Under the new General Data Protection Regulation (GDPR) it is important that you are aware of your rights regarding how your data is handled and stored, and of your right to withdraw your consent to this. Your information is being collected for your physiotherapy care by clinicians at Wilson Physiotherapy Services Limited (contact details above).
What information is being collected and who is collecting your data?
Wilson Physiotherapy Services collects only data directly relating to your physiotherapy care. The information collected is in line with the good practice guidelines published by the Health and Care Professions Council (HCPC) and the Chartered Society of Physiotherapy (CSP).
How and why is my data being collected and what is the lawful basis for this?
Your data is collected by your physiotherapist, partly by telephone on your initial contact with the clinic and then during your assessment and treatment session. The information is collected so that we can assess and treat your presenting condition in line with the good practice guidelines set out by the HCPC and CSP. Wilson Physiotherapy Services Ltd has a lawful basis for processing this information: compliance with a legal obligation. Because the data contains information on a subject's health, it falls within the 'Special Categories of Personal Data', and in order to process it we have identified a condition under Article 9 which allows us to process the data in addition to the lawful basis. For healthcare clinics this is Article 9(2)(h): processing is necessary for the provision of health or social care.
How is my data stored and protected?
Your data is kept completely confidential. We are registered with the Information Commissioner's Office (ICO), which regulates data protection. We operate an electronic system on Private Practice Software (PPS) by Rushcliff for adult notes and for adult and children's contact details. Article 32 of GDPR addresses the technical requirements for data processing and states that the security measures used must be appropriate to the data being processed. PPS Hosted and PPS Express are all hosted by PPS Rushcliff and are held in up-to-date, secure UK data centres managed by Iomart, one of the UK's leading data providers. Their supplier is ISO 27001 certified and employs an array of methods to ensure data is kept safe, secure and accessible only by authorised personnel. If you would like more information about this, it is detailed in our GDPR policy and we would be happy to provide it. All other information, for example clinic letters, exercise programmes etc., is held on computers that are encrypted and password protected. All email accounts are secure and password protected, as are clinic mobile phones. All children's information is held on PPS and in paper notes, as paper notes make it easier to move around the clinic room during assessment and treatment. All paper front sheets and paper notes are kept in lockable filing cabinets in lockable rooms to which only treating clinicians have keys. We operate a clear desk policy, which means no patient-identifiable information is left on desks at the end of clinic. Only clinicians appropriate to your care have access to your information. Any admin/front desk personnel have restricted rights to the diary only and no access to clinical notes.
Who is my information shared with?
Your information is only shared with healthcare or educational (for children) professionals or insurance companies involved with your care, and only with your consent to do so. It is not used for marketing or any social media.
For adults, following your assessment, through your treatment and on discharge, a letter may be sent to your GP or Consultant (or both) if appropriate for your care, and your consent to do this will be asked for. If your insurance company requires a report following assessment, during or after treatment, you will usually have given consent to them already; if not, we will ask for your consent before any information is shared. If you have been in an accident, your solicitor may also request details of your physiotherapy care; again, you will usually have signed a form allowing us to release this to them, but we will still ask for your consent before doing so. For children under the age of 16 (as specified in the new GDPR), parental consent to share information will be sought. Following assessment, a report will be generated and sent to the healthcare professionals involved in the child's care with the consent of the parent. Any information sent to educational settings will go via the parents, not straight to the school. Some information is sent via email; as standard this will be sent encrypted via Egress, where the recipient is able to access this. Text messages regarding appointments will be sent directly to the patient/patient's parent (for children under the age of 16) and will not contain treatment details.
How long is my information held for?
In line with the Chartered Society of Physiotherapy (CSP) guidance on the standards for record keeping, set out in their Information Paper of April 2017 (which can be found at csp.org.uk), we hold information:
Can I access my information?
Within the new GDPR you have a right to your information under Subject Access Requests (SARs). These will be provided to the patient, and to other parties only with the patient's/patient's parents' consent and:
What would happen in the event of a data breach?
If there is a data breach, the clinician involved will inform the other lead clinician and consult the ICO's 'Managing a data breach' document, referenced on page 30/37 of the CSP guidance on the standards for record keeping (Chartered Society of Physiotherapy Information Paper, April 2017, which can be found at csp.org.uk). They recommend that, as the clinic is the data controller, we would:
How is my data disposed of when the appropriate date arrives?
Any paper data is shredded and disposed of in appropriate bins. Electronic data is deleted from the PPS system and any computer systems, including recycle bins and backups.
Do I have the right to withdraw my consent at any time?
Under the new GDPR your consent is not automatically assumed, and we will ask for your consent throughout your physiotherapy course. You have the right to withdraw your consent at any time. In line with our lawful basis for processing personal data, which is compliance with a legal obligation, we will still hold the information for the time limits detailed above.