*Last review date: September 2020. Next review date: January 2021.*
Interactive Physio is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the GDPR (General Data Protection Regulation). Data protection shall be monitored and implemented in order to remain compliant with all requirements.
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register. Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.
What data do we hold?
Clients - We hold both personal data and healthcare data, which include: client names; date of birth; address; medical history (past and current); invoice records; drug history; social history; names and contact details of other professionals and care teams involved; physiotherapy assessment, treatment management plan and goals.
Healthcare data and children’s data are recognised as ‘sensitive’ and we take extra care to keep these safe.
Contractors - We hold bank details and contact details of contractors who carry out work for us.
How do we collect this data?
We collect this information only verbally from clients, carers and parents; from other professionals’ reports and letters; and from consent forms. Contractors provide their own data directly.
We do not collect any data from our website.
Photographs and video images of clients will only be captured or shared with prior consent from the client.
Who has access to this data?
Currently, the only person with access to this data is Rebecca Scott (the data controller).
Rebecca Scott is responsible for data protection within this business. However, any third party contracted to provide services within the business (contractors) must treat all client information in a confidential manner and follow the guidelines set out in this document. Interactive Physio is committed to ensuring that its contractors are aware of data protection policies.
The requirements of this policy are mandatory for all contractors.
No information or data will be transferred outside of EU borders.
Why do we collect and store this data?
It is a legal requirement for all health documents to be stored.
Further legal bases for processing data are as follows – (a) Consent: the client has given clear consent for Get Ahead Physiotherapy Ltd to process their personal data for a specific purpose. (b) Legitimate Interests: the processing is necessary for the legitimate interests of the client. (c) Contract: the processing is necessary to carry out our duties as hired Physiotherapists.
Subjective data is required to have an accurate history of a client’s presentation for safe treatment and management.
The physiotherapy objective assessment, management plan and goals are required for ongoing optimal rehabilitation. If another physiotherapist is also providing therapy to a client or becomes involved at a later date, they need access to the data to provide safe and effective treatments.
At a later date, records may be requested by a client for legal purposes. We will keep adult clients’ records for 8 years following the last treatment. We will keep the records of child clients (under 18) until their 25th birthday. Other types of records may need to be stored indefinitely.
We use email and address data to contact clients regarding their treatment.
We do not use personal data for marketing purposes. We will not transfer your information outside the EEA (European Economic Area) without first obtaining your consent.
How do we store Personal Data?
Paper data is stored in a secure building in a filing box that is locked.
Electronic data is stored in cloud storage which has been assessed to have high-level security protection, requiring a password for access, which is granted by invitation only. We adhere to strong password criteria to maintain effective data security.
If client information is required during community visits, the physiotherapist keeps the relevant paperwork with them at all times. It is never left in a vehicle.
How do we process and share data?
Interactive Physio will: ensure that data is fairly and lawfully processed; process data only for limited purposes; ensure that all data processed is adequate, relevant and not excessive; ensure that data processed is accurate; not keep data longer than is necessary; process the data in accordance with the data subject's rights; ensure that data is stored and shared securely (with sensible use of passwords, encryption, secure cloud storage etc.); ensure that data shared by email is contained in password-protected attachments; ensure that data is not transferred to other countries without adequate protection. We shall be transparent about the intended processing of data and communicate these intentions to clients prior to the processing of individuals’ data.
The intention to share data relating to individuals to an organisation outside of our business shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.
Who do we share personal data with?
If of benefit to a client’s rehabilitation and wellbeing, data may be shared with relevant health, social and educational professionals. This will always be with prior discussion and consent from the client, parent or carer unless there is a safeguarding issue where the physiotherapist is concerned that the safety of themselves or others is at risk by doing so.
Any proposed change to the processing of individuals’ data shall first be notified to them. To assure the protection of all data being processed we shall review and assess our data processing activities regularly.
Data Access Requests
All individuals whose data is held by us have a legal right to request access to this data or information. They can request that it be deleted and can withdraw consent for us to process their data (unless we are legally required to keep it). We shall respond to such requests within one month; they should be made by email to firstname.lastname@example.org. No charge will be applied to process the request electronically (though fees may apply if printing of documents is required).
Personal data about clients will not be disclosed to third parties without the consent of the client, unless disclosure is required by law.
Where any personal data is no longer required for its original purpose, an individual can demand that the processing is stopped and all their personal data is erased by the business including any data held by contracted processors.
How do we dispose of Personal Data?
Interactive Physio recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk. All data held in any form of media (paper, electronic) shall be disposed of securely. Paper documents will be shredded and electronic data will be erased.