PLEASE NOTE: You will be charged if you cancel your appointment with less than 24 hours’ notice
In order to be GDPR compliant from the 25th May 2018 we have reviewed our data protection policy and formulated the following:
Contents:
Policy
Data Protection & Access
Basic Principles Of Client Confidentiality
Confidentiality In The Workplace
General Security Procedures
Data Processors
Data Protection Officers
Breaches Of The Confidentiality Policy
1. Policy
Functional Physio and Pilates has a clear policy on confidentiality & GDPR that is essential to protect the privacy of individuals – both clients & staff to ensure a high standard of practice at all times. This policy provides a guidance framework within which staff must exercise professional judgement where necessary in consultation with the clinic managers as appropriate. The company’s policy on confidentiality & GDPR will be explained to employees as part of their induction. The policy is also available to service users on request.
2. GDPR & Access to Records
Data protection means that those who decide how & why personal data is processed (known as data controllers) must comply with the rules of good information handling, known as the data protection principles. As employers we are the data controller- Functional Physio and Pilates. Those about whom data is processed (data subjects) – staff and clients are also provided with a number of rights which they may use to access certain information about them, as well as control the way in which it is processed in some cases. The main legislation governing GDPR is The Data Protection Act 1998(DPA), which came into force on the 1st March 2000. The DPA applies to all workers including employees and former job applicants.
There are 8 principles put in place by the DPA and subsequent amendments which specify that data must be:
The definition of data falling within the DPA is complex. It includes information:
Which Is Personal Data Relating To A Living Individual, And
Includes Any Expression Of Opinion About The Individual And/Or
Includes An Indication Of The Intentions Of The Data Controller Or Any Other Person In Respect Of The Individual.
The individual must be identified from the data.
The DPA applies to personal data in:
Computerised Format
Manual Format
Any Other Format As Long As The Data Is In A System That Allows The Information To Be Readily Accessible.
All files relating to service users and employees will be kept in locked filing cabinets or on a computerised filing system which is security protected. Access to these files will be limited to key members of staff who need the information contained within them in order to carry out their jobs.
Individuals may request copies of their file information (subject access request). All requests must be made in writing to Functional Physio and Pilates. These will be provided within one month from receiving the request unless extensive then an extension may be requested.
The address details and telephone numbers of employees and service users should never be given out to any third party who may contact the organisation. In situations where there is a request for address or telephone details a message should be taken and the individual concerned contacted.
Information relating to individuals employment with the organisation such as absence records and disciplinary information will be considered highly confidential and will be processed and stored in line with the DPA guidelines
On the termination of an employment relationship, Functional Physio and Pilates, will retain personnel records for as long as there is a real business need, e.g. to provide a reference or be able to defend any future claims.
Reporting directly to the UK parliament the information commissioner’s office is a UK independent supervisory authority which insures that organisations which process data does so in compliance with the DPA, Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and The Environmental Informational Regulations 2004. The website of The ICO is the most comprehensive source for guidance on GDPR and guidance can be found at: http://ico.org.uk
3. Basic Principles of Client Confidentiality
Information relating to service users must be treated with respect at all times.
Where written records are absolutely necessary, recordings must be accurate, concise, factual and clear. They must contain the minimum amount of information that is necessary for the purpose intended.
Client’s personal circumstances of any type are not to be relayed or discussed with anyone outside of Functional Physio and Pilates unless we are instructed otherwise by the client concerned. Consent should always be sought in situations where it is necessary to pass on information to enable service delivery to the individual concerned.
Information should only ever be passed on in cases where there is a legitimate need to know and only relevant and necessary information should be revealed e.g. reports to referrers or onward referrals to a tertiary service. However there are certain situations where information will need to be shared even if this is against the wishes of the service user.
This includes situations where:
A Clients Life Is At Risk
Other Individuals Life’s Are At Risk
It Is A Requirement Of A Court Order
It Is A Requirement Of Law
Where There Is A Child Protection/Vulnerable Adult Issue
There may also be occasions where there is a public interest justification for the disclosure of information including:
Public Accountability And Monitoring Purposes
Where There Is A Serious Risk To Public Health
The Prevention, Detection, Or Prosecution Of Serious Crime
Any requests for information from an external agency should always be discussed with the employer and fully documented.
4. Confidentiality in the workplace
Personal details of any employee must not be disclosed without their consent. All staff should ensure that documents:
Are Not Left Lying Unattended On Desks
Are Not Left Open And Visible On Computer Screens
Are Filed Away Securely After Use
Staff who are dealing with ongoing queries that contain confidential client information must ensure that no details, at any time, can be seen by members of the public, and all details are stored away appropriately at the end of the day.
All confidential records are to be stored in a locked filing cabinet in the clinic. The key will be held by the employer in a secure place.
All information that does not need to be stored will be shredded and disposed of appropriately.
Any loss of sensitive documents should be reported with immediate effect to the employer. If a data breach occurs, the ICO would be notified where feasible within 72 hours, unless the breach is unlikely to result in risk to individuals.
5. General Security Procedures
All employees should adhere to the following security measures at all times:
All Visitors To The Office Must Be Accompanied At All Times By A Member Of Staff If They Are Outside Of The Public Areas.
Computers Must Be Password Protected And Have Up To Date Anti-Virus And Firewalls
Emails Should Be Sent Securely
Social Media Should Have No Personal Identifiers
If A Testimonial Is Received Consent Must Be Gained To Utilise This For Advertising Purposes
Written Consent Must Be Obtained For Photographs Or Videos
Anything Sent By Post Will Be Sent By Royal Mail, First Or Second Class Delivery, Unless Specifically Requested By A Patient, To Be Sent By Recorded Post.
Complaints Received Will Be Dealt With Confidentially And Promptly By The Employer And A Record Stored In Patient Notes
6. Data Processors
A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. E.g. Power Diary, Microsoft Office, IT Consultants, Accountants, Joint note holders (private healthcare companies) GDPR will be met by their terms and conditions when they set up their services. If they breach data they will be liable to be investigated by The ICO.
7. Data Protection Officers (DPO)
Data protection officers are responsible for overseeing data protection strategies and implementations to ensure compliance with GDPR. As a small business it is not possible to employ a separate DPO therefore the appointed officer at Functional Physio and Pilates is Jo Pereira.
8. Breaches of GDPR and Confidentiality
Any suspected breaches of confidentiality will be taken seriously and investigated thoroughly in line with the disciplinary policy and procedure. If a breach is found to have taken place this may constitute gross misconduct and following a disciplinary hearing may result in dismissal. By adhering to the above policy we are minimising the risk of a data breach to the best of our abilities.
–
During the course of your treatment or Pilates class at Functional Physio and Pilates the clinic necessarily needs to hold some of your personal information. For example, we need to hold your contact details for appointment and/or class purposes and we also need to store your medical questionnaire or clinical notes on the premises as a basic requirement of our clinical professional standards. Assessment notes and medical questionnaires will likely contain confidential personal information such as your medical history and details of previous and current treatment episodes.
We would like to make it clear that Functional Physio and Pilates will never pass any of your contact details to a third party and under no circumstances pass on any of your clinical records unless you have given your expressed written consent in cases where medical reports are required as part of your treatment. If you have been referred to Functional Physio and Pilates by a medical practitioner, then a discharge letter may be sent on completion of treatment. You have every right to see these letters or any other records pertaining to your treatment if you officially request to do so via a ‘subject access request’. Functional Physio and Pilates will always be happy to assist you in any request in this regard with no detriment to your ongoing treatment. We can also confirm that your data will not be used for any automated profiling purposes.
You also have the right to have to have your personal data deleted on request and to withdraw treatment consent. However, we are required to retain notes pertaining to treatment episodes and any withdrawal of treatment consent would result in termination of your treatment episode.
Clinical notes no longer in use are securely archived after two years and securely destroyed after eight years. We are however required to retain records for a longer period when the patient is a child.
All our clinical records are stored securely on the premises and are unavailable to anyone except authorised clinicians. Personal contact details are used solely for appointment or class purposes.
If you have any concerns regarding how Functional Physio and Pilates handles your data you are entitled to complain directly to the Information Commissioners Office (ICO).
If you have any queries regarding how we store your data or any other issues regarding data protection at Functional Physio and Pilates, then please ask to speak to the registered data controller and clinic owner Jo Pereira
Thank You.
Joint Mobilisation
Manipulation
Soft tissue Release
Exercise prescription/Pilates
Modified Pilates
Shock Wave Therapy
Acupuncture
Ultrasound
Pulmonary Rehabilitation
Call: 0118 405 0089
Email: info@functionalphysio.co.uk
Functional Physio and Pilates
Sonning Common Health Centre
Wood Lane
Sonning Common
Reading, RG4 9SW