This document refers to personal data, which is defined as information concerning any living person that is not already in the public domain. The General Data Protection Regulation (GDPR) contains rights that protect and enhance the rights of EU data subjects. These rights cover the safeguarding of personal data, protection against unlawful processing and the unrestricted movement of personal data within the EU.
Here at The Westway Clinic Ltd, we are committed to protecting your personal data and so outline below how we handle personal information and give you the tools you need to help manage the information we hold about you.
As a Clinic, with many different therapies and Practitioners, we need information about you, your lifestyle and your medical history to provide safe and effective treatment and to provide a high-quality service. Hopefully, by showing how we handle your data in a transparent way you can rest assured that you are ‘in safe hands’.
Your Personal Data:
What we need
The Westway Clinic Ltd will be what is known as the ‘Controller’ of the personal data you provide to us. We collect basic personal data (Name, Address, Date of Birth, Contact Details etc.) about you as well as details about your health and lifestyle in the form of Treatment Record Notes. Data capture may occur at the reception desk face to face, when you telephone/email in, when you book or enquire about our services online or through one of our agents or when you make a general web enquiry. Further information will also be captured when you see your practitioner during your initial and each subsequent appointment.
We ask you not to include any sensitive information in emails or web forms sent to us, as the email addresses used are accessed by several different staff members. If you need to discuss a personal matter, please ask us to call you back, and you can then be directed to a more secure method of communicating.
Why do we need it
We need to know your basic personal data to be able to deal with you regarding booked and past appointments in line with the overall contract of providing you with our services. We will not collect any personal data from you that we do not need to provide and oversee our provision of services to you.
Legal Basis – All data will be held and processed in-house using the lawful basis of ‘legitimate interest’ under the GDPR. Any treatment provided by our Osteopaths, Reflexologists, Homeopaths and Massage Therapists will be provided using either verbal or written consent gained during your consultation and a note of this will be kept in your treatment records. Our Podiatry service is managed by Footzone Ltd and they detail their own lawful basis for processing Treatment Notes in their Privacy Notice, which is available by contacting them directly. For all other therapies such as Counselling, whilst we will still process your personal data when managing your appointments etc., we do not handle Treatment Records and those Practitioners will have their own Privacy Notices regarding how they manage that particular data.
If we need to communicate about you outside of The Westway Clinic (such as to refer to another medical professional or to an insurance company for example) we will always seek your permission according to our external Communication Policy.
The data regarding your health, lifestyle and treatment form part of your treatment record and are needed for the safe and legal provision of healthcare services to you.
What we do with it
All the personal data we process is processed by our trained staff, our agents and practitioners either here in the Clinic or in our agent’s premises using fully updated computers and this data is protected by a firewall, security and encryption software. These details are also shared with the company that handles our hosted patient management software – that data is held securely on encrypted servers sited in the UK and no 3rd parties have access to your personal data unless the law allows them to do so.
Your treatment records are all held here in our alarmed building*, on paper notes, which are stored in cabinets under supervision and kept locked. *The premises are alarmed when unoccupied, such as when the Clinic itself is closed.
Many of the practitioners that work within our Clinic are separate from The Westway Clinic and in many instances, we act as the Data Processor for those businesses/individuals. A list of those businesses and practitioners is available on request by contacting our Data Protection Officer – details can be found at the end of this Privacy Notice.
We may use your contact details should we need to contact you about your appointments, or accounts or for general management of your relationship with us such as if a practitioner needs to call you about your treatment etc.
Additionally, we offer a text (SMS) or email reminder service for patients of our therapies (excluding Counselling). Our team will request a mobile number and email address to set this up when booking an appointment for the first time. However, should you prefer not to use this service, simply inform any member of the reception team or email us at email@example.com.
We don’t use it for marketing and external sites
We do not currently use your information for external marketing and all clients are allowed to opt out of marketing communications at any time by contacting us via email.
Sites that are linked to our website and those that link to our website are out of our control and the operators of those websites and organisations are responsible for their own data management and data security. If you have a question about how they handle your data, please use their help pages to identify the information you require.
How long do we keep it
Client information and treatment records for Osteopathy, Reflexology, Homeopathy and Massage are special category data and are important in case of future treatment or in medicolegal situations. Statutory guidelines dictate a minimum period of 8 years after the last consultation for adults and until the 25th birthday should you have been a child when you last attended for treatment – there may be different requirements based on Mental Capacity (which will be assessed on a per case basis). These statutory guidelines do not suggest a maximum retention period and so we may keep this type of data for an indefinite period.
Treatment records for other practitioners and therapies, including Footzone Ltd, are subject to their own Privacy and Retention policies; however, client information will remain on our database indefinitely as this is separate from Treatment Records.
For those under 16 years of age
We do not treat individuals under 16 years of age without a parent or guardian present and so that parent or guardian is free to act on behalf of the child for the purposes of this policy. Once that child reaches the age of 16, they are deemed an adult for the purposes of GDPR and so receive the same rights as anyone else.
What are your rights?
As a data subject, you have certain rights as follows:
- Right of access – you have the right to request a copy of the information that we hold about you
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete
- Right to be forgotten – in certain circumstances, you can ask for the data we hold about you to be erased from our records
- Right to restriction of processing – where certain conditions apply you have the right to restrict processing
- Right of portability – you have the right to have the data we hold about you transferred to another organisation
- Right to object – you have the right to object to certain types of processing such as direct marketing
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling
If we refuse your request under Right of Access, we will provide you with a reason as to why, which you have the right to legally challenge. At your request, we can confirm what information we hold about you and how it is processed.
Note: not all the rights listed above apply to how we process your data. For example, the right of portability only applies to data held under the lawful basis of consent and to electronically held information. It would therefore exclude your personal data held on our appointment systems, as these are held under the lawful basis of legitimate interest, and would exclude any paper-held treatment records.
Similarly, if you were to make a request under the Right to be Forgotten but it has been less than 8 years since your last consultation, it is likely your request will be automatically refused because we have a legal obligation to keep those records.
To access what personal data is held, identification will be required
We will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your photocard driving licence, passport, birth certificate and a utility bill not older than three months.
A minimum of one piece of photographic ID listed above and a supporting document is required. If we are dissatisfied with the quality, further information may be sought before personal data can be released. All requests should be made to firstname.lastname@example.org or by writing to us, addressed to Catherine Helps (DPO), 17 Hatchlands Road, Redhill, RH1 6AA.
If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter and respond within 30 days. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can approach the Information Commissioner’s Office (ICO) at www.ico.org.uk.
Our Data Protection Officer is available by using the contact details in the previous section.
General Contact Details:
The Westway Clinic Ltd
17 Hatchlands Road
01737 762990 / 01737 766659