What is personal data?
Personal data is any private, professional, or public information, relating to an identified or identifiable individual, who can be identified directly or indirectly, by an identifier, e.g. name or I.D. number.
Who processes the data?
Within Our clinic, access to patient medical records is restricted to chiropractors and patient record administrators. A specialist cloud-based healthcare record platform, with whom We have a Data Processing Agreement (DPA), is the ‘Processor’ of the Personal Data of Patients [“Patient Data”]. Under the DPA, the Processor is contractually bound to process Patient Data only as per Our instructions, in a confidential and secure manner, and to demonstrate their compliance with these responsibilities.
What data is processed by TargetHealth?
The Patient Data We collect includes Identity Data and Contact Data, e.g. name, date of birth, and home address, email, telephone numbers, as well as ‘Special Category Data’ concerning health, e.g. medical and treatment records, test results, referral letters. We also collect Transaction Data regarding payments for services patients receive from us, although We do not collect Financial Data such as bank or full card payment details. We may also collect anonymous Demographic Data such as age, gender, post code, etc.
Patient Data is collected subject to the principles of data minimisation, accuracy, and storage limitation, i.e. the data is necessary, recorded accurately, kept no longer than required, and used only for the purposes declared below. It is important that the Patient Data processed by Us is accurate, so patients should keep Us informed of any changes to the personal data that We process.
What lawful basis permits data processing?
We process Patient Data on a lawful basis to enable fulfilment of Our contractual obligations to patients through the services We provide, including provision of accurate diagnosis, appropriate treatment, and care review; this processing meets the required conditions of explicit consent and healthcare purposes for processing Special Category Data. We also have a legitimate interest in contacting patients regarding management of their accounts and appointments. We are additionally subject to legal obligations from the chiropractic regulatory body, the General Chiropractic Council (GCC), regarding use and retention of Patient Data. Provided We have consent, We may occasionally send patients advice on health-related and clinic matters, although patients may withdraw consent at any time and so opt out of such communications.
How is data processed?
Data processing incorporates the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction of data.
Obtaining: We only obtain personal data directly from individuals, or their elected representatives, e.g. parent, legal guardian, health care or plan provider, solicitors, via Our clinic and/or website; personal data may be provided physically and/or electronically by patients, or obtained during their treatments. We do not obtain any personal data from any other outside/Third-party source.
Purpose: We only use personal data for the provision of patient services and management of patient records under the legal bases outlined above. We do NOT use any automated decision making, including profiling, to process personal data. We occasionally send informative health-related emails to patients who have provided specific consent relating to this, but such consent, or its withdrawal, has no impact on the provision of the patient services or care an individual receives. In the unlikely event that We need to process Patient Data for any purpose other than those outlined here, We would notify patients to explain the legal basis that permits Us to do so.
Storage: We store Patient Data electronically with Our data Processor, protected by appropriate security measures. Access to Patient Data is restricted to Us and, under Our instruction on occasions to resolve technical issues, Our data Processor. We reformat for electronic storage any Patient Data obtained via paper-based means, whilst Our historical paper-based records are archived in locked cabinets in alarm-protected premises.
Sharing: We do NOT share Patient Data with, or consensually grant access to Patient Data to, any Third-party, be it for commercial or non-commercial purposes, other than to comply with legal requirements, e.g. HMRC. Only with the patient's prior consent would any Patient Data be shared with other health or legal professionals, e.g. G.P., consultant, insurance provider, or solicitor. We do not process Patient Data for International Transfers outside of the European Economic Area [EEA].
Retention: We have a legal obligation to retain Patient Data in line with the chiropractic regulatory framework set out by the GCC code of practice. Patient Data is retained for 8 years from the last appointment and/or data entry, until the age of 25 if the patient was a child, or until the age of 26 if the patient was 17 at their last appointment, after which time the data will be securely destroyed. [Due to the backup processes in place, partial data may reside in archived backups for up to 180 days following data deletion.]
Personal data breaches
A personal data breach is any security incident that affects the confidentiality, integrity, or availability of personal data. This includes the accessing or disclosing of personal data by, or to, any party that does not have specific permission to access such data, and covers both accidental breaches and deliberate but unlawful ones. A personal data breach may also involve accidental or deliberate alteration, loss, or destruction of personal data. In the event of a breach of security involving personal data that is likely to result in risk to personal rights and freedoms, We would advise the appropriate supervisory authority, the Information Commissioner’s Office (ICO), within 72 hours of becoming aware of the breach. In cases where there is ‘high risk’ to personal rights and freedoms, i.e. greater impact or consequences, affected individuals would also be informed, so that mitigating action can be taken as appropriate. Such individuals would also be informed of whom to contact at TargetHealth for further information, the likely outcomes of the data breach, and what measures We have taken or would be taking to deal with and mitigate potential adverse outcomes.
Your personal data rights
- You have the right to be informed on how your data will be collected and used by Us.
- You have an ongoing right of access to your data by submitting to Us a ‘Subject Access Request’.
- You have the right to rectification of any inaccuracies in your data that We hold.
- You have the right to erasure of your data within one month of such a request, when that data is not directly related to provision of medical diagnosis or healthcare by a health professional, or when subject to a legal obligation regarding time-dependent retention.
- You have the right to restrict processing of your data whilst We investigate any claim of data being inaccurate or processed unlawfully, or an objection to your data being processed.
- You have the right to data portability regarding your data provided to us that We hold electronically and process under the basis of consent or contract, allowing you to obtain and retain an electronic copy and/or pass the data to another data Controller.
- You have the absolute right to object to your data being used for direct marketing, and for this to cease within one month of such a request being submitted.
- You have rights related to automated decision making including profiling, although We do not process your personal data in such ways.
There is usually no fee involved for individuals to enact any such rights, although We may charge a reasonable fee if a request is clearly unfounded, repetitive, or excessive, or We may refuse to comply with a request in these circumstances and will provide details of why We have done so.
Queries, requests, and concerns
For more details on personal data and your rights regarding it, We recommend you refer to the Guide to Data Protection by the ICO at their website www.ico.org.uk.
Target Health Chiropractic Clinic Limited is registered in England and Wales; Company number 8303572; Address:
121 South Norwood Hill, London, SE25 6DD, UK. Email: [email protected]. Tel.: +44 (0)20 87712070.