Name and Address of the controller:
Our Data Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member States of the European Union and other provisions related to data protection is:
Fiona O’Leary
Winstanley House, 4 Market Hill, Saffron Walden, Essex, CB10 1HQ
Phone: 07757609091
Email: email@example.com
Website: www.fionaolearyphysio.co.uk
Use of your information:
We may hold and process personal data that you provide to us through our online contact forms and during treatment sessions in accordance with the DPA and GDPR. The information that we collect and store relating to you is primarily used to enable us to provide our services to you, and to meet our contractual commitments to you. We also have a professional and legal obligation to keep accurate notes of all our interactions with you. Where you have consented on the registration form, you will from time to time receive updates/promotions via email; you can opt out of these at any time by contacting firstname.lastname@example.org
Disclosure of your information:
Where you have consented for us to do so, we may provide your personal data to selected third parties, such as insurance companies and other medical professionals. We do not use or disclose any personal data without your explicit consent. Otherwise, we will process, disclose or share your personal data only if required to do so by law or in the good faith belief that such action is necessary to comply with legal requirements or legal process served on us or the website. Where you have consented to Cookies being stored on your computer, non-personally identifiable data concerning your web browsing activity will be disclosed to the companies listed above.
Data Storage and Transfer:
Data such as client notes and contact information is stored via Practice Pal on UK-based servers with Rackspace. All data sent to and from Practice Pal’s servers is encrypted. Further information is available on Practice Pal’s website: www.practicepal.co.uk
Online bookings through our website also use the secured services of Practice Pal; when you click on our ‘Online Booking’ link, you will be redirected to a secured site, which will encrypt any personal data provided. See link above for more details.
All sensitive information sent via email is password-protected and encrypted using Swiss-based ProtonMail. All data transfers between ProtonMail’s Swiss-based servers and our workstations are encrypted. More information regarding ProtonMail’s security features can be found on their website: https://protonmail.com
Information sent to us via our website’s Contact Form or Mummy MOT Pre-Screening Form is held on the EU-based servers of JotForm; information sent to us is encrypted and the relevant forms are SSL secured. More information regarding JotForm is available on their website: https://www.jotform.com/
We hold other data, such as GP letters and referral letters, on a local, password-protected and encrypted hard drive.
As a data processor, we understand that we have an obligation under the GDPR to comply with the following:
Subject Access Requests:
The GDPR gives individuals the right to access personal data that is held by organisations by a ‘subject access request’ (SAR). We will endeavour to respond quickly to any such requests; we are legally required to respond within one month of receiving the request and necessary information.
Right to Rectification:
Individuals have the right to request that we amend or change personal information that is inaccurate or incorrect. As Data Controller, we will act on any request without delay, as instructed by you.
Right to erasure:
In certain circumstances, individuals have the right to ask us to delete personal information from our systems; such requests can be made without giving any reason and at any time. However, we are legally required to store notes for eight years from the date of last treatment for adult records, and for children eight years after their 18th birthday or until 25 years of age.
Right to restrict processing:
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. As Data Controller, we will act on any request without delay, as instructed by you.
Right to data portability:
Individuals have the right to obtain and transfer their data to different service providers. As Data Controller, we will act on any request without delay, as instructed by you.
Right to object:
Individuals have the right to object to the processing of data at any time based on their particular situation. This includes objecting to profiling, unless it is in the ‘public interest’ or exercised lawfully by an official authority. We will only process data where we can demonstrate lawful grounds for doing so. As Data Controller, we will act on any request without delay, as instructed by you.
Right not to be subject to decisions based on automated processing:
We do not use any automated processing that results in any automated decision based on a data subject’s personal information.
Breach in data protection:
Any breach in data protection will be reported to the ICO within 72 hours.
Changes to this policy:
We may update these policies to reflect changes to the website and customer feedback. Please regularly review these policies to be informed of how we are protecting your personal data.