The General Data Protection Regulation (GDPR), which became law on 25th May 2018 as part of the UK’s Data Protection Act 2018, is a European Parliament regulation which affects the way every organisation handles the personal data of EU residents.
One of the key aims is to strengthen your position with regard to the handling of data relating to yourself. This privacy notice is to explain what data we collect about you and why, how it is stored and who has access to it.
Who we are
We are The Well Centre (Warwickshire) Ltd - a private practice providing physiotherapy and Pilates.
Personal data - Pilates
We use your email address and/or phone number to contact you if we need to cancel a class that you are booked into, to inform you about rebooking deadlines and to tell you about news and developments within The Well Centre via a newsletter.
We use a third-party provider, MailChimp, to deliver our mass emails and newsletter. For more information, please see MailChimp’s privacy notice. You can unsubscribe from general mailings by clicking the unsubscribe link at the bottom of any of our emails sent by MailChimp or by emailing our data protection officer Simon Gregory on email@example.com. However, if you do unsubscribe from these, we will not be able to email you to tell you about issues such as classes for the following term.
Our emails come from either The Well Centre email account or via the SmartBookings system.
We only send emails to people who have given us their email address. If you have signed up for Pilates classes at The Well Centre, we believe you have given consent that we can tell you about the classes available to you – we think this constitutes what the GDPR calls “Legitimate Interest”. Even so, we try to keep communications to a minimum.
We don't rent or trade contact details with other organisations and businesses.
We ask you to fill in a health form before coming to a class to allow us to tailor exercises and advice and for your safety. Paper health forms are stored in a locked box in the studio so that the instructor of the class has access to them.
There is also an uploadable version which you may have filled in and this is stored on our registration website. This is accessible to any instructor who takes a class that you are booked into. (We are in the process of uploading paper health forms to the system as this will make it easier for the instructor to access any information.)
In most cases, we are required to keep health records for eight years from the date of last contact for adult records, and for children eight years after their 18th birthday or until 25 years of age.
Personal data - Physiotherapy
Physiotherapists are obliged by law to maintain records of your health and any treatment provided. Treatment notes are kept as paper copies which are stored in a lockable filing cabinet. Some personal data will be held in electronic form, such as emails. These are held in our password-protected mail system. During a phone conversation, some details are recorded in a paper diary which is the personal property of Angie Gregory/The Well Centre and is kept behind lockable doors.
Some personal data may be shared between The Well Centre and the treating physiotherapist by email to facilitate the arrangement of an initial appointment and, as professionals, to seek advice from each other to enhance treatment.
Room bookings are under the name of the therapist not the patient.
Reports may be shared with third party referrers such as insurance companies, your GP or your consultant. These are stored securely either in paper format with your notes or held electronically.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and/or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Information collected through our website
We do not collect any personal information from visitors to our website other than information that is knowingly or voluntarily given. Anonymous information may be collected, such as the number of visitors to the website in a given period, but this is purely statistical and cannot be used to identify an individual user.
Cookies are not used to collect any other information from visitors to the website. Visitors interested in requesting more information must provide contact details and the reason for their request. Visitors will not be contacted by us unless such information is given, and contact is specifically requested.
The rights of the individuals whose data we process (Data Subjects)
GDPR regulations allow individual ‘data subjects’ particular rights, the key ones being:
- Right to be informed – of how we fairly process your data
- Right to access – the data that is held on you
- Right to rectification – of any data felt to be inaccurate or incomplete
- Right to erasure – of your data (otherwise known as ‘right to be forgotten’)
- Right to restrict processing – to ‘block’ or prevent further processing of existing data
- Right to data portability – transferring data to another provider/data controller
- Right to object – to processing (including profiling), direct marketing, and certain types of research
- Right to question automated decision making (e.g. for the purpose of profiling)
We will accommodate your wishes in line with your rights under GDPR as long as doing so does not contravene any other relevant associated regulations. Email your request to our data protection officer Simon Gregory at firstname.lastname@example.org
We take appropriate measures to safeguard the information we hold from unauthorised access or improper use. Our data is stored in a secure, protected environment. Only users authorised by us have access to this data.
Integrity of Data
We take all reasonable measures to ensure that the information we hold is accurate. In particular, we use reliable collection methods and destroy, or convert to an anonymous form, any out-of-date data. Individuals may request details of all personal information held by us so as to contest inaccurate or incomplete data, verify the information and have it corrected as appropriate.
Complaints & Concerns
Alternatively, if you feel we have in any way handled your personal data unfairly or inappropriately, you can raise an issue with the Information Commissioner’s Office. Further details on GDPR and data protection laws can also be found at the ICO website.
This policy will be reviewed regularly and was last updated in May 2018.