Cambridge Neuro-Physiotherapy (hereafter CNP) takes its data protection obligations seriously and is committed to the highest professional standards. We only collect data that is relevant to your treatment and necessary for us to deliver the best possible service.
This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may share it with others.
We will ensure that all members of the team take the necessary steps to protect the personal data they hold against accidental loss or unauthorised access.
CNP is a neuro-physiotherapy company, providing expert specialist treatment to a wide range of individuals. The office is based at 64 Barrons Way, Comberton, Cambridge CB23 7DR. The office number is 01223 264992.
CNP has appointed Will Winterbotham as Data Protection Officer (DPO). Please contact Will at 64 Barrons Way, Comberton, Cambridge CB23 7DR or at firstname.lastname@example.org with any questions or requests about the personal information we process.
Collection of your personal information
In addition to your basic contact information (name, date of birth, telephone numbers and address), we will collect other relevant details including your current and past medical history, medication, your GP, the findings from our assessment, your treatment records and your goals for the future. We will also collect your payment details. We may also store associated, relevant information that we receive from other healthcare professionals, as part of your ongoing care.
We process the data because it is in our legitimate interests as expert clinicians to do so.
How we use this information
The information we collect is used to ensure that we provide you with the best and most appropriate treatment. We use your contact information to get in touch with you and to send you invoices. From time to time, we will need to liaise with other professionals involved with your care, such as your GP, hospital consultant, orthotist or other members of the multidisciplinary team. We will only do this with your consent and when it is necessary to your physiotherapy treatment.
We are committed to protecting your rights to privacy. They include:
- Right to be informed about what we do with your personal data
- Right to have a copy of all the personal information we process about you
- Right to rectification of any inaccurate data we process
- Right to be forgotten and your personal data destroyed
- Right to restrict the processing of your personal data
- Right to object to the processing we carry out based on our legitimate interest.
Storage, processing and retention of your information
Your electronic personal data is encrypted, with restricted access on secure cloud storage. Hard copy personal data is stored securely at the home of your therapist, with restricted access.
Your personal details, assessment notes and treatment records are held solely by the treating physiotherapist and are only accessed by them. No one else has access to these records. The responsibility for this documentation lies with the treating physiotherapist. Each treating physiotherapist is registered with the Information Commissioner’s Office (ICO) as a data controller and understands the importance of protecting your personal data against accidental loss or unauthorised access.
We retain your information for as long as reasonably necessary to provide our services and to maintain records that satisfy the legislation for medical records, accountancy and other legal requirements.
Personal data is retained for eight years, in compliance with our professional indemnity obligations. We are legally obliged to hold data on children until they reach the age of 21.
Administrative data is retained for up to six years as necessary, in the unlikely event that there are queries from HMRC. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible.
Personal data relating to associates who have left our company is also retained for up to six years as necessary.
How and when we share your personal information
We share personal data internally but strictly on a ‘need to know’ basis.
All emails are confidential, and all personal data is password protected.
Any data shared between Will Winterbotham and other members of the team will be encrypted and password protected.
The subject line of emails will not contain any patient identifiable data.
Where necessary we may disclose your information to healthcare professionals, as outlined above. We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers. If the business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.
Other personal data
We also process personal data pursuant to our legitimate interests in running our business such as:
- Invoices and receipts
- Accounts, VAT and tax returns
- Personal details, including bank details of our associates
- CVs of prospective candidates.
The rights of data subjects include the right of access to personal data by means of a subject access request.
You have a right under the Data Protection Act 1998 and GDPR guidance 2018 to request access to view or to obtain copies of the information we hold about you, and to have it amended should it be inaccurate.
In order to request this, you need to do the following:
- Your request must be made in writing
- There may be a charge to have a printed copy of the information held about you.
- You will need to give adequate information (for example full name, address, date of birth, and details of your request) so your identity can be verified and your records located.
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so that our records are accurate and up to date.
The DPO is responsible for responding to requests from data subjects and must do so within one month. The period may be extended by a further two months where that is necessary. In these circumstances the data subject must be informed within one month that more time is needed and given the reason why. On receipt of a request, the DPO conducts a search of the relevant files, email folders and inboxes as necessary.
If the DPO does not wish to accede to a request, they will seek legal advice.
You may choose how we send your communications, using any of the contact details we hold on our records; this may include your email, SMS, telephone and postal information. We will restrict our communications to clinically necessary messages and messages regarding your invoices. Your personal preferences can be changed at any time by contacting the DPO at the address above.
A ‘cookie’ is a small text file containing information that a website transfers to your computer’s hard disk for record-keeping purposes. A cookie cannot give us access to your computer or to your personal information. Most web browsers automatically accept cookies; consult your browser’s manual or online help if you want information on restricting or disabling the browser’s handling of cookies. If you disable cookies, you can still view the information on our website.
Information Commissioner’s Office
If you have any concerns about the way your personal information has been processed, please contact the DPO above. If you are still unhappy following a review by us, you can then complain to the Information Commissioner’s Office (ICO): www.ico.org.uk, telephone 0303 123 1113 (local rate) or 01625 545 7451.
When there is a personal data breach, CNP will report this immediately, truthfully and in full.
The DPO is responsible for handling data breaches and will evaluate what the breach is, how it occurred and the associated risk to data subjects.
If there is a risk to data subjects, the breach will be reported to the Information Commissioner’s Office within 72 hours. If the report is late, an explanation must be given as to why.
Where the risk to data subjects is high, the breach must be reported to them individually if at all possible.
The DPO will inform the ICO how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in future.
The initial report will contain a summary of the position. The DPO may wish to seek authority to obtain legal advice before submitting the initial and any subsequent reports.
A thorough investigation and corrective action will be undertaken so as to reduce the risks to data subjects arising out of any breach, and to make sure that something similar does not happen again in future.
Where a breach of a computer system is suspected, the DPO may engage external IT support to better understand the nature of the breach.
The theft of data, whether as a result of shortcomings in the physical security arrangements on the premises, or the hacking and penetration of computer systems, or theft by a member of staff, will be reported immediately to the police.
The breach, investigation and corrective actions must be documented and filed on the CNP data protection risk register.
All personal data breaches, however minor, and whether reportable or not will be recorded in the data protection risk register, held by the DPO.
This security policy is designed to ensure that CNP complies with the security requirements of the General Data Protection Regulation, and the rights to privacy of data subjects are protected.
In compliance with Article 32, CNP has implemented appropriate physical, organisational and technical measures to ensure a level of security appropriate to the risk.
- Hard copy material containing personal data is stored securely and locked in filing cabinets in physiotherapists’ offices at night.
- Electronic data is encrypted with restricted access.
- Documents that contain personal data, such as letters, timesheets or reports, that need to be shared between a member of the team and Will Winterbotham will be encrypted and password protected.
- Shredding of confidential information is carried out securely on site or outsourced pursuant to a GDPR compliant contract.
- Mobile equipment such as laptops are encrypted and locked away when not in use.
- Computers and other electronic equipment are disposed of in a safe manner.
- Anti-virus and anti-spyware tools are installed on physiotherapists’ computers and a full scan is performed weekly.
- All computers are password protected.
- Team members have access rights to personal data on a strict ‘need to know’ basis.
- Personal data and invoices shared by email are encrypted and password protected as appropriate.
Will Winterbotham is responsible for data protection and has sufficient resources to carry out his role effectively as data protection lead.