us to correct any inaccuracies in your data. If you wish to do this, you should:

  • put your request in writing. Send the request to Grantham Physiotherapy Practice, 10 St Catherine’s Road, Grantham, NG31 6TS or email contact@granthamphysio.co.uk.
  • provide us with enough information to identify you. 
  • specify the information that is incorrect and what it should be replaced with.

You also have the right to ask us to stop processing your personal data for direct marketing purposes. If you wish to exercise this right, you should:

  • put your request in writing
  • provide us with enough information to identify you
  • if your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g. email or telephone), please specify the channel to which you are objecting.

Our approach to children’s data 

GDPR requires a child’s parents to give consent to use their data; therefore it is essential that we document any processes related to the collection of children’s data.

The collection of children’s data does not vary from the collection of adult data, except that the parent’s or guardian’s email address will be used and the contact details for the child’s parent or guardian will be collected and used. The storage of notes for children will be 30 years. Consent to collect data is requested from the parent at the time of first attendance.

What we would do if there was a data breach

If there was a data breach, the source of the breach would be investigated. The measures put in place to rectify the data breach and prevent future breaches would be documented and audited. Patients affected by the data breach would be informed.

Conclusion

We understand that, as the full implications of GDPR become clearer over time, this document will need to be revised and amended.

Any changes we may make to our privacy policy in the future will be posted on this page. 

Beverley Myers

Director

17 May 2018

 

 

     

If you are reading this page send us an email to contact@granthamphysio.co.uk and say what is in the picture and you will win a small prize.