Core Clinic is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to protecting the privacy and security of your personal information. This privacy notice describes, in line with GDPR, how we collect, use and store personal data about you during and after your time as a patient of this clinic. It also sets out how long we keep it for and other relevant information about your data. This notice applies to current and former patients. Your personal data will NOT be used in ways to which you have not consented. We do NOT and WILL NOT pass your details to any third party unless you give us your permission to do so.
Data Controller Details
For the purposes of processing your personal data we are the Controller. We are: Core Clinic, Nunhold House, Hatton Technology Park, Dark Lane, Hatton, Warwickshire, CV35 8XB. Telephone number: 01926 291322. Email address: firstname.lastname@example.org
Data Protection Principles
When you supply your personal details to Core Clinic they are stored and processed in line with GDPR regulations. This says that the personal information we hold about you must be:
- processed fairly, lawfully and in a clear, transparent way
- collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with those purposes.
- only used in the way that we have told you about
- kept only as long as is necessary for the purposes we outline
- Process it in a way that ensures it will not be used for anything that you are not aware of or have consented to.
Types of information we hold about you
Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed. We may hold many types of data about you, including:
- your personal details including name, address, date of birth, email address, telephone numbers
- gender and marital status, number/age of children where applicable
- details of your occupation and employer where applicable
- next of kin/parent/guardian where applicable and their contact details
- personal medical or health information, including past medical history
- information concerning examination and treatment at your first and subsequent visits
- letters of referral to or from the clinic regarding your treatment with us
- X-rays and scans and the reports in relation to these
How we collect your data
We collect data about you in a variety of ways and this will usually start when you make an enquiry to the clinic and continue when you attend your first and subsequent appointments. Core Clinic keeps both paper files and electronic records. Information you write down on paper may be transferred to our electronic system. We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic. We have a legitimate interest in collecting that information because without it we could not do our job effectively and safely.
Contact and legitimate interest
We believe that it is important that we can contact you in order to confirm your appointments with us or to update you on matters relating to your medical treatment. This again constitutes Legitimate Interest, but this time it is your legitimate interest. Provided that we have your consent, we may occasionally send you general health information in the form of articles, advice or newsletters. You may withdraw this consent at any time, please let us know by any convenient contact method you prefer.
How we store your data
All patient records are stored securely. Personal data is kept in the clinic and is either electronically protected via password or if a paper-based file, is stored in a secure area. The building is locked and alarmed out of working hours. Any file to be stored for filing is out of sight from the general public once the file has been finished with in regard to documentation. If a patient’s case needs reviewing between clinicians, then this is done in a private meeting room, which is away from the front reception area.
Why we process data (How we will use information about you)
The law on data protection allows us to process your data for certain reasons only, these are classified as legitimate interests. Most commonly, we will use your personal information in the following circumstances:
- in order for us to carry out our contract with you (your requesting treatment and our agreement to provide it constitutes a contract) which will include confirming appointments, changing appointments or clinic arrangements, changes to facilities and services at the clinic
- in order to provide you with the best possible treatment by recording health and treatment information which would be in your best interest
- in order to carry out legally required duties such as those required by me by my government appointed regulator
Situations in which we will use your personal information
We need all the categories of information to primarily allow us to perform our contract of treatment with you and to enable us to comply with legal obligations.
If you do not provide your data to us
We need to collect personal information about your health in order to provide you with the best possible treatment. By you requesting treatment, and our agreement to provide that care, this constitutes a contract. One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of care with us. If you do not provide us with the data needed to do this, we will be unable to perform that care to ensure your best interests are being maintained. You can, of course, refuse to provide the information, but if you were to do that, we would not be able to provide treatment.
Change of purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to us it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision making
No decision will be made about you solely based on automated decision making.
Sharing your data
Your data will be shared with colleagues within the clinic but only where necessary for them to undertake their duties. This includes for example, other clinicians working for, at or on behalf of the clinic, reception and administrative staff. All staff sign agreeing to maintain absolute confidentiality as part of their employment contract. All staff are made fully aware of regulations relating to confidentiality and GDPR regulations.
We may share your data with third parties in order to facilitate a referral to another healthcare practitioner, investigation or to keep your GP/insurer/legal representative informed about your progress with treatment. We will never share your data with anyone who doesn’t need it without your prior written consent.
Transferring your data outside the EU
We do not share your data with bodies outside of the European Economic Area (EU).
Data security – Protecting your data
We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. The database we use is encrypted and has a password security protocol, all emails concerning you will be password protected. The computer has a firewall, as has the rooter. Any paper files are securely locked away and the clinic has a security/burglar alarm installed.
Where we share your data with third parties, we provide them with written instructions to ensure that your data is held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your being a patient with us and we are legally required, by the Chiropractic regulator, to keep this information for 8 years after your time as a patient has ended (or, age 25 if this is longer), but after this period you can ask us to delete your records if you wish. Otherwise, we will retain your records indefinitely in order that we can provide you with the best possible care, should you need to see us at some future date.
Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security. In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Your duty to inform us of any changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you.
- the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request either in writing or by email to Core Clinics at the email address above.
- the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or incorrect, you can require us to correct it.
- the right to be informed. This means that we must tell you how we use your data and this is the purpose of this privacy notice. We must also inform you of any changes in how we use your data
- the right to have your information deleted. You have the right to ask us to delete information from our systems where you believe there is no reason for us to continue processing it. However, we are by law obliged to keep your personal data for at least 8 years after your last appointment with us.
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data held is correct
- the right to portability. You may request the transfer of the data that we hold on you for your own purposes
If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Core Clinics in writing or phone the above number and ask to speak to the Practice Care Team.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for a second or subsequent copy of information or if you request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases we may continue to use the data where so permitted by having a legitimate legal reason for doing so. To withdraw consent, please contact Core Clinics in writing or phone the above number and ask to speak to the Practice Care Team.
Making a complaint
We want you to be absolutely confident that we are treating your personal data responsible and that we are doing everything we can to make sure that the only people who can access that data have a genuine need to. If you feel that we are mishandling your personal data in some way, you have the right to complain. Please send any queries or complaints to email@example.com. If you are not satisfied with our response, then you have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO).