Why we collect your personal data and what we do with it:
When you supply your personal details to this clinic they are stored and processed for three reasons. (In bold are the relevant terms used in the Data Protection Act 2018, which includes the General Data Protection Regulation):
- We need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes a contract. You can refuse to provide the information, but without it we would be unable to provide treatment.
- We have a “Legitimate Interest” in collecting that information; without it we couldn’t do our job effectively and safely.
- It is important that we can contact you in order to confirm your appointments with us or to update you on matters related to your medical care. This constitutes “Legitimate Interest”; in this instance, your legitimate interest.
We have a legal obligation to retain your records for a minimum of 8 years after your most recent appointment (or age 25, if this is longer). After this period, you can ask us to delete your records. We voluntarily retain your records for 10 years to remove the necessity for a re-consultation within this timeframe.
Your records are stored on paper in locked filing cabinets and the building is always locked out of working hours. Some of your information is also stored on our office computers. These are password-protected, backed up regularly, and the building is locked out of working hours. Some of your data may be stored electronically (‘in the cloud’) using providers that have given us assurance that they are fully compliant with the General Data Protection Regulation. Access to this data is password-protected and the passwords are changed regularly.
We will NEVER share your data with anyone who does not need access without your written consent unless compelled to in order to meet legal obligations, regulations or valid governmental requests. Only the following people/agencies will have routine access to your data:
- Your practitioner(s) in order that they can provide you with treatment.
- Our answering service staff, because they organise our practitioners’ diaries, co-ordinate appointments and reminders (they do not have access to your medical history or sensitive personal information).
- Other administrative staff, such as our bookkeeper. Again, administrative staff will not have access to your medical notes, just your essential contact details.
From time to time, we may have to employ consultants to perform tasks which might give them access to your personal data (but not your medical notes). We will ensure that they are fully aware that they must treat that information as confidential and we will ensure that they sign a non-disclosure agreement.
You have the right to see or request a copy of what personal data of yours we hold and you can also ask us to correct any factual errors. Provided the legal minimum period has elapsed, you can also ask us to erase your records. When requesting access to your personal data, we may require formal proof of your identity (e.g. driving licence, passport and proof of address).
We want you to be completely confident that we are treating your personal data responsibly, and that we are doing our utmost to ensure that the only people who can access that data have a genuine need to do so.
If you feel that we are mishandling your personal data in any way, you have the right to complain. Complaints need to be sent to the “Data Controller” (Catherine Ashworth, The Ashworth Practice, Bromley Park Medical Centre, Daly Drive, Bromley, Kent. BR1 2FF. Tel: 0208 295 8466, email: firstname.lastname@example.org).
If you are not satisfied with our response, you have the right to raise the matter with the Information Commissioner’s Office.