The basis on which we hold personal data:
If you decide to become a patient at Haslemere Chiropractic Clinic we need to hold personal information about you in order to provide you with the best possible care. This information includes your name, address, date of birth, medical history, and treatment records. Your requesting treatment, and our agreement to provide that care, constitutes a contract. If you do not wish to provide this information, regrettably we would not be able to provide treatment because we couldn’t do our job effectively and safely without it.
We ask for your contact details so that we can communicate with you on matters related to your care at this Clinic. We believe that it is in your legitimate interest that we are able to contact you in this way, and we believe that these communications enhance the quality of the service that we offer. Such communications include email confirmation of bookings and cancellations, appointment reminders, re-scheduling of appointments (e.g. if the chiropractor was sick), and to provide you with information relating to your treatment (e.g. exercises and self-help advice sheets). We will never contact you in this way if you have not attended the Clinic for more than a year. We will never use the contact details held on our computerised diary for marketing purposes. If you would prefer not to be contacted by email regarding your treatment, please ask Reception to remove your email address from our system.
An additional service is available for those who wish to receive information regarding special offers, events, articles, or newsletters. This is run by MailChimp on a system independent of our computerised diary. You will only receive emails via MailChimp if you have requested them by specifically giving your consent. It is easy to unsubscribe from this service, and you may withdraw this consent at any time. MailChimp have given assurances that they are compliant with the General Data Protection Regulation (GDPR).
Storage of personal data:
Your contact details, date of birth, basic case profile (to include x-rays if these have been provided as digital images), and account details are stored electronically “in the cloud” using a specialist service (TM2). This provider has given us their assurances that they are fully compliant with the GDPR. Access to this data is password protected with an appropriate level of access according to the user.
Your medical history and treatment notes are stored as paper records, in locked filing cabinets, and the Clinic is always locked and alarmed out of working hours.
We also hold some personal data accessed via our office computers, mainly comprising contact details of patients who attended before we introduced our computerised diary in 2013 (but not more than 8 years ago), and GP letters in progress. This data is held on the cloud-based system Dropbox, and is accessed via our office computers. Dropbox have given assurances that they are fully compliant with GDPR. The office computers are password-protected, and the Clinic is locked and alarmed out of working hours.
Who has access to your personal data and why?
Only the following people/agencies will have routine access to our data:
• The specialist service that stores and processes our files (TM2).
• The practitioners in order that they can provide you with treatment.
• Our reception team, because they organise our practitioners’ diaries and the filing system. Any team member with access to your records is properly trained in confidentiality issues and is governed by a legal duty to keep details secure and accurate.
• MailChimp – if you have consented to receive additional information from us, your name and email address may be saved on their server.
From time to time, we may employ consultants to perform tasks which might give them access to your personal data (but not your medical notes), e.g. IT support. We will ensure that they are fully aware that they must treat that information as confidential.
In most circumstances you will be required to give written consent before information is released to a third party, e.g. reports for insurance, solicitors, GP letters etc. In exceptionally rare circumstances we may be required by law to release your records, e.g. if a court order is presented, or there is an imminent risk to the life of yourself or others.
To ensure your privacy, we will not disclose information unless we are sure that we are talking to you, and may need to ask you for identification. Information will not be disclosed to family and friends unless we have prior written consent.
Retention and deletion of data:
We have a legal obligation to retain your records for 8 years after your most recent appointment (or age 26, if this is longer). After this period we will delete your records both in paper form and electronically.
You have a right to see your records if you wish, and you can also ask us to correct any factual errors. Copies can be provided, and there is usually no fee payable unless large volumes of records are involved.
We want you to be absolutely confident that we are treating your personal data responsibly, and that we are doing everything we can to make sure that the only people who can access that data have a genuine need to do so. If you feel that we are mishandling your personal data in any way, you have the right to complain. Complaints need to be sent to the Data Controller. Here are the details you need:
Haslemere Chiropractic Clinic
40 West Street
Clinic Director: Michelle Carrington
If you are not satisfied with our response, you have the right to raise the matter with the Information Commissioner’s Office.