ABLE2 Physiotherapy and Pilates is the data controller of any information that we collect from you. If another party has access to your data, we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information. If you have any questions that are not adequately answered by this policy, please ask us anything you would like clarified and our Data Protection representative; Vickie Cork will help you. If you are not satisfied with the answers from the Data Protection representative, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.
1. What personal information do we collect and when do we collect it?
For us to give you the services and treatment you have asked for, we need to collect the following information:
- Your name and contact details including a postal address, telephone number(s) and electronic contact such as email address. We may also communicate via text, Whatsapp, Twitter or Facebook in which case we will need to know your Whatsapp profile, Facebook username or Twitter username.
- Your personal identifying information, such as Date of Birth, Insurance or Medical Authorisation Code.
- A description of your health concern, or reason you seek our services and advice.
- Your past and present Medical History, disabilities, social arrangements and activities so that we can complete a complete Health Assessment.
- Your next of Kin in case of emergency.
- Your payment card details (At time of payment only. We do not store any payment information.)
- Details about how you access our website such as the IP address, the browser you use, and which pages you access.
We collect this information directly from you. We may also collect information about you from third parties; for example, if we need to gather further information from another Health Professional (such as your Doctor or Occupational Therapist), or your family, to complete or add more context to our assessment and provide you with the best level of care.
2. Why do we need to collect your personal data?
We need to collect information about you so that we can:
- Know who you are so we can contact you personally and communicate with you. This could be to inform you about things including but not limited to: booking and rescheduling appointments or classes, discussing how the services we offer could help you, updates to your treatments or any results received, any goods or services we would recommend to you or that you have received, new educational insights regarding physical therapy healthcare that may benefit you.
- Verify your identity to ensure we are treating the correct person, and to understand the nature of the problem which you have come to receive help or sought our advice.
- Verify your insurance cover or other policy /medical identification record is accurate and relevant, so that we know if you are covered for the treatment which will be provided, and learn how much treatment can be provided.
- Learn about, understand, analyse and diagnose the problem with which you are visiting us, then provide effective, safe treatment and help optimise your wellbeing on an ongoing basis.
- Communicate with other Health Professionals (such as your G.P., Consultant, or those in Hospital/Community Health or Social services),Fitness Professionals (such as Nutritionists or Personal Trainers), or your family/friends who can to help us understand your difficulties more. Communicating with them could also help to provide you with more support or services so you can become even healthier and safer.
- Communicate with medicolegal agencies to aid in, and proof of treatment and outcomes, in any legal proceedings.
- To receive payment, or raise invoices against the appropriate entity, for the services and goods provided.
- Learn about your experience with us and get feedback to enable us to know that we are maintaining our legal obligation of high standards of care, to continually improve our service to you, and help others to find and use our services when they think it will be helpful to them.
- Provide you with a useful and relevant website.
- Help you become aware of any new services, offers or changes to the company may benefit you now and in the future.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
- We communicate with you so that we can inform you about your appointments and upcoming treatment/services.
- We deliver the correct services and/or products for your specific needs
- We may write reports or liaise verbally with your GP/Insurance company/family or carers on your behalf, with your benefit in mind and consent to do so.
- We may refer you onto any third parties in the Health and Fitness professional sphere, which you will have consented to.
- We create your invoice using our accounting package.
- We process your payment.
- We store your information for the next time you need our service, or if any other agency, such as the HCPC or medicolegal agencies require access to prove competency and outcomes of services provided.
- We comply with the legal obligations set out in our Professional code of Conduct.
- We optimise our website so that users can find the information they need
- We may use your photo or video footage in our advertising and marketing, with your consent.
- We may use part of your episode of care as a reflection or evidence of treatment outcomes and our service level, to maintain compliance with Standards demanded by the HCPC.
4. What is the legal basis for us to collect and use your data?
The fundamental reason we provide the Physical Therapy services we do at ABLE2 Physiotherapy and Pilates Ltd, is to assess, diagnose and treat Healthcare problems or optimise health and wellbeing.
- As HCPC registered Health Professionals providing these services, ABLE2 Physiotherapy and Pilates Ltd collect and use both personal identifying data, and sensitive data like that of your health, your age and gender. Once you have received services from us, the legal basis for this under the GDPR is 6 (1) c – Legal Obligation and 9 (2) h – contract w / Health Professional, and under the UK Data Protection Bill it is Sch 1.1. – Health Care.
- If you provide us with some information as part of making an enquiry, the legal basis is 6 (1) b – Contract and 9 (2) h – contract w / Health Professional, Sch 1.1. – Health Care. After 6 months of the enquiry, should you not become a client, the basis will become 6 (1) (f) – Legitimate Interest.
- Next of Kin information is required and stored in case of emergency, the legal basis of which is 6 (1) d – Vital Interest.
- We will always ask your consent before taking a photo or video of you as part of your assessment, treatment, or visit to the clinic. Storage and the use of these images or videos have different legal basis dependent on their usage.
- For ongoing assessment, diagnosis, and treatment of your problem, or to optimise and maintain your health and wellbeing, the legal basis is 6 (1) c – Legal Obligation and 9 (2) h – Contract w / Health Professional, Sch 1.1. – Health Care.
- For use in proving and maintaining HCPC standards the legal basis is 6 (1) c – Legal Obligation and 9 (2) h – Contract w / Health Professional, Sch 1.1. – Health Care.
- For use in giving testimonials, the legal basis is 6 (1) a – Consent, and 9 (2) (a)- Consent. Remember you can withdraw your consent at any time.
- For use in advertising and marketing purposes, the legal basis is 6 (1) a – Consent and 9 (2) (a)- Consent. Remember you can withdraw your consent at any time.
• We may contact you from time to time to contact you with any updates that are happening at the Company, offers or new services provided, new information learned about relevant health conditions and what you can do to improve them, which we think will likely be of interest to you. The legal basis is 6 (1) (f) – Legitimate Interest. Remember you can unsubscribe or ask us to not use your contact details used for these purposes at any time.
5. Where do we keep your information?
We keep your information in the stores described below. Please note that we do not store your payment card details in any of our systems; these are passed straight through to our payment processor.
- On our Company computers. We use personal computers located in our business premises. The computers are password protected. Passwords are changed every 90 days and it is company policy that passwords are not shared. They have up to date and automatically updating Avast and Malwarebytes security, malware and ransomware protection in place.
- Your paper clinical records are kept in a locked filing cabinet securely in the Poynton clinic or Company’s registered address. If digital, they are stored securely within TM3 Practice Software, who have provided a statement that they are compliant with GDPR regulations as a processor, and have their servers located in the UK.
- In Kashflow our accounts software application, who have provided a statement that they are compliant with GDPR regulations as a processor, and have their servers located in the UK.
- In Microsoft 365 Enterprise which is GDPR compliant in the services it provides (email encryption, data storage protection and resting encryption, and a list of other security features) who have provided a statement that they are compliant with GDPR regulations as a processor, and have their servers located in the UK.
- We store other personal and sensitive data, besides the clinical records in TM3 Practice software.TM3 have provided a statement that they are compliant with GDPR regulations as a processor, and have their servers located in the UK.
- In Apple iPhones, 5s and 6s, iPad and the iCloud which are passcode or password protected and can be remotely wiped in event of loss. iCloud have provided a statement that they are compliant with GDPR regulations as a processor. They have their servers located in the USA and data is transferred out of the EU and stored in encrypted form as per GDPR compliance.
6. Who do we share your information with?
- We share your information with your G.P. when a report is required to help you access the best care. We will ask your permission to share information and discuss what information we will be sharing, unless it is in your vital interests that we inform your G.P of anything that may harm you or others. We are bound by a duty of care and legal obligation in these circumstances. We will advise you if we have needed to contact your GP in this circumstance. We send your report to you and anyone we are required by law to inform.
- We share your information with an insurance company or medicolegal agency when required to advise of assessment outcomes, treatment recommendations and progress reports, and invoicing.
- All reports that are sent electronically are sent as attachments that are encrypted and password protected.
- We always ask your permission to share your information with third parties.
- Your information is shared with our trusted data processors, who store and provide us with services and software application solutions that allow us to process (use or store) your information as already detailed in this Notice. They have been selected because they have committed to transferring, using and storing your information responsibly, only for the purposes needed, securely and in full compliance of the GDPR 2016.
A list of the data processors we are using, and trust are:
- TM3 Practice Software – they store the data we collect and enable vital functions of running the clinic possible, such as booking appointments, invoicing, clinical note writing, send text or email appointment reminders, etc.
- Kashflow Accountancy Software – this has been the method of invoicing, and creating reports on where clients have been referred from, what sales were made by sales type and client before making the move to TM3.
- Gough Accountancy – They access the Kashflow system for Book keeping and creating Year end reports for the purpose of the legal obligations set out by the HMRC. Even though the personal data is potentially available to be seen, the purpose of accessing Kashflow is for financial account purposes only, profit and loss statements, and determining what tax needs to be paid by the company. Gough Accountancy do not look at your personal data.
- Microsoft 365 Enterprise – they host the email messages which are received and sent, allow client reports to be written and stored on Word, and the spreadsheets which contain personal data to manage enquiries, and provide the best service of following up enquiries and treatment episodes. We use it as a back up to store the data on our hard drive to One Drive in case of loss of data from the clinic personal computers from physical or technical causes and allow online access in the cloud.
- Telephone Answering Biz – They are a third-party reception call answering service who take calls into ABLE 2 Physiotherapy and Pilates Ltd, when the therapist and receptionist are busy, or out of clinic receptionist hours. They will collect and pass on to ABLE 2 Physiotherapy and Pilates Ltd your contact details, and what health data you wish to give to progress with your enquiry.
- iCloud – iPhone and iPad have enabled ABLE2 Physiotherapy and Pilates to write reports, manage the diary, respond to enquiries, scan and send reports or information on the move, outside of a clinic environment. Prior to 2015 the business was very mobile, did not operate any Practice Software, and used the portability iPhone, iPad and the iCloud provided the business in managing its basic functions, like but not limited to the ones listed above. This processor still stores data stored and created before the move to Microsoft 365 Enterprise and TM3. We still operate in a satellite clinic and on Home Visits which requires this remote access.
- The payment processor is Valitor via a handheld card terminal.
- Santander Business is the bank which processes payments which you may make online.
…. all of these processors are duty bound to protect your information, and are compliant with the GDPR, which means they are responsible and secure in handling your information.
7. How long do we keep your information?
- Upon receipt of our services, we have a legal obligation to keep your information for 8 years, the legal length of time we must keep medical records.
- After 8 years, there is a legitimate interest to keep your information, securely, for an indefinite length of time, or until you request we remove some or all of your data. This is so you can receive the best care, the most accurate diagnosis and effective treatment if you come back to receive treatment for the same or similar problem in the future, for ease of processing any future enquiries, or to be kept informed of relevant and best treatment options which may have been developed since your last visit. It is also a legitimate interest for you and of the Company to be able to communicate with you to promote any services we can offer to you, which we think may help you, based on your past history of care with us, and to use it as evidence if any aspect of the standard of your care was called into question.
- Any photos or videos which are not part of a clinical record, or a HCPC Continuing Professional Development record, will be kept indefinitely or until a time when you request that they are removed, which can be at any time you wish.
- Any information you give us when making an enquiry, if you do not continue on to become a client, will be kept for a minimum 6 months and then indefinitely, if we do not receive a request for your data to be removed, which in this instance can be done at any time.
8. It is my information, what are my rights?
At any point while ABLE2 Physiotherapy and Pilates Ltd is in possession of or processing your personal data, you have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have a right to restrict the processing (use) of your data.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
In the event that ABLE2 Physiotherapy and Pilates Ltd refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge.
9. How can I find out what information you hold on me?
You can submit a Subject Access Request. You can ask to see your information verbally by telling any of our staff that you would like to do so, or you can email us. All requests should be made to firstname.lastname@example.org or by phoning 01625 460 382 or writing to us at the address further below.
ABLE2 Physiotherapy and Pilates Ltd will accept the following forms of ID when information on your personal data is requested: a copy of your national ID card, driving license, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If ABLE2 Physiotherapy and Pilates Ltd is dissatisfied with the quality, further information may be sought before personal data can be released.
No fee will be charged, unless the request is excessive as per the terms of the GDPR 2016.
9. What if my information is incorrect?
Please notify us as soon as possible. We may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, we have a form you can fill in. Please contact us by phone or email and we can arrange to get the information altered for you.
10. How can I have my information removed?
If you want to have your data removed contact us to advise us which data in particular you would like removed, for example a photograph of you on our website or leaflet, your contact details from our marketing contact list, or your whole episode of care from our system. You will be required to fill out a form detailing which data you would like removed. Please contact us by phone or email and we can arrange to get the form to you.
We may require additional verification that you are who you say you are to process this request and we will need to determine if we need to keep the data, for instance, if it part of your clinical record and is less than 8 years after your last treatment, in which case we would need to keep it for legal reasons.
If the data can legally be removed, and it is within reasonable expectations, we will remove it without delay and inform you when it is completed. Please note that if you had previously agreed for your personal data to be part of paper advertising such as leaflets, or flyers, then we can promise to not include it in future publications and remove the data from our systems but cannot remove it from previous circulation.
11. Will we send emails and text messages to you?
As part of providing our best service to you, we will contact you by email and text. We will send details of your bookings, appointments to you, and respond to your enquiries, we will often do this via email and/or text. We may also send you a report on your treatment, invoices, want to get feedback on your experience, discover how you are getting on in the time after having treatment with us, and from time to time we may send you information on what education or services we think may benefit you, and any offers we think you will be interested in and benefit from.
12. How do I opt out of receiving emails and/or text messages?
We will be using email or text to contact you about a number of different purposes, such as those already mentioned in section 10. You have the right to ask us to stop contacting you by email or text for any reason, and we will obey your request as quickly as possible. If you are receiving emails from us, you may unsubscribe at any time by following the instructions included within the email. When you unsubscribe (i.e. opt out) from either text message and/or email communications, we will suppress your details on our systems to ensure we have a record of your decision to not be contacted in that particular manner. We will not use the email address or mobile phone number for such purposes again unless you opt back in. When unsubscribing from either email or text communications, you should always follow the specific instructions given in the particular email or text that you wish to discontinue receiving. This way you can continue to receive text or email communication about things you want to hear from, such as upcoming appointments, and discontinue hearing about anything you don’t want to, such as any special offers we are giving away.
13. Cookies on our website.
In the event that you wish to make a compliant about how your personal data is being processed by ABLE2 Physiotherapy and Pilates Ltd, you have the right to complain to Vickie Cork , Clinical Director at email@example.com or by phone or request a meeting in person. If you do not get a response within 30 days you can complain to the Data Protection Regulator.
The details for each of these contacts are:
ABLE2 Physiotherapy and Pilates Ltd
For the attention of the Clinical Director
11 Fountain Place, Poynton, Cheshire, SK12 1QX
Telephone 01625 460 382 or email firstname.lastname@example.org
Data Protection Regulator
Information Commissioner’s Office
Telephone 0303 123 1113 or visit: https://ico.org.uk/for-the-public/raising-concerns/
Updated 24th May 2018