Why we collect your data:
We collect your personal data in order to provide our health therapy services to you.
We collect the following information:
Clerical information for the purpose of making appointments and maintaining communication about appointments
Medical information relating to your appointment with our therapists
Further clinical information including reports from other health professionals.
What we do with the information we gather:
We require this information for the purpose of:
Professional clinical record keeping
Sharing information with relevant health professionals, which we only do with written permission from the client involved.
We have a legal obligation to retain your records for 8 years after your most recent appointment (or until you reach age 25, if this is longer), but after this period you can ask us to delete your records if you wish. Otherwise, we will retain your records indefinitely in order that we can provide you with the best possible care should you need to see us at some future date.
Your records are stored either:
on our office computers. These are password-protected, backed up regularly, and the office(s) are locked out of working hours.
on paper, in locked filing cabinets, and the offices are always locked out of working hours (this includes consultations before February 2022, referral letters from other medical practitioners, and imaging on CD-ROMs)
in “the cloud” using a specialist medical records service. The provider we use is called Pabau, and you can read about their GDPR position here: https://www.pabau.com/gdpr/. Our practitioners have access to this system, with their own usernames and passwords, which will be changed regularly.
Our practitioners can access Pabau via their own computers and in a limited manner via iOS devices. Those devices are all secured with passwords and biometric barriers, and access to Pabau requires username and password or a PIN.
We will never share your data with anyone without your written consent. Certain parties who help the clinic have access to your data in limited capacities and have signed confidentiality agreements. They are:
Your practitioner(s) in order that they can provide you with treatment.
Our reception staff, because they organise our practitioners’ diaries, and coordinate appointments and reminders. They typically only have access to your clerical details although in some cases they will see high-level medical information when handling referrals from other practitioners in order to make the most appropriate arrangements.
Our virtual assistant, who performs clerical tasks remotely. They typically handle referrals from other medical professionals so have access to high-level medical information as well as clerical details for the purpose of making appointments with the appropriate practitioner at Hartwood Health. They have their own GDPR policy, available on request.
Other administrative staff, such as our accountant and bookkeeper, have access to your clerical details.
If you have contacted the clinic via a website form, or commented on blogs, our webmaster and web designer would be able to see clerical details and view any comments which might contain medical information.
We also share some details (mostly clerical and the most basic medical data e.g. which body part is being treated, how much progress has been made) with your private medical insurance company where applicable. They already have your data as you have a contract with them, and any exchange is required for contractual reasons to allow your healthcare to continue to be funded by them.
From time to time, we may have to employ consultants to perform tasks which might give them access to your personal data (but not your medical notes). We will ensure that they are fully aware that they must treat that information as confidential, and we will ensure that they sign a confidentiality agreement.
Controlling your personal information
We will not distribute, sell or lease your personal information to third parties unless we have your explicit permission or are required by law to do so.
We send an episodic email out to subscribed contacts, from which anyone is free to unsubscribe. Our intention is for email content to be informative and relevant to our cohort of customers.
You may request details of personal information which we hold about you under the General Data Protection Regulation (GDPR). If you would like a copy of the information held on you, please contact Paula Wood, Data Protection Officer, at this address: 121 Albert Street, Fleet, GU51 3SR.
If you believe that any information we are holding on you is incorrect or incomplete, please email or write to us as soon as possible at the above address. We will promptly correct any information found to be incorrect.
Provided the legal minimum period has elapsed, you can ask us to erase your records. We have to keep a record of your name and date of birth so that we know you’ve asked to “be forgotten”, as this will prevent us from contacting you again.
We want you to be absolutely confident that we are treating your personal data responsibly, and that we are doing everything we can to make sure that the only people who can access that data have a genuine need to do so.
Of course, if you feel that we are mishandling your personal data in some way, you have the right to complain. Complaints need to be sent to our Data Controller. Here are the details you need:
Name: Paula Wood
If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office.
This policy is effective from March 2022, was reviewed in January 2023, April 2023 and November 2023, and is due for review again in April 2024.