When you supply your personal details to my clinic they are stored and processed for 4 reasons (the terms in quotation marks are the relevant terms used in the Data Protection Act 2018, which incorporates the General Data Protection Regulation, i.e. the law):
I need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and my agreement to provide that care constitutes a “Contract”. You can, of course, refuse to provide the information, but if you were to do that I would not be able to provide treatment.
I have a “Legitimate Interest” in collecting that information because without it I cannot do my job effectively and safely.
It is important that I can contact you in order to confirm your appointments or to update you on matters related to your medical care. This again constitutes “Legitimate Interest”, but this time it is your legitimate interest. It is your option to decline this.
Provided I have your “Consent”, I may occasionally send you general health information in the form of articles, advice, exercises or practice updates. You may withdraw this consent at any time via the method agreed in my GDPR consent form.
Your medical records are stored on paper, in a locked filing cabinet and the house is always locked if the property is unoccupied.
Your personal details (but no medical details) are also stored electronically using the specialist scheduling service 10to8, and I also use Zapier and Mailchimp to coordinate any other messages to you. These companies have given me their assurances that they are fully compliant with the General Data Protection Regulation and that they do not have access to any of your personal details stored on their systems. My access to this data is password-protected, and the passwords are changed regularly.
Your contact details are also stored on my office computer. The computer and the database are password-protected and backed up regularly, and the property is always locked when unoccupied.
I have a legal obligation to retain your records for 8 years after your most recent appointment (or until your 25th birthday, if that is later). After this time your paper medical notes are shredded and your personal details are deleted from any electronic storage.
You may request that your details be removed from the scheduling software and contact database before then, but your medical record must be stored for at least 8 years.
I will never share your data with anyone who does not need access without your written consent. Only the following people/agencies will have routine access to your data:
Myself, in order that I can provide you with treatment
Members of my family, who may take your contact details if they answer the telephone
From time to time, I may have to employ consultants to perform tasks which might give them access to your personal data (but not your medical notes). I will ensure that they are fully aware that they must treat your information as confidential, and I will ensure they sign a non-disclosure agreement.
You have the right to see all your personal data which I hold, and you can also ask me to correct any factual errors.
I want you to be absolutely confident that I am treating your personal data responsibly, and that I am doing everything I can to make sure the only people who can access that data have a genuine need to do so.
Of course, if you feel that I am mishandling your personal data in any way, you have the right to complain. Complaints need to be sent to the “Data Controller” which in this instance is myself:
Mrs Anne Johnson
Telephone: 01525 221958
Write to: 6 Moor End, Eaton Bray, Dunstable LU6 2HN
If you are not satisfied with my response, then you have the right to raise the matter with the Information Commissioner’s Office at www.ico.org.uk. Tel: 0303 123 1113