CHIROPRACTIC & COMPLEMENTARY MEDICINE
T/A "FORRES CHIROPRACTIC CLINIC"
PRIVACY NOTICES
KEY DETAILS
Policy prepared by: David Morgan
Policy became operational on: 1st May 2018
Next Review 1st May 2021
IDENTITY & CONTACT DETAILS OF THE DATA CONTROLLER
Forres Chiropractic Clinic
65 High Street
Forres
Moray
IV36 1PB
T: (01309) 696381
E: forreschiro_gdpr@yahoo.com
DATA PROTECTION OFFICER (DPO)
Forres Chiropractic Clinic is not legally required to appoint a DPO as it is only processing data on a small scale. The responsibilities are therefore carried out by the data controller David Morgan, under the contact details given above.
PURPOSES OF PROCESSING & LEGAL BASIS
The Personal Data I Process and What I Do With It
I record and use the following categories of personal data: name, address, telephone numbers, email address, date of birth, health information including medical history, diagnosis and treatment data. The lawful basis of processing this data is one of contract and, for the health information, the provision of health-related services as a chiropractic clinic. In addition, I will only examine or treat you with your explicit consent.
When you supply your personal details to the clinic they are stored and processed for 3 reasons (the bits in bold are the relevant terms used in the Data protection Act 2018, which includes the General Data Protection Regulation i.e. the law):
1. When you attend the initial consultation and subsequent appointments, I need to collect personal information about your health in order to provide you with the best possible treatment. You requesting a consultation & treatment requires your consent and my agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that I would not be able to provide treatment.
2. I have a "Legitimate Interest" in collecting that information, because without it I couldn't do my job effectively and safely.
3. I also think that it is important that I can contact you in order to confirm your appointments or to update you on matters related to your medical care. This again constitutes "Legitimate Interest", but this time it is your legitimate interest.
RETENTION PERIOD
Whilst you are receiving treatment from the clinic I will continue to store and use your personal data.
Once you have been discharged, I have a legal obligation to retain your records for 8 years after your most recent appointment or age 26, if this is longer.
Your records are stored:
1. On paper, in locked filing cabinets, and the clinic is always locked and secured in and out of working hours.
2. Your GP letter(s) if required are created and stored on the clinic computer. The PC is password protected, backed up regularly, and the office is locked and secured out of working hours.
3. If you have requested and booked a follow-up appointment(s) at the clinic your mobile phone number may be stored on the clinic mobile phone (encrypted and password protected) so that I may send you a text reminder regarding an upcoming appointment to avoid a missed session. Similarly, you will then have the clinic mobile phone number which you might use to make a booking request or cancellation via a text.
I will never share your data with anyone who does not need access without your written consent such as your GP.
RESPONSIBILITIES
The partners of Chiropractic & Complementary Medicine, David Morgan & Jayne Paulson are ultimately responsible for ensuring that Forres Chiropractic Clinic meets its legal obligations. The clinical case notes, paper diaries, GP correspondence, clinic mobile phone and e-mail can only be accessed by the aforementioned partners of the business.
YOUR RIGHTS
As I process your personal data, you have certain rights. These are a right of access, a right of rectification, a right of erasure and a right to restrict processing.
You may request a copy of your data at any time. Please make such a request in writing or by email to the Data Controller (acting as DPO) whose details are shown above.
Please provide the following information: your name, address, telephone number, email address and details of the information you require.
I will need to verify your identity so I will ask for a copy of your passport, driving license and/or recent utility bill.
Individuals will not be charged to view their data, however reasonable charges such as photocopying and postal (recorded delivery) costs may be levied to make and securely send paper copies. This will not exceed £50. I will aim to provide the requested data within 14 days but if there is an absence due to holidays or illness this will take no longer than 30 days.
An option to pick up the data copies in person at the clinic may also be practicable if the relevant identification can be checked and verified in person before the data copies are released.
If you believe any of the personal data I hold on you is inaccurate or incomplete, please contact the clinic directly and any necessary corrections to your data will be made promptly.
If you believe I should erase your data, please contact the Data Controller, whose details are shown above.
If you wish me to stop storing or using your data, please contact the Data Controller, whose details are shown above.
DATA BREACHES
Should your personal data that I control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, I will contact you without delay. I will explain to you the nature of the breach and the steps I am taking to deal with it.
SHOULD YOU WISH TO COMPLAIN
You can contact the Information Commissioner's Office (ICO) via their website: www.ico.org.uk should you wish to make a complaint about the way I am processing your personal data.
Automated Decision Making and Profiling
I do not use any systems which uses automated decision making or profiling in respect of your personal data.