Privacy Policy

Keeping Your Records
So Healthy (Matlock Green & Kempston), is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to protecting the privacy and security of your personal information. This privacy notice describes, in line with GDPR, how we collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This notice applies to current and former patients.

Data controller details
So Healthy (Matlock Green & Kempston) is the data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows:
So Healthy (Matlock) So Healthy (Kempston)
The Atrium 160 Bedford Road
Matlock Green Kempston
Matlock Bedford
Derbyshire Bedfordshire
DE4 3BT MK42 8BH
Tel: 01629 888323 Tel: 01234 853444
hellomatlock@so-healthy.co.uk    hellobedford@so-healthy.co.uk
The responsible data controller within the practice is the Practice Manager.

Data protection principles
In relation to your personal data, we will comply with GDPR regulations which state that the personal information we hold about you must be:
1. Processed fairly, lawfully and transparently
2. Obtained for specified, explicit, legitimate, and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Kept no longer than necessary
6. Kept secure

Types of personal data do we hold about you?
In order to provide you with a high standard of chiropractic care, we need to hold personal information about you. This personal data comprises of:
your past and current medical condition; personal details such as your age, address, telephone number and your GP
information about the treatment that we have provided
conversations/incidents that might occur for which a record needs to be kept
records of consent to treatment
any correspondence relating to you from other health care professionals, for example your GP
Special categories of data
There are “special categories” of more sensitive personal data, which require a higher level of protection, such as information about a person’s health or sexual orientation.

Health
We will use your special category data:
to ensure the treatment you receive at the clinic is appropriate to your condition
to determine reasonable adjustments that should be made for access to the clinic or to treatment
We must process special categories of data in accordance with more stringent guidelines. We will process special categories of data when the following applies:
you have given explicit consent to the processing (on our consent form)
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences, where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.  However, to enable us to take you on as a patient, we are legally obliged to get and maintain accurate data as described above and hold it for a minimum of 8 years.

Why do we hold data about you?
We need to keep comprehensive and accurate personal data about our patients in order to provide them with safe and appropriate chiropractic care.

How we collect your data
We collect data about you in a variety of ways and this will usually start when you make an enquiry to the clinic and continue when you attend your first and subsequent appointments. At our clinics we keep paper files and electronic records.  Information written down on paper is transferred immediately to our electronic system.
We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us to continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic.
Personal data about you is held in the practice’s computer system.  The information is not accessible to the public and only authorised members of staff have access to it via password entry.  Our computer system has secure audit trails and we back up information routinely.

Change of purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Automated decision making
No decision will be made about you solely on the basis of automated decision making
Transferring information outside the EU
We do not share your data with bodies outside of the European Economic Area.

Data Security – Protecting your data
We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
The diary management system used in clinic is password protected. Access rights are given to individual members of staff based on the information they need to have access to. All computers are password protected. Paper files are securely locked away in filing cabinets, and the clinics all have alarm systems.
Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

Data Retention – How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your being a patient with us and up to a maximum of 10 years since your last appointment, as we are legally required, by the Chiropractic regulator, to keep this data for a minimum of eight years after your time as a patient has ended. To determine the appropriate retention period for personal data beyond eight years, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.
Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner than maintains data security.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.

Your rights in relation to your data
GDPR regulations on data protection give you certain rights in relation to the data we hold on you. These are
You have the right of access to the data that we hold about you and to receive a copy.  Access may be obtained by making a request in writing. We will provide a copy of the record within 28 days of receipt of the request and an explanation of your record should you require it.
the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you can require us to correct it.
the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice. We also must inform you of any changes to how we use your data.
the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.  However, we are by law obliged to keep your personal data for at least 8 years after your last appointment with us.
the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
the right to portability. You may request transfer the data that we hold on you for your own purposes.
If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the address above in writing or phone the number above and ask to speak to the Practice Manager.

Fees
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for a second or subsequent copy of information or if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent
Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so.
To withdraw consent, contact the responsible data controller.

Data breaches
Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. We will give you the contact details of our Responsible Data Protection Controller who is dealing with the breach to explain to you the nature of the breach and the steps we are taking to deal with it.

Making a complaint
If you have any questions about this Privacy Notice or how we handle your information, please contact the Practice Manager who is responsible data controller for both clinics. Contact details can be found above.
You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO). Contact details can be found on their website
https://ico.org.uk/

Policy date: May 2018