This policy covers the collection, processing and other use of personal data under the Data Protection Act (DPA) 2018 (GDPR compliance) that came into effect on 25th May 2018. By using our website you consent to this policy. We are registered with the Information Commissioner’s Office (ICO) for this purpose. Our reference: ZA055210.
Who we are
W6 Physiotherapy is a trading name of W6 Physiotherapy Limited.
Registered in England. Company No: 08656000
Registered Office: Nazareth House, 169-175 Hammersmith Road, London, W6 8DB
Telephone: 020 8748 9006
We take your privacy seriously. We are the data controller for your personal data, and any enquiry regarding the collection or processing of your data should be addressed to Jakub Bienczak via one of the following:
By post: W6 Physiotherapy Ltd, Nazareth House, 169-175 Hammersmith Road, London, W6 8DB
By email: firstname.lastname@example.org
By telephone: 020 8748 9006
What information we collect and why
Information collected by www.w6physiotherapy.co.uk, through an online booking or online enquiry form, over the phone or via email.
When you contact us by one of the above methods, we will collect personal data about you, e.g. title, name, surname, mobile number, email address, and your private health insurance details (if applicable). We will collect this information only if it is directly provided to us by you, and therefore with your consent. We will only collect the personal data you choose to provide to us.
We use analytical tools that monitor details of visits to our website such as website traffic, location data and other communication data.
When using the online booking form, you are sharing your information with us, but also with Findoc (www.findoc.co.uk) and you are subject to their privacy statement.
Information collected at the clinic prior to treatment
Privacy for healthcare treatment is assured under the common law Duty of Confidence. We collect your personal and health data. Processing of this personal data is necessary for the purposes of medical diagnosis and healthcare. We do not gather other sensitive data (e.g. genetic or biometric data, information about race or ethnic origin, political opinions, philosophical beliefs, sexual orientation or criminal convictions). As we provide direct healthcare, your consent is implicit for us to share information with others involved in your treatment.
- We collect your name, surname, occupation, sex, your age (date of birth), your address, your preferred contact details, information relating to your past medical history including any letters you may have from specialists, your GP’s details, details about your general health, what medication you may use and your activity level. We will also create a physical record of details from your physical examination in order to:
  - identify you
  - understand the nature of your disorder, formulate a diagnosis and establish a goal and plan of treatment.
The lawful basis for processing your personal data is of a vital interest necessary to protect life.
- We collect alternative contact details for you, and, if applicable, your health insurance policy number, authorisation code, how many sessions you are authorised for and, if you have an excess, the amount you need to pay. In some cases, upon your consent, we may store your card payment details on file using a secure payment method called Square UP. These details are used for:
  - communication purposes relating to appointments, payments, notifications relating to invoices settled by health insurers and sending you your exercise programmes.
The lawful basis for processing your personal data is your consent.
As stated in Article 9 of the GDPR, processing is necessary to protect the vital interests of the data subject or of another natural person, where one is physically or legally incapable of giving consent. We therefore collect either:
- Vulnerable adult’s information – details of the Power of Attorney (POA), if the service user is not able to give consent themselves.
- Children’s information – details of the parent or legal guardian, if the service user is under 16 years of age.
Use of your information
We keep your information secure in accordance with the DPA 2018 (GDPR compliance) and use it to respond to your enquiry. When attending your appointment you will have the option to give consent.
You are asked to provide us with informed consent for treatment, and once given we only provide treatment within the scope of that consent. As the treatment changes, we would again ask you for your informed consent.
How information is obtained
- Information from you may be obtained over the phone, via email, or via an online booking enquiry at the time of booking your initial consultation.
- Information may be obtained via the online booking service provided by www.findoc.co.uk.
- Information may be obtained by post or email when shared via another health professional such as your consultant, GP, or podiatrist.
- Information may be provided by you directly – verbally at the time of the initial consultation.
How your information is stored
- Information on our patients registered prior to 31 December 2017 is stored as paper copies within a locked cabinet in an office protected by a security keypad lock.
- Information on patients registered on or after 1 January 2018 is stored on Private Practice Software (PPS) by Rushcliff Ltd. This is a secure clinical and management software, which uses remote server hosts provided by the iomart Group. We have a Data Processing Agreement with PPS which fulfils the responsibilities and legal obligations under DPA 2018 (GDPR compliance) ensuring your privacy rights are protected.
How information is accessed
- Paper files are accessed directly by the office staff, who know the office access code and have access to the cabinet key.
- Electronic notes stored on PPS are accessed by authorised clinic staff and healthcare professionals working at the clinic. Access is protected by double passwords when using desktop PCs, and by a face-recognition system, personal login and password when accessed from the office Microsoft Surface Pro notebooks. The system can also be accessed via other devices and computers outside the clinic. Staff have an obligation to follow our policies regarding accessing electronic notes outside the clinic, and use a double password protected system.
How information flows out of the business
External health professionals/NHS
Information such as your name, surname, address, date of birth, mobile number and relevant musculoskeletal or general health information, is shared with other medical professionals with whom you may be seeking further treatment or are being referred to. This information is shared via post or encrypted email sent to a dedicated secretary/ referral source appointed by the individual health professional that receives your referral.
Your healthcare records will be shared with solicitors to handle medico-legal cases, if requested by yourself. Information is shared only upon receipt of a signed and dated ‘Authorisation to Release’ medical records form. Data is shared via a recorded/signed-for postal service for security purposes.
Case management companies
Upon your signed authorisation, specific health/MSK health records relating to an individual episode of care are shared with case management companies such as The Physiotherapy Network.
Upon completion of a provisionally-authorised course of treatments, we may share your data via encrypted email with your insurance provider in order to obtain further treatment authorisation.
Online billing and secure messaging services
We use the following services:
Information is shared with the above for billing purposes. Files are transferred and encrypted using a password-protected account.
Key Performance Indicators (KPIs)
If requested by Bupa, specific information that is obtained by processing existing service-user data may be shared with the Bupa insurance scheme. Information is shared to provide Bupa with statistical and performance data.
Statutory duty to disclose information
Upon justification to disclose confidential information by a local authority (for example, the Police, the Care Quality Commission, the Home Office), we have a statutory duty to disclose the required information. Acts of Parliament which require production of confidential information are: Prevention of Terrorism Act, Road Traffic Act, Public Health Act, Police and Criminal Evidence Act 1984, and Misuse of Drugs Act 1971.
We can move, copy or transfer your personal data from one IT environment to another in a safe and secure way, without compromising the data in any way.
Communication over the internet (i.e. email) is not always secure. We do our best and have measures in place to safeguard your personal information, but we cannot always guarantee the security of your data when electronically submitted or transmitted to us. This is at your own risk. We can assure you that when we do receive your information, we have measures in place to keep it safe and secure.
If a data breach is reported by a third party, an individual, or is discovered by our administration staff or clinicians, we will investigate and take the appropriate measures to resolve the issue immediately.
We have included third-party links on our website to provide you with further information or other services that may be of interest to you. However, we do not accept any responsibility for the content or materials provided by these third parties, as we have no control over them.
A cookie is a small file stored on your browser or the hard drive of your computer. We use website cookies to collect information about your computer for our services. This is statistical data about our visitors and your use of our website.
In accordance with the DPA 2018 (GDPR compliance), your rights are as follows:
You have the right to request a copy of your information.
If you would like to request your data from us, we require a written request. You can email or write to our Data Controller Jakub Bienczak (see our ‘Who we are’ clause) with details of the information you would like a copy of. In order for us to comply with this request, you will need to provide proof of identity. We may charge a fee of £10 for this service depending on the amount of information requested, and will respond within 30 days of your written request with the details we hold about you (unless there are exceptional circumstances, in which case we will inform you if a longer period is required). Verbal requests can be accepted where the individual is unable to request in writing.
You have the right to correct any mistakes in your information.
If you would like to request your data from us, we require a written request. You can email or write to our Data Controller Jakub Bienczak (see our ‘Who we are’ clause) letting us know what information about you is incorrect, and what you would like changed. In order for us to comply with this request, you will need to provide proof of identity. We do not charge for this service and will respond within 30 days of your written request (unless there are exceptional circumstances, in which case we will inform you if a longer period is required).
You have the right to ask us to stop contacting you with direct marketing.
Please do so in writing, by email or by post to our Data Controller Jakub Bienczak (see our ‘Who we are’ clause), and tell us what method of contact you are not happy with, and how you would like it changed. In order for us to comply with this request, you will need to provide proof of identity (see below). We do not charge for this service and will respond within 30 days of your written request (unless there are exceptional circumstances, in which case we will inform you if a longer period is required).
You may also opt-out from receiving our emails by clicking the unsubscribe link placed at the bottom of our emails. We will receive this request and will no longer contact you by email.
You have the right to have your personal data erased (‘the right to be forgotten’).
Please do so in writing, by email or by post to our Data Controller Jakub Bienczak (see our ‘Who we are’ clause). Let us know why you would like your details erased and why you are withdrawing your consent for our services. In order for us to comply with this request, you will need to provide proof of identity (see below). We do not charge for this service and will respond within 30 days of your written request (unless there are exceptional circumstances, in which case we will inform you if a longer period is required).
Please note, as we are healthcare providers, to comply with common law and other healthcare regulations, we may not be able to erase all of your data as requested from our records.
You have the right to restrict the processing of your data.
Please do so in writing, by email or by post to our Data Controller Jakub Bienczak (see our ‘Who we are’ clause). Let us know what personal information you would like us to restrict the processing of. In order for us to comply with this request, you will need to provide proof of identity (see below). We do not charge for this service and will respond within 30 days of your written request (unless there are exceptional circumstances, in which case we will inform you if a longer period is required).
You have the right to object to us processing your data at the point of first communication or at any other time.
Please do so in writing, by email or by post to our Data Controller Jakub Bienczak (see our ‘Who we are’ clause), and let us know what personal data you object to us processing. In order for us to comply with this request, you will need to provide proof of identity (see below). We do not charge for this service and will respond within 30 days of your written request (unless there are exceptional circumstances, in which case we will inform you if a longer period is required).
Proof of identity
To help us establish your identity, you must provide two pieces of identification: one that clearly shows your name and date of birth, and a second that shows your current address.
- We accept a photocopy or a scanned image of one of the following as proof of identity: passport or photo identification such as a driver’s licence, national identification number card, or birth or adoption certificate.
- We accept a photocopy or a scanned image of one of the following as proof of your address: a copy of a bank or credit card statement or utility bill showing your current address and dated within the last three months.
- If you have changed your name, please provide the relevant documents evidencing the change.
We may request additional information from you to help us confirm your identity and your right to access, and to provide you with the personal data we hold about you. We reserve the right to refuse to act on your request if we are unable to identify you.
Parental requests for information pertaining to their children
Parents will normally have responsibility for accessing the health records of their children. However, care must be taken to obtain the consent of the child where necessary (16- and 17-year-olds are seen as adults in relation to confidentiality, and their consent would be necessary). It is important to be aware that children under 16 years of age who have the capacity and understanding for decision making should also have their confidence respected. However, they should be encouraged to involve parents and guardians in their healthcare matters.
Denial or limitation of information
We may deny or limit the scope of information we provide to you if:
- The information released may cause serious harm to the physical or mental health, or condition, of the individual or any other person, or
- The disclosure would also reveal information relating to, or provided by, a third person who has not consented to that disclosure, unless:
  - the third party is a clinician who has compiled or contributed to the health records, or who has been involved in the care of the individual, or
  - the third party, who is not a clinician, gives their consent to the disclosure of that information.
Although we are not obliged to inform you why we have declined to provide you with your personal information, we will document this for our records.
Changes to this policy
If you wish to raise a complaint on how we have handled your data, you can contact us either by telephone (0208 748 9006) or by email (email@example.com or firstname.lastname@example.org) addressed to our Clinic Manager, Jakub Bienczak, who is responsible for data protection compliance. We will respond to your request within 30 days. The Clinic Manager will investigate the problem, and will arrange a formal meeting with you to try to resolve the complaint.
If the problem remains unresolved and you are unhappy with how we have dealt with your request, and believe we are not processing your personal data in accordance with the law (the DPA and the GDPR), you have the right to make a complaint to the Information Commissioner’s Office (ICO). You can also seek other independent legal advice.
Last updated: 25/05/2018