CATHEDRAL ROAD CLINIC PRIVACY NOTICE
For the purpose of providing treatment, the following information is collected: patient name, address, date of birth, email address, phone numbers, occupation, details of any relevant sport/hobbies, GP details, past medical history, family medical history, and case history. Explicit consent allows the practice to document and process your personal medical data. Contact details provided by you (as listed above) may be used to remind you of future appointments and provide reports or other information concerning the practice and your treatment.
In making initial contact, you consent to the practice maintaining a marketing dialogue with you until you either opt out (which you can do at any time) or we decide to desist in promoting our services. Osteopaths may occasionally also act on behalf of their patients in the capacity of data processor, when we may promote other practitioners based at our premises, who may not be employed by us. Osteopaths do not broker your data and you can ask to be removed from our marketing database by emailing or phoning the practice using the contact details provided at the end of this Privacy Notice.
DATA COLLECTION, STORAGE AND DISPOSAL
- Information collected is sufficient for the purpose of making informed clinical decisions.
- Data is collected orally on the phone by reception staff or practitioners to book appointments and take contact details.
- Medical information is collected by osteopaths orally at face-to-face appointments, and over the phone when required.
- Patient contact details, clinical records, and appointment information are stored electronically, and also manually in paper files.
- This data is always held securely in locked cabinets and in a password protected computer system.
- Your data is not shared with anyone not involved in your treatment, although for data storage purposes it may be handled by pre-vetted staff who have all signed an integrity and confidentiality agreement.
- Information is stored on a patient management software system (currently ‘PPS’); details are available on request.
- Records cannot be deleted before statutory requirements for data retention have been met.
- Files are destroyed by shredding after 8 years (since patient's last appointment) or in the case of patients under the age of 16, when they reach their 25th birthday. Electronic records are also deleted from the system in line with the above timeframe.
DATA SHARING, CHECKS, AND SECURITY
- As per our obligations as primary healthcare physicians, information is only shared with other persons with the patient’s permission and explicit consent. This would usually be with other health professionals, e.g. GPs, consultants, surgeons and/or medical insurance companies.
- Data would extremely rarely be shared without consent if there was a legal order or in cases of serious safety risks.
- We regularly check all active patient data is correct, and request that all patients let us know if their personal information changes.
- Access to paper records is restricted to practitioners and admin staff who have signed an integrity and confidentiality agreement.
- All electronic data is password protected. Systems are kept updated and antivirus security systems are in place.
- Data breaches will be detected by observing signs of unauthorised entry to storage areas, monitoring communications or becoming aware of a security breach (e.g. a virus or unauthorised log on or change to permissions) on the computer system.
- Data breaches will be investigated and reported to the Information Commissioner’s Office by the appointed person. Patients will be informed if we believe a data breach has occurred.
- Patients may contact the Information Commissioner’s Office if they believe a data breach has occurred. Information Commissioner’s Office: 0303 123 1113
SUBJECT ACCESS REQUESTS
- Subject access requests will be responded to within a month and no charge will be made.
- Data is only released on receipt of photo ID and a signed request from the patient. Data sharing will be detailed in the patient record.
At any point whilst Osteopaths/practice staff are in possession of, or processing your personal data, all patients have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
Through agreeing to this privacy notice you are consenting to Osteopaths processing your personal data for the purposes outlined. You can withdraw consent at any time by using the postal address, email address or telephone number provided at the end of this Privacy Notice.
Appointed person with responsibility for data protection:
Mark McWilliam (- registered with the ICO)
CATHEDRAL ROAD CLINIC ("the practice")
242 Cathedral Road, Cardiff, CF11 9JG
029 2023 5220