Chiropractic By Hand is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to protecting the privacy and security of your personal information. This privacy notice describes, in line with GDPR, how we collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This notice applies to current and former chiropractic patients.
Data controller details
The Clinic is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows: Chiropractic By Hand, Movers and Shapers, 63 Balham High Road, London SW12 9AP.
Data Protection Officer
As we record and use sensitive data we take the protection of this data very seriously. We have therefore appointed a Data Protection Officer, Josie Ross, who is your first point of contact for any matters regarding your personal data we process. Josie can be contacted by calling the Clinic (07847 202 365) by e-mail ([email protected]) or in writing to Chiropractic By Hand, Movers and Shapers, 63 Balham High Road, London SW12 9AP.
Data protection principles
In relation to your personal data, we will comply with data protection law. This says that the personal information we hold about you must be:
Types of information we hold about you
Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed.
We hold many types of data about you, including
Special categories of data
There are “special categories” of more sensitive personal data which require a higher level of protection, such as information about a person’s health.
We will use your special category data:
We must process special categories of data in accordance with more stringent guidelines. We will process special categories of data when the following applies:
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.
How we collect your data
We collect data about you in a variety of ways and this will usually start when you make an enquiry to the clinic and continue when you attend your first and subsequent appointments. At this clinic, we keep paper and electronic records. Information we write down on paper is transferred to our electronic system. We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic.
Personal data is kept in the clinic. Paper copies of patient consent forms are filed into a locked filing cabinet within our treatment rooms which are always locked when not in use. All data that is stored electronically is password protected.
Why we process your data (How we will use information about you)
The law on data protection allows us to process your data for certain reasons only, these are classified as legitimate interests. Most commonly, we will use your personal information in the following circumstances:
We may use your personal information in these rare situations:
Situations in which we will use your personal information
We need all the categories of information to primarily allow us to perform our contract of treatment with you and to enable us to comply with legal obligations.
Should you decide to make payments by card following your treatments the payment will be processed by a company called iZettle. Full details of iZettles GDPR compliance are available on their website (https://www.izettle.com/gb/legal) or within our own GDPR Compliance handbook. Patients can choose to have a receipt sent via email or text message of the transaction.
If you provide your email address or mobile number to receive a receipt, iZettle AB, reg. no. 556806-0734, is responsible for this processing of personal data and will only use your email address or mobile number to send receipts to you. iZettle will not use your contact details for any other purpose, and will not share them with anyone else, without obtaining your consent first.
If you want us to rectify, update or remove your contact details from iZettle, please get in touch with them at [email protected]
If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of care with us. If you do not provide us with the data needed to do this, we will be unable to perform that care to ensure your best interests are being maintained. We may also be prevented from continuing with your treatment with us due to our legal obligations.
Change of purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision making
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Sharing your data
Your data will be shared with colleagues within the Clinic but only where it is necessary for them to undertake their duties. This includes, for example, other chiropractors working for, at or on behalf of the Clinic and the other therapists based at the Chiropractic By Hand.
We only share your personal data with your explicit consent.
The General Practitioner is the legal custodian of the patients’ health records. It is the normal practice of the clinic that correspondence will be sent to your GP should it be required to complete their records. This is considered best practice for the patient’s wellbeing, although you are entitled to withhold consent if you do not want us to communicate with your doctor. You are also entitled to see your notes and copies of any correspondence.
Chiropractic By Hand uses practice management software and patient data is held upon it. We also use an email enquiry platform for our online enquires and we send out an e-newsletter using a company called Mailchimp. We have ensured all of these third parties are compliant with the data protection law and that any personal data is not stored outside of the EU. For added security the only data we use for our e-newsletters is your email address, with consent. We may also share your data with third parties as part of a Clinic sale or restructure, or for other reasons to comply with a legal obligation upon us. We would always keep you informed of these situations.
Transferring information outside the EU
We may share your data with bodies outside of the European Economic Area should the need arise. It is likely that this situation would be to share information regarding your treatment or ongoing care with healthcare practitioners in these countries in accordance with your wishes. However, we would not transfer your data unless we were assured that the country in question had data security and protection laws of equivalence to those of the UK and the European Economic Area.
Data Security – Protecting your data
We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. In addition, we limit access to your personal information to those agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of all of these measures are available in our Clinic GDPR Compliance Handbook – a copy of which is located in the main treatment room at all times.
Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of you being a patient with us and we are legally required, by the Chiropractic regulator, to keep this data for eight years after your time as a patient has ended. To determine the any appropriate retention period for personal data beyond eight years we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.
Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner than maintains data security.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you.
If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Josie Ross by email ([email protected]).
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for a second or subsequent copy of information or if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so.
To withdraw consent, contact Josie Ross by email ([email protected]).
Making a complaint
If you have any questions about this Privacy Notice or how we handle your information, please contact the Clinic’s Data Protection Officer – Josie Ross. She can be contacted on email: [email protected]
You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO).