At Devonshire Square Physiotherapy we are committed to protecting and respecting your privacy.
This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and what choices you have. It relates to all our business activities, not just this website.
We may change this Policy from time to time so please check this page occasionally to ensure that you're happy with any changes. By using our services, you're agreeing to be bound by this Policy.
Review Date 25/4/2018
Who Are We?
We are Devonshire Square Physiotherapy, a private physiotherapy practice, treating patients'
musculoskeletal problems such as sports injuries, postural problems, neck and back complaints and post-operative rehabilitation. The clinic has been running since 2011 and the ownership was taken over by its lead physiotherapist, Amir Pojhan, on 1st May 2018.
Clinic Owner and Senior Physiotherapist: Amir Pojhan
Clinic Manager: Anahita Ghaffarpasand
General Statement of our Practice's Duties and Scope
As a physiotherapy clinic, we collect and process patients' personal data as part of our operation and shall take all reasonable steps to do so in accordance with our policies. This policy has been written to ensure that we comply with the relevant provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). It has been written with reference to the information provided by the Information Commissioner’s Office (ICO).
Devonshire Square Physiotherapy will be registered with the Information Commissioners Office (ICO) and will act as the Data Controller determining the purposes and means of handling personal data for physiotherapy patients at our practice.
The Principles of GDPR
We shall ensure that your information will be:
• Fairly and lawfully processed
• Processed for a lawful purpose
• Adequate, relevant and not excessive
• Accurate and up to date
• Kept no longer than necessary
• Processed in accordance with your rights
• Not transferred to other countries without adequate protection
Devonshire Square Physiotherapy will be the Data Controller responsible for information in respect of its physiotherapy patients, and personnel at the practice will process data in association with their role. Clinical staff are responsible for following their relevant professional and legal obligations. Whilst processors have legal responsibility for their actions the Controller has an obligation to ensure that they comply with GDPR. All processors are bound by their contractual obligations about client and patient confidentiality.
We will ensure that, where data are processed externally, for example by service providers, Cloud services or storage facilities, all external processors are compliant with this policy and relevant legislation.
What kinds of personal information do we process?
Reception staff are required to collect personal data (e.g. contact details) for making appointments and day to day administration. These will be recorded on the clinical notes and diary system. It is a legal requirement for us to record attendance. Reception staff are required to handle sensitive personal data but will never share this.
Sensitive Personal Data
Clinical records contain sensitive personal information and will be recorded by clinicians in accordance with the relevant professional standards and legal obligations. Consent is to be obtained before sensitive personal data are shared with, for example, General Practitioners, other health professionals or insurers. Sharing information with other parties will not be done without your written consent specifying what details you wish to share and who you would like to share it with. You can ask to see a copy of any correspondence before it is sent.
How will we collect your information?
• We will ask you to give your title, full name and date of birth, telephone number, email and payment basis when you book your initial appointment by phone in person.
• We will ask you whether you wish to receive a text reminder.
• When you come to your initial appointment you will be asked to complete our full patient registration form and sign our privacy notice to confirm your consent allowing us to process your information.
• Your physiotherapist will collect all the medical information that they need to treat you during your assessment. The assessment will be recorded on the clinical record and will not be shared without consent.
Privacy Notice and Consent
Every physiotherapy patient (or their guardian) will be asked to read a Privacy Notice at the start of each new session of care and be required to complete the data consent section at the bottom of the form. Their consent will be recorded on their clinical record. All associates from other disciplines are responsible for obtaining their own relevant consent and documentation.
Right of Access to Information
You have the right of access to information held by Devonshire Square Physiotherapy. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request. (Known as a subject access request SAR). An initial copy of your information will be provided at no charge.
Devonshire Square Physiotherapy will endeavour to ensure that all data held are accurate. We ask you to notify us of any changes to information held about you, and it is your right to have inaccurate data corrected or erased. This does not apply where there is a legal requirement to retain records of corrections or mistakes in the interest of all parties to which they apply, and where no alterations can be made to the clinical record.
Monitoring Data Protection
We will conduct a GDPR Risk Assessment annually and a report included in our Practice Manual.
An annual data processing and information audit will be conducted to document the following:
• The type of information the Clinic holds
• Where the data are being stored
• How data are being processed
• Whether the data are being collected and stored in accordance with our policies
• Records of Consent
• Records of data breaches
Data Retention and Destruction
• Your information will be retained in accordance with legal and operational requirements. Your clinical notes are kept for 8 years and anything financial is retained for 7 years.
• Data will be securely destroyed once the retention period has expired.
• We will not share your personal information with anyone without your consent.
• If you are making a claim to pay for your treatment through a health insurer they will require us to share information. It will not be possible to process your claim without this but if you wish you can ask to see any information or reports before they are shared.
Is your information transferred outside the UK or EEA?
Wix (Wix.com, Ltd.)
Wix is a platform provided by Wix.com, Ltd. that allows the Owner to build, run and host Website. Wix is highly customizable and can host websites from simple blogs to complex e-commerce platforms.
Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilizes the Data collected to track and examine the use of this Website , to prepare reports on its activities and share them with other Google services.
Data collected: Cookies and Usage Data.
By voluntarily filling in the Contact Form with your data you are authorising this website to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header. Data collected : email address, name, country, date of last activity.
• We will not use your data for marketing ourselves unless we obtain specific consent from you first.
• We will not pass any of your information on to anyone for external marketing purposes.
Changes to this policy
We may update these policies to reflect changes to the website and customer feedback. Please regularly review these policies to be informed of how we are protecting your personal data.
Version: May 2018