This notice applies to anyone who views the Pain Relief Physiotherapy website: www.painreliefphysio.co.uk, makes enquiries to Pain Relief Physiotherapy either verbally or in written format, provides personal information and receives physiotherapy treatment from Pain Relief Physiotherapy.
For the purposes of GDPR the data controller is Pain Relief Physiotherapy. The responsibility of the data controller is to oversee how data or information is used, to control and oversee the duties of the data processor, and to ensure that data is used, stored and processed in accordance with the guidelines of GDPR.
Pain Relief Physiotherapy is registered with the Information Commissioner's Office (ICO). The ICO is the UK’s independent body set up to uphold information rights. It covers several acts and regulations such as the Data Protection Act 2018, Freedom of Information Act, Privacy and Electronic Communications Regulations and General Data Protection Regulation (GDPR).
ICO registration number: ZB251905.
Credit: This document was created using a template from Docular (https://seqlegal.com/free-legal-documents/privacy-policy).
What personal information is collected?
The law requires the processing of your personal information to be balanced against your interests, rights and freedom. Pain Relief Physiotherapy takes care to ensure that the processing of the personal information collected does not override your interests, rights and freedom. The legal requirement to make and maintain detailed health records as part of safe and effective patient care is endorsed by the regulatory bodies the Health and Care Professions Council and the Chartered Society of Physiotherapists. Different types of personal information need to be included as part of health records and so will be collected by Pain Relief Physiotherapy:
- Standard personal information which can include but is not limited to: name, address, gender, email address, telephone number, date of birth, occupation, next of kin
- Special category personal information, which relates to both your physical and mental health
- We may process information contained in or relating to any communication that you send to us or that we send to you.
Why is personal information collected?
Personal information is collected for two reasons:
- Legitimate interests
- Legal obligation
Standard personal information – legitimate interests
Pain Relief Physiotherapy processes standard personal information for legitimate interests to communicate effectively and efficiently with you for the purposes of:
- Operations – We may process your personal information for the purposes of operating our website, managing your appointments, providing physiotherapy care, generating invoices, bills and other payment-related documentation. The legal basis for this processing is our legitimate interests, namely the proper administration of our website, services and business.
- Relationships and communications – We may process contact information and communication information for the purposes of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post and/or telephone, providing support services and complaint handling. The legal basis for this processing is our legitimate interests, namely communications with our website visitors and clients, the maintenance of relationships, and the proper administration of our website and business.
- Direct marketing – We may process contact data for the purposes of sending direct marketing communications by email, SMS, post and making contact by telephone for marketing-related purposes. The legal basis for this processing is our legitimate interests, namely promoting our business and communicating marketing messages and offers to our website visitors and service users.
- Research and analysis – We may process information for the purposes of researching and analysing the use of Pain Relief Physiotherapy. The legal basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.
- Record keeping – We may process your personal information for the purposes of creating and maintaining our databases, back-up copies of our databases and our records generally. The legal basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run Pain Relief Physiotherapy in accordance with this policy.
- Security – We may process your personal information for the purposes of security and the prevention of fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business, and the protection of others.
- Insurance and risk management – We may process your personal information where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
- Legal claims – We may process your personal information where necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights, and the legal rights of others.
- Legal compliance and vital interests – We may also process your personal information where such processing is necessary for compliance with a legal obligation to which we are subject or to protect your vital interests or the vital interests of another natural person.
Standard personal information – legal obligation
Collecting standard personal information is a legal requirement for maintaining detailed healthcare records as part of the provision of healthcare and treatment.
Special category personal information – legal obligation
Pain Relief Physiotherapy would not be able to provide healthcare, and therefore physiotherapy treatment, to you if this information was not collected. It is a legal requirement to collect information that relates to both your physical and mental health. The Health and Social Act 2008 (Regulated Activities) Regulations 2014: Regulation 17 Section 2c states that healthcare providers must ‘maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided’.
How is your personal information processed/collected?
If you, or a friend, relative, carer or other health professional such as a doctor or nurse, get in touch with Pain Relief Physiotherapy via telephone or email, your personal information such as your name, email address and phone number may be collected. Other standard personal information such as date of birth, gender, occupation, next of kin and special category information may be collected via encrypted and secure email that is SSL certified, over the telephone or during private face-to-face consultations. Special category information might be collected via encrypted and secure email, registration forms or health questionnaires. Information might also come in the form of investigations such as MRI scans, x-rays and blood tests or from other health professionals involved in your care. If information is required after your treatment has begun, your permission to request information from these sources will always be sought before doing so.
No personal information is collected from the Pain Relief Physiotherapy website.
No financial information is collected.
How is your personal information stored?
Your personal information, communication notes and records are stored in Microsoft Azure Cloud Infrastructure through a data processing software company called WriteUpp, which is situated in the UK. Their servers are located in an EU-based data centre. For security purposes no data is stored on a computer or other device. When data is being sent from the WriteUpp software to their server it is encrypted using 256-bit encryption. Encryption means that information cannot be read by anyone who intercepts it while it is being transmitted. For an added layer of security when sending emails containing special category personal information, an SMS message will be sent containing an access code which is required to ‘unlock’ the message. WriteUpp is ISO 27001 certified; ISO 27001 is an internationally recognised information governance and security standard.
Sharing your personal information with others
Your personal information might be shared with other health care professionals involved in your care such as your GP or consultant. This might be done over the telephone or via a secure and encrypted email. In usual circumstances your consent for this to happen will be gained.
We may disclose your personal information to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.
Your personal information will be stored on the servers of our data processing services providers identified at www.writeupp.com.
In addition to the specific disclosures of personal information set out in this section, we may disclose your personal information where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
International transfers of your personal data
In this section information is provided about the circumstances in which your personal data may be transferred to a third country under UK and/or EU data protection law.
Pain Relief Physiotherapy may transfer your personal information from the European Economic Area (EEA) to the UK and process that personal data in the UK for the purposes set out in this policy, and may permit our data processor, WriteUpp, to do so, during any period with respect to which the UK is not treated as a third country under EU data protection law or benefits from an adequacy decision under EU data protection law; and we may transfer your personal information from the UK to the EEA and process that personal data in the EEA for the purposes set out in this policy, and may permit our data processor, WriteUpp, to do so, during any period with respect to which EEA states are not treated as third countries under UK data protection law or benefit from adequacy regulations under UK data protection law.
The website hosting facilities, Cloud Above, for www.painreliefphysio.co.uk, are situated in London, UK and are protected with SSL certification.
Retaining and deleting your personal information
This section sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal information.
Personal information that Pain Relief Physiotherapy processes for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. In line with NHS guidance your records will be retained for 8 years after your last consultation with Pain Relief Physiotherapy. For more information about the Records Management Code of Practice, please see: www.nhsx.nhs.uk/information-governance/guidance/records-management-code/
Your personal information might also be retained where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.
Amendments and updating policy
We may update this policy from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this policy. We may also notify you of changes to this policy.
Your principal rights under data protection law are:
(a) the right to access – you can ask for copies of your personal data. This is also known as a ‘subject access request’;
(b) the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data;
(c) the right to erasure – you can ask us to erase your personal data;
(d) the right to restrict processing – you can ask us to restrict the processing of your personal data;
(e) the right to object to processing – you can object to the processing of your personal data;
(f) the right to data portability – you can ask that we transfer your personal data to another organisation or to you;
(g) the right to complain to a supervisory authority – you can complain about our processing of your personal data; and
(h) the right to withdraw consent – to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.
These rights are subject to certain limitations and exceptions. You can learn more about these by visiting https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
You may exercise any of your rights in relation to your personal information by written notice to Pain Relief Physiotherapy via email at: email@example.com