This document sets out why we collect your personal data and what we do with it.
We are allowed to process your data only if we have a legitimate reason to do so, such as when it is in our joint legitimate interest in order to provide you with treatment, when you consent to it or in order to comply with aspects of the law.
When you supply your personal details to Willow Chiropractic, they are stored and processed for the following reasons:
We need to be able to identify you, provide a service and take payments.
We need to collect your personal health-related information in order to provide you with treatment. Your contacting us to request treatment, together with our agreement to provide you with treatment, constitutes a contract. If you were to refuse to provide the information, we would not be able to provide you with any treatment.
We have a legitimate interest in collecting your health information because without this we could not provide you with the level of care or treatment which is specific and tailored to your health or contact you about your health, when needed.
We believe that it is your legitimate interest that we are able to contact you to confirm your appointments with us or to update you on matters related to your care.
We need to collect personal details in order to respond to you when you have provided us with feedback regarding your care and our service.
Marketing or informative communications
Provided we have your consent, we may occasionally send you communications in the form of articles, advice or newsletters/offers. If you have not expressly provided this consent and you were added to our system before 25th May 2018, we will continue to contact you legitimately under ‘soft opt in’ because a relationship already exists. You are our patient and you have accessed our services in the past. After 25th May 2018, new patients need to expressly opt into marketing preferences.
You can always withdraw your consent to receiving any of our marketing communications. Every communication will give you a clear option to unsubscribe.
Legally, we have an obligation to retain your medical records for anyone up to the age of 25 or for 8 years following your most recent appointment. After this period you have the right to be forgotten and you can ask us to delete your records. Otherwise, your records will be retained indefinitely in case you come back to see us in the future. We would then be in the best position to resume your care.
Storage of data
Patient records are stored on paper files, in locked filing cabinets, in clinics which are always locked out of hours. Your records are also stored electronically, using specialist software for managing our patient base and diary management. Cliniko and Practice Hub supply the software for these services. Practice Hub does not move or process data outside of the European Union/European Economic Area (EU/EEA) but Cliniko does process data outside of the EU/EEA. In order to do so and remain compliant with GDPR, Cliniko has issued us with a Data Protection Addendum (DPA) which includes Standard Contractual Clauses (also known as “Model Clauses”), which are an approved set of provisions that offer sufficient safeguards and protection for data that’s processed outside of the EU/EEA. The DPA provides appropriate safeguards for the transfer of data outside of the EU/EEA, as mentioned in Article 46(2)(c) of the GDPR legislation.
Access to data is password protected, with passwords being changed regularly. Our office computers are password-protected and access to Cliniko and Practice Hub is password protected. Different users have different levels of access depending on the requirement for them to have this access.
Safety & Security
CCTV signs are clearly displayed on all entrances. Audio and Video recording is running in public areas to ensure the safety and security of our premises, our staff and our customers whilst within our clinics; this is in our joint interest. No recordings of any type take place in any treatment areas other than still images for the purpose of postural analysis.
CCTV is not used for training or marketing purposes but can be relied upon to establish the facts and provided to the authorities as deemed necessary. Recordings are stored securely on an encrypted server by Nest for 10 days, after which they are automatically and permanently deleted.
Access to any recordings is limited to senior management only, when there are legitimate reasons for viewing them, and is secured with passwords.
Other 3rd Parties
MailChimp is the provider we use to coordinate our marketing communication e-mails. Your name and email address will be held on their server. Their processes are compliant with GDPR and their data is not moved outside of the EU/EEA.
Access to your data
We will never share information with anyone who does not need access to your data without your written consent. The only people who will have routine access to your data are:
• Your practitioner in order that they can provide you with care.
• Our reception team, because they manage our patient data, diary systems, assist in the provision of care and prepare files.
• Other staff at head office. This will be limited to Service and Operational Managers only who will only need to access the details if there was a need to do so in the provision of your care. Other administrative staff will not have access to your medical notes, just your essential contact details.
• In the event of illness or holiday, we may need to use locum practitioners to cover. This helps to maintain capacity in our clinics and maintain your level of care whilst your practitioner is off. This will give them access to your personal data and your medical notes which they will need in order to understand your care and provide you with the best level of care whilst your practitioner is off. We enter into contracts with practitioners for locum cover with confidentiality agreements in place to ensure that patient information is treated with the highest levels of care.
We are under an obligation to inform the Information Commissioner’s Office of any data breaches within 72 hours.
Cookies are small text files that are placed on your computer's hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved.
Some cookies may last for a defined period of time, such as one day or until you close your browser. Others last indefinitely.
Your web browser should allow you to delete any you choose. It also should allow you to prevent or limit their use.
If you choose to prevent their use through your browser settings, you will not be able to use all the functionality of our website.
1.1. to track how you use our website
1.2. to record whether you have seen specific messages we display on our website
1.3. to keep you signed in to our site
1.4. to record your answers to surveys and questionnaires on our site while you complete them
1.5. to record the conversation thread during a live chat with our support team
2. Personal identifiers from your browsing activity
Requests by your web browser to our servers for web pages and other content on our website are recorded.
We record information such as your geographical location, your Internet service provider and your IP address. We also record information about the software you are using to browse our website, such as the type of computer or device and the screen resolution.
We use this information in aggregate to assess the popularity of the webpages on our website and how we perform in providing content to you.
If combined with other information we know about you from previous visits, the data possibly could be used to identify you personally, even if you are not signed in to our website.
We legitimately record phone calls on our secure system, Ring Central, in order to provide staff training, for quality improvement purposes and to establish facts.
You have the right to request the details of your personal data which we hold. You have the right to ask us to update your information if it is not correct and you also have the right to be forgotten, providing that the minimum medical requirements (mentioned above) are adhered to. You can also object to the processing of your data or question the grounds for which we are processing your data under ‘legitimate reasons’. You can exercise these rights by using the following form where we will provide a response within 30 days:
Concerns or complaints
If you have any concerns or complaints about how we have dealt with your personal data, you have the right to complain. Complaints or any general queries need to be sent to our Data Controller, Nathan Allen, using the following e-mail address: firstname.lastname@example.org
Telephone number: 0800 511 8966
Or write to us at:
Willow Chiropractic, 3rd Floor, Churchfields, Westbury Hill, Westbury-on-Trym, Bristol, BS9 3AA.
If our response is not satisfactory, you have the right to raise the issue with the Information Commissioner’s Office.