What is personal data?
Personal data is any information, be it private, professional, or public, that can be used to directly or indirectly identify an individual.
Who processes the data?
Within Our clinic, access to patient medical records is restricted to chiropractors and patient record administrators. A specialist cloud-based healthcare record platform, with whom We have a Data Processing Agreement (DPA), is the ‘Processor’ of the Personal Data of Patients [“Patient Data”]. Under the DPA, the Processor is contractually bound to process Patient Data only as per Our instructions, in a confidential and secure manner, and to demonstrate their compliance with these responsibilities.
What data is processed by TargetHealth?
The Patient Data We collect includes identity and contact data, e.g. name, date of birth, and contact details, as well as ‘Special category data’, e.g. medical/health and treatment records, medical test results, and referral letters. Patient Data is collected subject to the principles of data minimisation, accuracy, and storage limitation, i.e. the data is necessary, recorded accurately, and kept no longer than required. We may also collect anonymous demographic data such as age, gender, post code, etc.
What lawful basis permits data processing?
We obtain and process Patient Data on the lawful basis of consent, to enable Us to fulfil Our contractual obligations to patients through the services We provide, including accurate diagnosis, appropriate treatment, and care review; this processing meets the required conditions for processing special category data. We also have a legitimate interest in contacting patients regarding appointments and/or occasional healthy living tips, etc., although patients may opt out of either type of communication. We are additionally subject to regulatory obligations from the chiropractic regulatory body, the General Chiropractic Council (GCC), regarding the use and retention of Patient Data.
How is data processed?
Data processing covers the obtaining, usage, storage, sharing, and/or retention of data.
Obtaining: We only obtain personal data directly from individuals, with their consent, via Our clinic and/or website; personal data may be provided physically and/or electronically by patients, or obtained during their treatments. We do not obtain any personal data from any outside/Third-party source.
Purpose: We only use personal data for the provision of patient services and management of patient records; We do NOT use any automated decision making, including profiling, to process personal data. We occasionally send informative health-related emails to patients who have provided specific consent for this.
Storage: We store Patient Data electronically with Our data Processor, protected by appropriate security measures. Access to Patient Data is restricted to Us and, on occasions when required to resolve technical issues and under Our instruction, Our data Processor. Any Patient Data obtained on paper is converted to electronic form for storage, whilst Our historical paper-based records are archived in locked cabinets in alarm-protected premises.
Sharing: We do NOT share Patient Data with, or grant access to it to, any Third-party, be it for commercial or non-commercial purposes, other than to comply with legal requirements. Patient Data would be shared with other health or legal professionals, e.g. G.P., consultant, insurance provider, or solicitor, only with the patient's prior consent.
Retention: We are required to retain Patient Data in line with the chiropractic regulatory framework set out by the GCC. Patient Data is retained for 8 years from the last appointment and/or data entry, until the age of 25 if the patient was a child, or until the age of 26 if the patient was 17 at their last appointment, after which time the data will be securely destroyed.
Personal data breaches
A personal data breach is the accessing or release of personal data by, or to, any party that does not have specific permission to access such data, and includes both accidental breaches and deliberate but unlawful ones. A personal data breach may also involve the accidental or deliberate alteration, loss, or destruction of personal data. In the event of a breach of security involving personal data that is likely to result in a risk to personal rights and freedoms, We would notify the appropriate supervisory authority, the Information Commissioner’s Office (ICO), within 72 hours of becoming aware of the breach. In cases where there is a ‘high risk’ to personal rights and freedoms, i.e. greater impact or consequences, affected individuals would also be informed, so that mitigating action can be taken as appropriate. Such individuals would also be told whom to contact at TargetHealth for further information, the likely outcomes of the data breach, and what measures We have taken or would take to deal with and mitigate potential adverse outcomes.
Your personal data rights
- You have the right to be informed on how your data will be collected and used by Us.
- You have an ongoing right of access to your data by submitting to Us a ‘Subject Access Request’.
- You have the right to rectification of any inaccuracies in your data that We hold.
- You have the right to erasure of your data within one month of such a request, except where that data is directly related to the provision of medical diagnosis or healthcare by a health professional, or is subject to a legal obligation regarding time-dependent retention.
- You have the right to restrict processing of your data whilst We investigate any claim of data being inaccurate or processed unlawfully.
- You have the right to data portability regarding your data that We hold electronically, allowing you to retain an electronic copy and/or pass the data to another data Controller.
- You have the absolute right to object to your data being used for direct marketing, and for this to cease within one month of such a request being submitted.
- You have rights related to automated decision making including profiling, although We do not process your personal data in such ways.
Queries, requests, and concerns
For more details on personal data and your rights regarding it, We recommend you refer to the Guide to Data Protection published by the ICO on its website, www.ico.org.uk.