PRIVACY POLICY
GENERAL DATA PROTECTION REGULATION (GDPR) POLICY STATEMENT
This policy was last updated: 23/05/2018
This policy outlines how MHCPT Chartered Physiotherapy Clinic handles the data of individuals. MHCPT Chartered Physiotherapy (the “Company”) is committed to maintaining robust privacy protections for its users. We will take the necessary steps to ensure that users’ information is safeguarded and kept in accordance with applicable laws and regulations.
This Policy forms part of our terms and conditions and is designed to help you understand how we collect, use, share and safeguard information we receive from other organisations and clients.
For the purpose of GDPR, we are the Data Controller. Any enquiry regarding the collection or processing of your data should be addressed to Marek Holowenko at MHCPT, Stretford Leisure Centre, Greatstone Road, Stretford, Manchester, M32 0ZS. We undertake to protect all personal and sensitive data that is provided to us and in a manner that is consistent with the requirements of the General Data Protection Regulation (GDPR). We will take reasonable measures to ensure the secure storage of all data, see below.
What information do we collect?
From clients:
All data given by clients is recorded by us in accordance with, and as permitted under, the GDPR. We will collect information such as personal details, including name, address, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
Website contact Form:
We use the details that you give us, by email or phone, to follow up on enquiries, to send you general information about us and our services, to ask for feedback, reviews or testimonials, and to deal with complaints or any reports about other users’ use of the Website. The basis for holding this information is that it is for legitimate legal purposes or to fulfil a contractual obligation where the contact is from an existing client.
Payment data:
Payments are taken by our card reader and processed online. We use the following third party, First Data, to manage our payment process. You are advised to read their Privacy Policy at https://www.firstdata.com/en_gb/privacy.html.
Information we get from other sources:
From time to time, we may need to obtain information from third parties. This will only apply where it is essential for the provision of our services and as permitted by law. Where applicable we will seek the consent of the client or organisation providing the data.
How we use personal information (Lawful basis)
Your data is primarily collected for the purpose of providing healthcare services and to meet our contractual commitments to you. The contract basis for lawful processing is used for personal information which directly relates to purchases (i.e. a contract of sale) and to the provision of treatments and therapies for our customers and our former customers.
We may use your information to notify you about any changes to our website, such as improvements or service/product changes, that may affect our service.
Client data is not used by us for any marketing purpose. In the event of this happening in future, we will seek the express consent of the client.
Sharing Information
Disclosure
We do not share, sell, or distribute your data to third parties. If it is necessary to share data with a subcontractor working on our behalf, you will be informed without delay. Any third party must adhere to all data protection laws and regulations.
We may disclose personal information if we are required to do so by law, in connection with any legal proceedings, or if it is justified in the public interest.
Invoice validation
Your information may be shared if you have received treatment via an insurance that is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Data Retention
We keep all personal information in accordance with our Data Retention Policy which reflects our needs to provide our services to you as contracted and also to meet legal, statutory and regulatory obligations. We will only retain data that is necessary and this will include data relating to the physiotherapy that we have provided to clients. The need to hold information is regularly reviewed and information/data will be disposed of when no longer required. All disposal is carried out securely and records will be destroyed so that they are not retrievable.
We are required by law to hold accounting information for approximately 7 years (6 years from the end of the last financial year), but any other information that is not required to be kept by law can be erased from our systems.
Data Storage
We use OneDrive cloud storage to store records such as client medical notes, exercise programmes and invoices, and a WD hard drive and cloud storage as a backup. A Google Calendar diary is used for appointments. All data is password protected.
In accordance with data protection legislation, data records are stored in a locked cabinet and electronic storage is protected by a user’s password that is individual to the user.
We regularly carry out tests to ensure our compliance with keeping data secure. In addition, we regularly review our procedures for secure data storage to ensure that all appropriate measures are adopted.
Any information that you supply to us may be stored and processed by servers hosting our website. Data will only be transferred outside EEA countries in accordance with the relevant data protection laws.
Data Subject Rights
As a data processor, we understand that we have obligations under the GDPR in respect of the following:
Subject Access Requests
The General Data Protection Regulation (GDPR) gives individuals, known as ‘data subjects’, the right to access personal data that is held by organisations by a subject access request (SAR). We will endeavour to respond quickly to any such requests, which legally require us to respond within one month of receiving the request and necessary information.
Right to Rectification
Data subjects have the right to request that we amend or change personal information that may be inaccurate or incorrect. We will act on any request without delay as instructed by the data subject.
Right to erasure
Data subjects have the right to ask us to delete personal information from our systems without giving any reason and at any time. We will act on any request without delay as instructed by the data subject.
Right to restrict processing
Data subjects have the right to restrict processing of their data where applicable. We will act on any request without delay as instructed by the data subject.
Right to data portability
Data subjects have the right to obtain and transfer their data to different service providers. We will act on any request without delay as instructed by the data subject.
Right to object
Data subjects have the right to object to the processing of data at any time based on their particular situation. This includes objecting to profiling unless it is in the ‘public interest’ or exercised lawfully by an official authority. We will only process data where we can demonstrate lawful grounds for doing so. We will act on any request without delay as instructed by the data subject.
Right not to be subject to decisions based on automated processing
We do not use any automated processing that results in any automated decision based on a data subject’s personal information.
Third party links
You might find links to third party websites on our website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
Data Breaches
We will report any unlawful breach of data as required by the GDPR within 72 hours of the breach occurring, if it is considered that data within our control, including that in the control of our data processors, has been or may have been compromised. If the breach is classified as ‘high risk’ we will notify all data subjects concerned using an appropriate means of communication. We will report any relevant breaches of data to the Information Commissioner’s Office (ICO). We are registered with the Information Commissioner’s Office for this purpose.
Important Information
Questions and queries
If you have any concerns about how we handle data, you can contact us by writing to MHCPT Chartered Physiotherapy, Stretford Leisure Centre, Greatstone Road, Stretford, M32 0ZS. Alternatively, you can email us at contact@mhcpt.co.uk.
Changes to this policy
We reserve the right to amend this Statement at any time to meet the requirements of the GDPR and our role as a data processor. Any significant changes will be mutually agreed.
Complaints
If you have a complaint about the use of data by us, you can email us at contact@mhcpt.co.uk. Alternatively, you can formally report an issue of concern to the Information Commissioner’s Office (ICO) at www.ico.org.uk.
© 2018 MHCPT Chartered Physiotherapy | GDPR Statement