Davies Chiropractic Care Ltd is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to protecting the privacy and security of your personal information.
This notice applies to current and former patients.
- Controller – any organisation that determines the purposes and means of processing personal data
- Processor – any person, agency or other body which processes personal data on behalf of the controller, not an employee.
- Data Breach – breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Includes breaches that are the result of both accidental and deliberate
- Processing – any operation which is performed on personal data:
By automated or non-automated means:
includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data – any information that allows an individual to be identified
- Directly or indirectly
- Applies to both automated personal data and manual filing systems
- Sensitive personal data. Special Categories, which include: Race, ethnic origin, political opinions, religion, genetic or biometric data, health data, sexual orientation
1.2 Principles of Data Protection
In relation to your personal data, we will comply with data protection law.
This says that the personal information we hold about you must be:
- Processed fairly, lawfully and in a clear, transparent way.
- Collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with those purposes.
- Only used in the way that we have told you about.
- Kept secure, accurate and up to date.
- Kept only as long as is necessary for the purposes we outline.
- Processed in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed.
1.3 Lawful Bases
We must have a valid lawful basis for processing data. There are six available lawful bases, and the lawful basis must be determined before processing begins:
- The data subject gives consent
- Processing is necessary to meet contractual obligations
- Processing is necessary to comply with legal obligations
- Processing is necessary to protect the data subject’s vital interests
- Processing is necessary on the basis of public interest
- Processing is necessary for legitimate interests
2. Data Controller Details
For the purposes of processing your personal data, we are the Data Controller.
We are Davies Chiropractic Care Ltd of 180a Heaton Moor Road, Stockport SK4 4DU
Telephone number 0161 879 7701
3. Data Protection Officer
As we record and use sensitive health data we take the protection of this data very seriously.
We have therefore appointed a Data Protection Officer, and this is your first point of contact for any matters regarding your personal data that we process.
They can be contacted at Davies Chiropractic Care Ltd, 180a Heaton Moor Road, Stockport SK4 4DU
Telephone number 0161 879 7701
4. Information We Collect
Personal data means any information capable of identifying an individual. It does not include anonymised data.
Any personal data we process is done under a lawful basis:
- Patient contact data: Contract
- Enquiries from new patients: Consent
- Health data is “special category” which we process as health care providers
We may process certain types of personal data about you as follows:
- Identity Data – including name, marital status, date of birth, gender, home & email address.
- Contact Data – your next of kin contact information and telephone numbers.
- Referral information – letters of referral to or from the clinic regarding your treatment.
- Transaction Data – details about payments you have made to us.
- Special categories of data – “special categories” of more sensitive personal data require a higher level of protection, such as information about a person’s health or sexual orientation.
Health Data – we collect information about your personal medical and health information, including past medical history and we store information concerning examination and treatment at your first and subsequent visits.
We will use your special category data:
- to ensure the care you receive at the clinic is appropriate to your condition.
- to determine reasonable adjustments that should be made for access to the clinic or to treatment.
We must process special categories of data in accordance with more stringent guidelines.
We will process special categories of data when the following applies:
- you have given explicit consent to the processing (on our new patient form)
- we must process the data, in order to carry out our legal obligations
- we must process data for reasons of substantial public interest
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld.
Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.
5. How We Collect Your Data
We collect data about you in a variety of ways. This will usually start when you make an enquiry to the clinic and continue when you attend your first and subsequent appointments.
You may provide data by filling in forms on our website (or otherwise) or by communicating with us by phone, email or otherwise, including when you:
- Become a patient;
- Request a quote for our services;
- Subscribe to our reminder service or newsletter publications;
- Give us feedback;
At Davies Chiropractic Care we keep paper and electronic records. Personal data is transferred from paper records to our electronic patient database system; the paper records are then shredded using a confidential waste shredding service.
- Information we write down on paper may be transferred to our electronic system;
- We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment;
- We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic.
6. Why We Process Your Data
The law on data protection allows us to process your data for certain reasons only; these are classified as legitimate interests.
Most commonly, we will use your personal information in the following circumstances:
- To carry out our contract with you (your requesting treatment and our agreement to provide it constitutes a contract) which will include confirming appointments, informing you of changes to appointments or clinic arrangements, changes to facilities or services at the clinic.
- To provide you with the best possible treatment by recording health and treatment information which would be in your best interest.
- To carry out legally required duties such as those required by government appointed
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
We may use your personal information in these rare situations:
- where we need to protect your or someone else’s interests
- where it is needed in the public interest or for official purposes
Situations in which we will use your personal information:
We need all the categories of information to primarily allow us to perform our contract of treatment with you and to enable us to comply with legal obligations.
If you do not provide your data to us:
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of care with us. If you do not provide us with the data needed to do this, we will be unable to perform that care to ensure your best interests are being maintained. We may also be prevented from continuing with your treatment with us due to our legal obligations.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision making
No decision will be made about you solely based on automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
7. Data Retention
In line with data protection principles, we only keep your data for as long as we need it, which will be at least for the duration of your being a patient with us. We are also legally required, by the Chiropractic regulator, to keep this data for eight years after your time as a patient has ended.
To determine any appropriate retention period for personal data beyond eight years, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you and use this data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current.
Please keep us informed if your personal information changes during your time as a patient with us.
8. Sharing your data
Your data will be shared with colleagues within the Clinic but only where it is necessary for them to undertake their duties. This includes, for example, other chiropractors working for, at or on behalf of the clinic, reception staff and the practice manager.
We may share your data with third parties to facilitate a referral to another healthcare practitioner, investigation or to keep your GP informed about your progress with treatment.
We may also share your data with third parties as part of a Clinic sale or restructure, or for other reasons to comply with a legal obligation upon us. We would always keep you informed of these situations.
Your data may be shared with the parties set out below:
- Care Response – outcomes monitoring & reporting software.
- Xero – accounting software.
- GEM – call answering service.
- Mailchimp – marketing software.
- Social Media – with your explicit consent, for marketing purposes.
- Automated technologies or interactions – as you use our website, we may automatically collect Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies.
We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law.
We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.
Consent to the release of your information to other appropriate professionals will be sought, prior to releasing your information.
The clinic may contact you from time to time, using contact information provided, to let you know about matters relating to the clinic. You may choose not to receive this information at any time by letting us know.
9. Transferring information outside the EU
Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.
We may share your data with bodies outside of the European Economic Area should the need arise. It is likely that this situation would be to share information regarding your treatment or ongoing care with healthcare practitioners in these countries in accordance with your wishes.
However, we would not transfer your data unless we were assured that the country in question had data security and protection laws of equivalence to those of the UK and the European Economic Area.
Some of our third-party service providers may be based outside the European Economic Area (EEA), so their processing of your personal data involves a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
- Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
- Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
10. Your Rights
As a data subject, the law on data protection gives you certain rights in relation to the data we hold on you. These are:
- The right of access – You have the right to access the data that we hold on you. To do so, you should make a Subject Access Request, details listed below.
- The right for any inaccuracies to be corrected – If any data that we hold about you is incomplete or inaccurate, you can request we correct it by contacting the Data Protection
- The right to be informed – This means that we must tell you how we use your data, and this is the purpose of this privacy notice. We also must inform you of any changes to how we use your data.
- The right to have information deleted – If you would like us to stop processing your data, you have the right to ask us to delete it from our systems if you believe there is no reason for us to continue processing it. Please contact the Data Protection Officer.
- The right to restrict the processing of the data – For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
- The right to portability – You may transfer the data that we hold on you for your own purposes. Please contact the Data Protection Officer.
Subject Access Requests
You may request a copy of your data at any time. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Please make such a request in writing to:
Data Protection Officer
Davies Chiropractic Care Ltd
180a Heaton Moor Road, Stockport SK4 4DU
Please provide the following information in your request:
- Your name
- Telephone number
- Email address
- Details of the information you require.
We will need to verify your identity, so we may ask for a copy of your passport, driving licence and/or recent utility bill.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
11. Data Security – Protecting your data
We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse.
We have implemented processes to guard against such events. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
Where we share your data with third parties, we provide written instructions to them to ensure that your data is held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay.
We will give you the contact details of the Data Protection Officer who is dealing with the breach, explain to you the nature of the breach and the steps we are taking to deal with it.
12. Should You Wish to Complain
If you have any questions about this Privacy Notice or how we handle your information, please contact the Clinic’s Data Protection Officer.
Data Protection Officer
Davies Chiropractic Care Ltd
180a Heaton Moor Road, Stockport SK4 4DU
You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO). You can contact the ICO via their website: www.ico.org.uk.
This policy will be reviewed every two years or following any changes to practice and legislation, whichever is soonest.