PRIVACY POLICY

An overview to our Privacy Policy


What is a Privacy Policy and why do I need to read it?

To comply with the obligations of the General Data Protection Regulation (GDPR) from 25th May
2018 we must let you know how and when we collect, use, and share your personal information
and any details relating to the treatment you receive.

Our processes must be described in a clearly written document – our Privacy Policy – for all of
our patients to read, understand and agree to.

We take privacy seriously; your best interests are paramount to the service we provide.

What do I have to do once I’ve read it?

Please let us know if you have any questions about any aspect of the Privacy Policy. It is a legal
requirement for us to ensure you are fully aware of your rights and our reasons for collecting,
processing, accessing and storing your data. We understand this may be a lot of information to
take in and we do our very best to give any further clarity required.

If you fully understand and agree to the information in our Privacy Policy then we will ask for
your full and free consent to process your data.

As an individual you have the right to a genuine choice and control over how your data is
processed; however, we are legally obliged to hold certain patient information for clinical reasons.

You are fully entitled to refuse consent to the processing of your data. We will not be able to
engage in consultation, examination or treatment if you are not happy for us to process any
aspect of your personal data as explained in the Privacy Policy.

Privacy Policy

How we collect, process, access and store your personal data
In compliance with the General Data Protection Regulation (GDPR) 2018

1. Why we collect, use, and share personal information:

We must let you know the purpose and legal bases for why we collect, use, and share your information.

Your personal information falls under two GDPR data categories in a clinical setting: Personal Data (information that identifies you) and Special Category Personal Data (sensitive personal information such as your medical history and clinical records).

To ensure we legally comply with the requirements of our governing body, the Health Care Professional Council (HCPC), and the Society of Chiropodists and Podiatrists (SCP) Standards for Clinical Practice, we must process both your Personal Data and your Special Category Personal Data.

We are also required to retain information for purposes of UK tax law and need to hold sufficient records to fulfil any legal obligations – such as a legal claim or court order.

2. How we collect and record your personal information:

  • Your personal information is collected in the first instance with our Practice registration form and Medical history. This information is retained as a hard copy and stored within our secure filing systems. Your personal information is manually entered into our GDPR compliant encrypted software system. It is a medico-legal requirement to collect and record this information for your clinical records.
  • Your clinical notes are recorded during your clinical session in paper records. This information is not copied to create a digital record unless we need to share, with your consent, your information in a digital format. It is a medico-legal requirement to collect and record this information for your clinical records.
  • With your consent, photographs may be taken during your appointment then stored securely in an encrypted digital file. We use photographs to record presenting issues and document treatment progress.
  • Prescriptions for external laboratory use – a hard copy will be securely retained within your clinical notes. On occasion we may discuss information on your prescription with the laboratory via telephone or using email through our secure email client. It is a medico-legal requirement to record this information for your clinical records.
  • All inbound and outbound information and communications (such as referral letters) will be securely retained within your clinical notes or within our encrypted software system if sent or received electronically. It is a medico-legal requirement to record this information for your clinical records.
  • All email communications are securely managed through our password protected email client within our encrypted software system. We use email to contact and receive contact from our patients and third party suppliers.
  • Payments are recorded within your patient notes, within a password protected spreadsheet and in a separate ledger stored in our secure filing systems in conjunction with card receipt copies. In the event of taking a telephone payment; your card details are entered directly into the card machine and not written or stored elsewhere – we do not record calls. We must record this information for UK tax legislation.
  • Treatment trackers and laboratory trackers, in the form of password protected spreadsheets, are used to monitor progress and timescales. We record some aspects of your personal information to ensure we deliver an efficient service.

3. Information we collect through our website:

Your IP address is classified as online personal data. We use cookies on our website to collect information from our visitors. Cookies enable our website to remember you (by remembering your IP address) and help us to understand how you use our website.

By using our website you have the option to allow us to use cookies (to see your IP address) and the option to disable cookies (your IP address will not be visible to us). You will need to disable cookies each time you visit the website or adjust your browser settings if you do not want us to see your IP address.

We use Google Analytics to see information on how our website is being used such as demographic, general location and search terms. Google Analytics can see your IP address if you do not opt to disable the cookies on our website as mentioned above. Google is a data processor and as such we have accepted their data processing agreement to engage with their services.

We have an online contact form which enables you to send a direct message to our email address. This is an encrypted service which means that your information is only seen and received by us.

Your continued use of our Website signifies your continuing consent to be bound by this Privacy Policy.

4. How we use and share your personal information:

We may need to share relevant parts of your personal information with third parties as part of your care and treatment with us. We will only use this information when absolutely necessary and with your full and free consent to do so. We may need to disclose your personal information with the following third parties:

  • Medical professionals: with your consent we will share your information with medical professionals such as your GP, consultant or another health care professional to allow continuity of care.
  • Service providers: we engage certain trusted third parties to provide services to the clinic:
    – Laboratory (for functional foot orthoses): we will always request your consent prior to sending a prescription that holds your personal information.
    – IT support services: we do not actively share your information with them however in the event of a system problem or update they may need to access systems that hold your information.
    – Card payment services: your card payment data is transmitted from the card machine through an encrypted network and processed securely with our card payment processor.
    – Data destruction company: an accredited data destruction company will be used when data has reached the minimum record retention date.
  • Business transfer: If the business is sold or merged your information may be disclosed as part of that transaction – only to the extent permitted by law and with your consent.
  • Compliance with laws: We may need to collect, use, retain, and share your information under legal obligation to do so.

5. Marketing:

Sally Varney Clinic has not undertaken any marketing campaigns to date – digital, phone or post. We may decide to do this in the future and we will seek your explicit consent before doing so.

6. The length of time we keep your personal information:

Your personal information is retained to provide our clinic services as described in this Policy. We must keep your records to comply with legal and regulatory obligations. The retention requirement for podiatry records is a minimum of 8 years, after the last appointment. We must retain sales and transaction data for a minimum of 6 years in line with UK tax legislation.
When your data has passed the minimum record retention date the information will be removed from our systems – digital data will be permanently deleted and paper records will be consigned to an accredited data destruction company.

7. Transferring personal information outside of the European Economic Area (EEA):

Our digital data is stored on Office 365 which is a ‘Tenant’ within the EU and no data (without your express permission) would exit the EEA.

In the event of a patient moving outside of the EEA the clinical records can be sent at request from the patient or in conjunction with a legal requirement. We will gain express permission from the patient to disclose specific information and confirm how the data will be transmitted.

8. Your Rights:

You have a number of rights in relation to your personal information. While some of these rights apply generally, certain rights apply only in certain limited cases:

  • Access: you have the right to access and receive a copy of the personal information we hold about you by contacting us using the contact information below. We will provide this information within one month of receiving your request and verifying your identity.
  • Change, restrict, delete: you may also have rights to change, restrict our use of, or delete your personal information. Health records are exempt from change and deletion requests (prior to the minimum record retention date) unless a specific legal requirement obliges us to do so.
  • Object: You can object to (i) our processing of some of your information based on our legitimate interests and (ii) receiving marketing messages from us – even after providing your express consent to receive them. In such cases, we will delete your personal information unless we have legitimate grounds to continue using that information or if it is needed for legal reasons.
  • Complain: If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with the Information Commissioner’s Office. Please visit their website for further information: www.ico.org.uk

9. Confirmation that we do not have a Data Protection Officer:

We are not required to appoint a Data Protection Officer due to the small scale nature of the data processing we undertake. We will continually review our policies and procedures in line with the requirements of GDPR, the Health Care Professional Council (HCPC) and the Society of Chiropodists and Podiatrists Standards for Clinical Practice to ensure your data is processed appropriately.

10. How to Contact us:

For purposes of the GDPR, Sally Varney Clinic is the data controller of your personal information. If you have any questions or comments, or if you want to update, delete, or change any Personal Information we hold, or you have a concern about the way in which we have handled any privacy matter please do not hesitate to contact us:

Address: Sally Varney Clinic, 110 Redland Road, Bristol BS6 6QU
Contact email: reception@sallyvarneyclinic.co.uk
Contact number: 0117 907 11 13

11. Changes and review of this Privacy Policy:

This Privacy Policy will be reviewed regularly and may be changed from time to time. We will take all reasonable steps to notify you of any updates in relevant policy communications.
The most recent version of the Privacy Policy is reflected by the version date referenced in section 12 of our Privacy Policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by sending a revised version of this Privacy Policy by post or other notice on our Website. Please continue to review this Privacy Policy on a regular basis to stay informed of any changes that may affect you.

12. Privacy Policy version:

Our electronic and printed copies of this Privacy Policy are each deemed to be the true, complete, valid, authentic, and enforceable copies of the current version of this Privacy Policy in effect on each respective date you have visited the clinic or website.

The current version of this privacy policy is valid from July 2018.