Privacy Policy

GDPR

We are aware of our obligations under the General Data Protection Regulation (GDPR) and are committed to protecting the privacy and security of your personal information. This privacy policy describes, in line with GDPR, how we collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how long we keep that information for and other relevant details about your data.

Who we are

We are Durham House Chiropractic Clinic of 30 East Street, Farnham, Surrey, GU9 7SW, telephone number 01252 725 669, email address farnham@durhamhousechiropractic.co.uk and 60 Reading Road South, Fleet, Hampshire, GU52 7SD, telephone number 01252 622 050, email address fleet@durhamhousechiropractic.co.uk. For the purposes of processing your personal data we are the Controller.

Data Protection Officer

As we record and use sensitive data, we take the protection of this data very seriously. We have therefore appointed a Data Protection Officer, Fiona Wilkes, who is your first point of contact for any matters regarding your personal data we process. She can be contacted via email at admin@durhamhousechiropractic.co.uk.

Types of information we hold about you

Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed.

We hold many types of data about you which may include: name, address, telephone numbers, email address, date of birth, gender, marital status, next of kin and their contact numbers, personal medical or health information (including past medical history), information concerning examination, diagnosis and treatment at your first and subsequent visits and letters of referral to or from the clinic regarding your treatment with us.

Our lawful basis of processing this data is one of contract and, for the health information, the provision of health-related services as a chiropractic and massage clinic. In addition, we will only examine or treat you with your explicit consent.

How we collect your data

We collect data about you in a variety of ways and this will usually start when you make an enquiry with the clinic and continue when you attend your first and subsequent appointments. Information we write down on paper may be transferred to our electronic system. We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us continue with your treatment. We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic. We do use third party systems to collect data. These include our Studio booking system MindBody. Your data is protected under their privacy policy which you can view here https://www.mindbodyonline.com/privacy-policy.

In addition, we may collect data using MailChimp which is the system we use for sending out our monthly newsletter. When submitting your data via this platform, you are protected under our privacy policy and not MailChimp’s. 

How we use your data

The law on data protection allows us to process your data for certain reasons only; these are classified as legitimate interests. Most commonly, we will use your personal information to carry out our contract with you (your requesting treatment and our agreement to provide it constitutes a contract) and to enable us to comply with legal obligations. These may include confirming appointments, informing you of changes to appointments or clinic arrangements or changes to facilities or services at the clinic; to provide you with the best possible treatment by recording health and treatment information which would be in your best interest; to carry out legally required duties such as those required by us and our governing body; where it is necessary for our legitimate interests and where your interests and fundamental rights do not override those interests. We may also use your personal information in the rare situation where we need to protect your or someone else’s interests or where it is needed in the public interest or for official purposes.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent in compliance with the above rules, where this is required or permitted by law.

How we store your data

We use third party vendors and hosting partners to store our data via cloud based technology. These third party service providers may have access to your personal information for the purpose of providing these services for us. We do not permit third party service providers to use the personal information we share with them for their marketing purposes. You retain all rights to your data.

In addition, we store name and email address data on MailChimp. Their privacy policy in relation to visitors can be read here https://mailchimp.com/legal/privacy.

Your personal information may be stored and processed in any country where we engage service providers. By using our services, you understand that information may be transferred to countries outside of the European Economic Area (EEA) which may have data protection rules that are different from those of the UK.

Sharing your personal data

Your data will be shared with colleagues within the clinic but only where it is necessary for them to undertake their duties. We may share your data with third parties to facilitate a referral to another healthcare practitioner, investigation or to keep your GP informed about your progress with treatment or as part of treatment that is covered by insurance. We may also share your data with third parties as part of a clinic sale or restructure or for other reasons to comply with a legal obligation upon us.

Data security

We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Where we share your data with third parties, we ensure that your data is held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data. Where third parties outside of the EU process your data, we ensure they are compliant with GDPR requirements.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as we need it, which will be at least for the duration of your being a patient with us and we are legally required, by the chiropractic regulator, to keep this data for at least eight years after your time as a patient has ended. To determine the appropriate retention period for personal data beyond eight years, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements. Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security. In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.

Your Rights in relation to your data

As we process your personal data, you have certain rights. These are a right of access, a right of rectification, a right of erasure and a right to restrict processing.

You may request a copy of your data at any time. Please make such a request in writing or by email to the Data Protection Officer, whose details are shown above. Please provide the following information: your name, address, telephone number, email address and details of the information you require. We will need to verify your identity so we may ask for a copy of your passport, driving licence and / or recent utility bill.

If you believe any of the personal data we hold on you is inaccurate or incomplete, please contact the clinic directly and any necessary corrections to your data will be made promptly.

If you believe we should erase your data, please contact the Data Protection Officer, whose details are shown above.

If you wish us to stop storing or using your data, please contact the Data Protection Officer, whose details are shown above. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so.

Data breaches

Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedom, we will contact you without delay. We will give you the contact details of the Data Protection Officer who is dealing with the breach, explain to you the nature of the breach and the steps we are taking to deal with it.

Should you wish to complain

You can contact the ICO via their website www.ico.org.uk should you wish to make a complaint about the way we are processing your personal data.

Automated decision making and profiling

We do not use any system which uses automated decision making or profiling in respect of your personal data.