Updated July 2020
This document sets out policy for Oxford Osteopaths Limited
Oxford Osteopaths (also referred to as “we”, “us” or “our”) is the trading name of Oxford Osteopaths Limited (company no: 12491967). Our registered address is 235 Cowley Road, Oxford. OX4 1XG
THE PURPOSE OF THIS POLICY
This Policy is designed to help you understand what kind of information we collect in connection with our services and how we will process and use this information. In the course of providing you with services we will collect and process information that is commonly known as personal data.
This Policy describes how we collect, use, share, retain and safeguard personal data.
This Policy sets out your individual rights; we explain these later in the Policy but in summary these rights include your right to know what data is held about you, how this data is processed and how you can place restrictions on the use of your data.
WHAT IS PERSONAL DATA?
Personal data is information relating to an identified or identifiable natural person. Examples include an individual’s name, age, address, date of birth, gender and contact details.
Personal data may contain information which is known as special categories of personal data. This may be information relating to and not limited to, an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, or data relating to sexual orientation.
PERSONAL DATA WE COLLECT
In order for us to provide and administer the best healthcare services for you, we will collect and process personal data about you. We will collect, hold and process personal data such as an individual’s name, address, date of birth, gender, contact details and address along with data relating to your personal health, wellbeing, ethnicity, medication or other statutory required data.
We may also need to collect personal data relating to others, such as your insurers or general practitioner in order to satisfy legal or regulatory requirements. In most circumstances, you will provide us with this information. Where you disclose the personal data of others, you must ensure you are entitled to do so.
We will not share your personal data with third parties for marketing purposes.
We may share personal data with others such as your insurers or solicitors but always with your consent, or legally, when we are required to do so by law.
Where we collect data directly from you, we are considered to be the controller of that data i.e. we are the data controller.
Where we use third parties to process your data, these parties are known as processors of your personal data.
We use a third party called Rehab My Patient to transmit personalised exercises for some of our clients. Client names, date of birth and email are stored by this third party which links with our patient record system Cliniko. No other details are processed.
We use a company named Cliniko, who provide a web based highly secure electronic patient record system. We also use Cliniko to send secure service emails to our clients.
These companies are GDPR complaint and adhere to the strictest rules regarding confidentially and patient data.
A data ‘controller’ means the individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A data ‘processor’ means the individual or organisation which processes personal data on behalf of the controller.
If you object to the collection, processing and use of your personal data we may be unable to provide you with all our healthcare services.
For the purposes of meeting the Data Protection Act 2018 territorial scope requirements, the United Kingdom is identified as the named territory where the processing of personal data takes place, ie, your data is not stored outside of the UK.
WHY DO WE NEED YOUR PERSONAL DATA?
We are legally obliged to collect, process and hold personal data when assessing, examining or administrating healthcare under UK Statutory health care regulations. We require this data in order to be professionally informed about you and your health, to ensure we can provide you with the best healthcare service we can.
The retaining of data is necessary where required for contractual, legal or regulatory purposes. Sometimes we may need to retain your data for longer, for example if we are representing you or
defending ourselves in a legal dispute or as required by law or where evidence exists that a future
claim may occur.
Client records shall be kept for at least 8 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept or at least 7 years after they reach the age of majority (18).
The Statute of Limitation in the UK (i.e. time when an individual is able to bring a claim) is 6 years for certain injury claim situations, or 6 years after the individual reaches the age of majority in the case of minors. However, these 6 years start from the date that the injury was discovered, not from the time that the alleged incident that caused it occurred. There are also instances, for example if treating a vulnerable client, where the statute may be overturned. Your records are your best line of
defence in any claim situation hence the need to keep these for at least 7 years. It will be for you to determine, in view of your own client base, whether you choose to keep the records for longer than the 7 years noted in the policy wording, and then note this in your Privacy Notice for your clients.
There are provisions under the GDPR with regards to keeping records to defend yourself in a claim situation (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation- gdpr/individual-rights/right-to-erasure/ - When can I refuse to comply with the right of erasure), which clearly give you the right to hold your client records to comply with your insurance Terms and Conditions, should your client make a request for them to be deleted under their Right of Erasure.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
This will only apply if you have provided us with consent and asked us to pass on your personal data to a third party abroad.
Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
These rights are known as Individual Rights under the Data Protection Act 2018. The following list details these rights:
- The right to be informed about the personal data being processed;
- The right of access to your personal data;
- The right to object to the processing of your personal data
- The right to restrict the processing of your personal data;
- The right to rectification of your personal data;
- The right to erasure of your personal data;
- The right to data portability (to receive an electronic copy of your personal data);
- Rights relating to automated decision making including profiling.
Individuals can exercise their Individual Rights at any time. As mandated by law we will not charge a fee to process these requests. However if your request is considered to be repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee.
In exercising your Individual Rights, you should understand that in some situations we may be unable to fully meet your request, for example if you make a request for us to delete all your personal data, we may be required to retain some or all data for regulatory and other statutory purposes.
You should understand that when exercising your rights, a substantial public or vital interest may take precedence over any request you make. In addition, where these interests apply, we are required by law to grant access to this data for law enforcement, legal and/or health related matters.
PROTECTING YOUR DATA
We will take all appropriate technical and organisational steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data with any authorised third parties.
DATA PROTECTION OFFICER
To ensure data privacy and protection has appropriate focus within our clinic, we have a Data Protection Officer. Our DPO is Michael Harding, a director of the company, and you can contact him by email at email@example.com
If you are dissatisfied with any aspect of the way in which we process your personal data please contact our Data Protection Officer. You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website which is https://ico.org.uk/concerns/, by live chat or by calling their helpline on 0303 123 1113.
HOW TO CONTACT US
If you have any questions regarding this Policy, the use of your data and your Individual Rights please contact our Data Protection Officer at Oxford Osteopaths, 235 Cowley Road, Oxford OX41XG
Or by email at firstname.lastname@example.org
Tel: 01865 790235