Appointment

Data Protection Policy

Ensuring the Privacy and Security of Personal Data

Introduction

At Bodyfunction Clinic we are committed to ensuring the privacy and security of all personal data entrusted to us. This Data Protection Policy outlines how we collect, store, process, and protect personal data, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By adhering to this policy, we aim to safeguard the rights and freedoms of our patients, employees, and other stakeholders.

Scope

This policy applies to all employees, contractors, and third parties who have access to or process personal data on behalf of Bodyfunction Clinic. It covers all personal data relating to patients, employees, suppliers, and other individuals associated with the clinic.

Key Principles

Bodyfunction Clinic is committed to following the seven principles of data protection as outlined in the UK GDPR:

  • Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation: Personal data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy: Personal data will be accurate and, where necessary, kept up to date.
  • Storage Limitation: Personal data will be kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the data is processed.
  • Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability: We will take responsibility for and demonstrate compliance with these principles.

Personal Data We Collect

Patients’ Data

We collect the following types of personal data from our patients to provide osteopathy and physiotherapy services:

  • Name, date of birth, and contact details (address, phone number, email).
  • Medical history, including past treatments, allergies, and current health conditions.
  • Session notes and treatment plans.
  • Billing and payment information.

Employees’ Data

For our staff, we collect personal data for employment purposes, including:

  • Name, contact details, and emergency contact information.
  • National Insurance number and tax information.
  • Employment history and professional qualifications.
  • Training records and performance reviews.

Suppliers and Third Parties

We may collect and store data from suppliers and contractors, such as:

  • Names and contact details of company representatives.
  • Bank account information for payments.

How We Use Personal Data

The personal data we collect is used for purposes including but not limited to:

  • Providing effective osteopathy and physiotherapy treatments.
  • Communicating with patients about appointments, treatments, and clinic updates.
  • Complying with legal obligations, such as maintaining medical records.
  • Processing payments and managing accounts.
  • Ensuring the safety and security of our clinic premises.
  • Managing employee records and payroll.

Data Storage and Security

We are committed to implementing robust measures to protect personal data from unauthorised access, loss, or damage. Our data storage and security practices include:

Physical Security

  • All paper records are stored in locked cabinets accessible only to authorised personnel.
  • Clinic premises are equipped with secure entry systems and surveillance cameras.

Digital Security

  • Patient records and other sensitive data are stored on encrypted servers with restricted access.
  • Staff are required to use strong, unique passwords and two-factor authentication for accessing systems.
  • Regular data backups are conducted and stored in secure, off-site locations.

Staff Training

All staff members receive training on data protection policies and procedures, including how to identify and report potential data breaches.

Sharing Personal Data

We may share personal data with third parties in the following scenarios:

  • With healthcare providers or specialists for referrals and collaborative treatment plans (with the patient’s consent).
  • With insurance companies for claims and billing purposes (where applicable).
  • With legal authorities if required by law, such as in cases of court orders or public interest.

We ensure that any third parties we work with are compliant with data protection regulations and have appropriate safeguards in place.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy. Retention periods include:

  • Medical records: Retained for eight years after the last treatment or until the patient turns 25 years old, whichever is later (in compliance with healthcare regulations).
  • Employee records: Retained for six years after employment ends.
  • Financial records: Retained for six years for auditing and tax purposes.

After the retention period expires, data is securely deleted or destroyed.

Data Subject Rights

Individuals have the following rights under data protection laws:

  • Right to Access: Request access to the personal data we hold about them.
  • Right to Rectification: Request corrections to inaccurate or incomplete data.
  • Right to Erasure: Request the deletion of their personal data in certain circumstances.
  • Right to Restrict Processing: Request limitations on data processing in specific cases.
  • Right to Data Portability: Request a copy of their data in a structured, commonly used format.
  • Right to Object: Object to the processing of their data for direct marketing or other legitimate interests.

Requests can be submitted in writing to our Data Protection Officer, and we will respond within one month.

Data Breaches

In the event of a data breach, we will:

  • Act swiftly to contain and mitigate the breach.
  • Notify affected individuals if the breach poses a high risk to their rights and freedoms.
  • Report the breach to the Information Commissioner’s Office (ICO) within 72 hours if it meets the threshold for reporting.

Policy Review

This Data Protection Policy will be reviewed annually or whenever there are significant changes in data protection laws or clinic operations. Updates will be communicated to all relevant stakeholders.

Contact Information

For any questions or concerns about this policy or how we handle personal data, please contact:

Data Protection Officer

Bodyfunction Clinic
10 Barnsbury Road
London
N1 0HB

hello@lightseagreen-chicken-404026.hostingersite.com

By adhering to this Data Protection Policy, Bodyfunction Clinic reaffirms its commitment to protecting the privacy and security of all personal data while delivering exceptional osteopathy and physiotherapy services.