Last amended 2nd May 2018
1 Personal Information
1.2 Cotswold Chiropractic Limited (we, us, our) is a registered data controller under the terms of the Data Protection Act 1998. Details of our notification to the data protection regulator may be found in the Information Commissioner’s Office Public Register of Data Controllers at ico.org.uk. Our registered office address is at Stoke Road, Bishops Cleeve, Cheltenham, Gloucestershire, GL52 8RP.
1.3 Our Data Protection Officer is: Nicola Matthews
2 General Information
- visit our website at www.cotswoldchiro.co.uk
- register as a patient or book an appointment online at https://online.tm2app.com/cotswoldchiropractic
- telephone or visit our reception in-person
- email our reception
- attend a clinical appointment
- complete and return online symptom and/or patient satisfaction forms via emailed links (https://www.care-response.com)
- write to us
and how we handle your information in respect of our agreement with you to provide information or advice that you request, to manage patient registrations and bookings that you request, to provide chiropractic clinical care that you request and related clinical management functions (together, our Services) to ensure that we protect your rights.
3 What information do we collect?
3.1 All website users
When you use our website, information collected may include:
- Information that you provide by filling in forms on our Site.
- This includes information provided at the time of registering to use our Site, subscribing to our service, posting material or requesting further services. We may also ask you for information when you enter a competition or promotion sponsored by us, and when you report a problem with our Site.
- If you contact us, we may keep a record of that correspondence.
- Details of transactions you carry out through our Site and of the fulfilment of your orders.
- Details of your visits to our Site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
3.2 Prospective patients or general enquiries about services
When you use the website and/or our Services we may ask you to provide certain information such as your name, date of birth and contact details (including your address, email address, and contact telephone number), along with information that you give us about the nature of your enquiry. Unfortunately, the transmission of information via the internet is not completely secure. Although we employ security measures designed to protect your personal data, we cannot guarantee the security of your data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
3.3 All Patients
When you first register as a patient with us, either online or by providing information to our reception staff or clinicians, your name, date of birth, contact details and details of any appointments made will be entered into the patient database and diary provided by our secure, hosted practice management system*. Information relating to further appointments will be collected on an ongoing basis within the system.
*Some non-chiropractor clinicians who practise on-site may not utilise our patient registration and bookings service. In this instance, your registration and booking-related data will not be collected and processed by Cotswold Chiropractic and the relevant clinician will be the Data Controller for any registration or booking information that they may collect from you themselves. Our receptionists will advise you of this, should you contact us to enquire, register or make a booking.
3.3.1 Chiropractic patients
When you consult one of our chiropractors, clinical information will be collected, including that relating to your symptom(s), our assessment of the condition(s) for which you are seeking care, general health and medical history, any treatment given, clinical advice or information given or discussed. Accounts, billing and payment information will also be collected.
3.3.2 Patients receiving non-chiropractic treatments
Cotswold Chiropractic does not collect, process or store any clinical information or accounts, billing or payment information for consultations with practitioners who work on-site, other than its chiropractors. Any non-chiropractor clinician that you see on-site may collect further personal, clinical or accounts, billing and payment data about you. They are the ‘Data Controller’ for any such information and as such are responsible for meeting requirements for the protection of that data.
3.3.3 Sensitive personal information**
Chiropractic patients: In order to provide you with chiropractic clinical services, information collected may include data relating to your physical or mental health, which the Data Protection Act 1998 (DPA 1998) and the General Data Protection Regulation (GDPR) regard as sensitive or special categories of personal data. We do not collect information for other sensitive or special categories of personal data. By providing data relating to your physical or mental health to us for the purposes of providing our Services, you will signify your explicit consent to such Sensitive Data being processed by us.
** Such as information relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation (Background Information) and/or information relating to any criminal convictions you have or offences you may have committed (Criminal Records Information), Background Information and Criminal Records Information, together, being Sensitive Data.
4 What do we use your information for?
4.1 You have the right to be told the legal basis and purposes for the processing of your personal data. We are relying on your explicit consent to the processing of your personal data (including any Sensitive Data, as defined above). This means that if you exercise your right to withdraw your consent (please see paragraph 8 below) we will no longer be able to process your data. Please note we may retain a copy of your data in accordance with our Data Protection Policy, if necessary to fulfil legal obligations (including those for financial reporting or health records retention***).
*** HMRC requirements (see https://www.gov.uk/running-a-limited-company/company-and-accounting-records) or The Data Protection Act (see https://ico.org.uk/for-the-public/health/)
4.2 We may use your information for the following purposes:
Fulfilment of a contract (or agreement) with you:
- Communicating with you about your patient registration or bookings, as necessary to enable these
- Communicating with you about your chiropractic clinical care, as necessary
- Providing chiropractic clinical care, at your request
- Monitoring your progress and/or the outcome of your chiropractic clinical care
- Communicating with 3rd parties about your chiropractic clinical care or account/billing information, at your request or with your explicit consent (including medical referrals, private medical insurance companies, sickness, disability or injury reports)
- To ensure that content from our Site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
- Monitoring our overall performance with respect to chiropractic patient clinical outcomes and satisfaction (you will not be capable of being identified from such statistical and demographic information. Data is pooled and anonymised for this purpose)
- Participation in data collection for research studies relating to chiropractic (you will not be capable of being identified from such statistical and demographic information. Data is pooled and anonymised for this purpose)
- Fulfilment of our health, safety and fire procedure obligations
- Processing and retaining of payment and accountancy records that fulfil the obligations of financial reporting for companies
- Processing and retaining chiropractic clinical records enabling fulfilment of obligations for the retention of medical records and requirements of the General Chiropractic Council (the statutory regulator of chiropractors)
- Communicating important clinic or service-related information to you that enables you to use our Services
- For such purposes as are reasonably necessary to comply with any other legal obligations to which we are subject in the performance of our Services
4.3 We do not process your personal data for the purpose of marketing or promotional activities, unless you specifically request that we do so or join any social media forum that we control.
4.4 We shall periodically check that the personal data we store for you is accurate. If you would like to update the personal data we hold about you, please contact us with your request using the contact details at paragraph 12, below or by logging-in to your patient registration account online and updating your personal details.
5 Who do we share your information with?
5.1 As part of using our Services, you consent to us sharing your personal information with the following parties:
- Our data hosting/support service providers who process and store data on our behalf;
- Our professional advisers, or other organisations, only for the purpose of fulfilling our legal obligations
5.2 We may also share your personal information with third parties:
- In the event that we, our business, or substantially all of its assets are acquired by a third party (in which case personal information about registered patients will be one of the transferred assets);
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; or
- If such disclosure is necessary in connection with any law
5.3 We do not share your personal data with third parties for the purpose of any marketing or promotional activities
6 Transfers of personal data outside of the United Kingdom and the EEA (European Economic Area)
6.1 We will only transfer your personal data outside of the United Kingdom or EEA if necessary to enable us to communicate with you in relation to our Services, or should we contract any data processing services from companies that are registered outside of these areas. By providing us with your personal information, you agree that we may transfer, store and process your information in this manner.
6.2 We shall ensure that any such transfers outside of the United Kingdom and the EEA are lawful and with an adequate level of protection and that your personal data is kept secure in accordance with the DPA 1998 (up to and including 24 May 2018) and the GDPR (from and including 25 May 2018).
7 How long do we store your personal data for?
We only store your personal information for as long as necessary for the purposes listed in paragraph 4.
8 What are your rights?
8.2 Access to your personal data: You may request access to a copy of your personal data by contacting us using the contact details in paragraph 11.
8.3 Right to withdraw: You may withdraw your consent to us processing your personal data at any time. Please contact us using the details located at paragraph 11 if you would like to withdraw your consent and we will delete your data in line with your right to erasure at paragraph 8.5 below. Please note that in the event that you wish to exercise your rights under this paragraph 8.3, we may be unable to process your data any further or continue to provide our Services to you.
8.4 Rectification: You may ask us to rectify inaccurate information held about you. If you would like to update the data we hold about you, please contact us using the details in paragraph 11 or by logging-in to your online booking account and updating your registration information accordingly.
8.5 Erasure: You may ask us to delete your personal data. If you would like us to delete the personal data we hold about you, please contact us using the contact details in paragraph 11 and specify why you would like us to delete your personal data. Please note that in some instances we may have a legal obligation not to delete some parts of your personal data (See paragraph 4.1, above). Please note also that in the event that you wish to exercise your rights under this paragraph 8.5, we may be unable to process your data any further or continue to provide our Services to you.
8.6 Portability: You may ask us to provide you with the personal information that we hold about you in a structured, commonly used form or ask for us to send such personal data to another data controller by contacting us using the contact details in paragraph 11.
8.8 Make a complaint: You may make a complaint about our data processing activities to a supervisory authority; for the UK this is the Information Commissioner’s Office, at ico.org.uk.
9 Security and Data Storage
9.1 We will treat all of your information in strict confidence and we will endeavour to take all reasonable steps to keep your personal data secure once it has been transferred to our systems. We adopt and ensure any third party suppliers providing services on our behalf adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, and data stored on the Websites and associated databases.
9.2 Please note that the internet is not a secure medium and we cannot guarantee the security of any data you disclose online. You accept the inherent security risks of providing information and dealing online over the internet and will not hold us liable for any breaches of your data protection rights attributable to the transmission of your personal data over the internet.