Here at Marlow and Cox Green Physiotherapy we are aware of our obligations under the General Data Protection Regulation (GDPR) and we are committed to processing your data securely and transparently. This notice sets out, in line with GDPR, the types of personal data that we collect and process about our patients. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
Who we are
The Company is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows:
Marlow and Cox Green Physiotherapy & Sports Injury Clinic Ltd
The Pavilion, Marlow Sports Club, Pound Lane, Marlow, Bucks SL7 2AE
How you are protected
In relation to your personal data, we will:
- Process it fairly, lawfully and in a clear transparent way
- Collect your data only for specified and specific purposes
- Only collect the minimum information we need to meet the purpose
- Only use it in the way that we have told you about
- Ensure it is correct and up to date
- Keep your data for only as long as we need it
- Process it securely, reducing the risk of it being lost or stolen.
What data do we collect about you?
Personal data means any information capable of identifying an individual. It does not include anonymized data. We may process certain types of personal data about you as follows:
- Identity data – may include your first name, maiden name, last name, username, marital status, title, date of birth and gender.
- Contact data – may include your billing address, delivery address, email address and telephone numbers.
- Transaction data – may include details about payments between us and other details of purchases made by you.
- Technical data – may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone settings and location, operating system and platform and other technology on the devices you use to access the site.
- Profile data – may include your username and password, purchases or orders, your interests, preferences, feedback and survey responses.
- Usage data – may include information about how you use our website, products and services.
- Marketing and Communications data – may include your preferences in receiving marketing communications from us and our third parties and your communication preferences.
We may also process Aggregate Data from your personal data, but this data does not reveal your identity and as such in itself is not personal data. An example of this is where we review your Usage data to work out the percentage of website users using a specific feature of our site. If we link the Aggregate Data with your personal data so that you can be identified from it, then it is treated as personal data. Where we are required to collect personal data by law, or under the terms of the contract between us and you, if you do not provide us with that data when requested, we may not be able to perform the contract (for example to deliver the services to you). If you don’t provide us with the requested data, we may have to cancel your order of the services. If we do, we will notify you at that time.
Why we process your data
There are 6 lawful reasons for processing personal data, which are:
- You give consent for us to process your data
- It is necessary to fulfil a contractual obligation with you
- There is a regulatory obligation on us to do so
- It is in the legitimate interest of the company to do so
- It is in the public interest to do so
- It is in your vital interest to do so
How we collect your data
We collect personal data about you through a variety of different methods including:
- Direct interactions: you may provide data when filling in forms on the website (or otherwise) by communicating with us by post, phone, email, or otherwise, including when you:
  - subscribe to our service
  - request resources or marketing be sent to you
  - give us feedback.
- Automated technologies or interactions: as you use our site, we may automatically collect Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies. We may also receive technical data about you if you visit other websites that use our cookies.
- Third parties or publicly available sources: we may receive personal data about you directly or indirectly from various third parties and public sources as set out below:
  - Insurance companies
  - Primary/secondary care referrals
  - Analytics providers such as Google based outside the EU
  - Identity and contact data from publicly available sources such as LinkedIn
Sensitive/Special categories of data
We collect the following categories of “sensitive” (also known as “special”) personal data related to your health. We will process this data on the basis that it is in your vital interests that we do so:
- We do not collect any information about criminal convictions and offences (other than as a part of our internal hiring processes through standard background checks).
We must process special categories of data in accordance with more stringent guidelines. Most commonly we will process special categories of data when the following applies:
- You have given explicit consent to the processing
- We must process the data in order to carry out our legal obligations
- We must process data for reasons of substantial public interest
- You have already made the data public.
We will use your special category data to:
We do not need your consent if we use special categories of personal data in order to meet and protect your vital interests; carry out our legal obligations; or exercise specific rights under employment law.
However, we may ask for your consent to allow us to process certain particularly sensitive data in particular ways. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no adverse consequences where consent is withdrawn.
It is not our intent to process data from anyone under the age of 16. If you are aware of anyone having submitted data to us relating to an individual under the age of 16, please let us know at email@example.com and we will immediately stop processing and delete any personal data relating to that individual. If we become aware of having been provided data relating to an individual under the age of 16 (without parental consent) we will immediately stop processing and delete any personal data relating to that individual.
Sharing your data
Your data will be shared within the Company where it is necessary for staff to undertake their duties in provision of the services to you.
We also share some of your data with the following third parties:
- Streamline – who process your card payments
- Healthy Practice – who provide the IT infrastructure on which your data is stored
- Insurance Companies – including Nuffield Health, Bupa, Axa PPP, CS Healthcare, Cigna, WPA.
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us.
Protecting your data
We are aware of the requirements to ensure your data is protected against accidental loss or disclosure, destruction and abuse, and we have implemented processes to guard against these. Where we share your data with third parties within and outside the health service, we provide written instructions to them to ensure that your data is held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data. We do not share your data outside the European Economic Area.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as necessary. Retention periods can vary depending on why we need your data.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
- The right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice.
- The right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request to firstname.lastname@example.org.
- The right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you can require us to correct it.
- The right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
- The right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
- The right to portability. You may transfer the data that we hold on you for your own purposes.
- The right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests.
- The right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in a way that adversely affects you.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases we may continue to use the data where so permitted by having a legitimate reason for doing so: for instance to provide continuity of care and a record of the treatment that you have received from us. If you wish to exercise any of the rights explained above, please contact Alison at email@example.com.
How to complain about Marlow Physiotherapy and Sports Injury Clinic
We strive to meet the highest standards when collecting and using personal information. Complaints are taken very seriously, and data subjects are encouraged to bring any issues to our attention. To do this, please email Alison at firstname.lastname@example.org or call 01628898140.
You can contact the ICO via their website at www.ico.org.uk should you wish to make a complaint about the way we are processing your personal data.
Issue date: 25/10/18