The clinic is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely & transparently. This policy sets out, in line with GDPR, the types of data that we collect, store and process and how we use that data, how long we keep it for, plus other relevant information.
Six Principles of Data Processing
Personal data shall be:
- Processed in a lawful, fair and transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and necessary
- Kept accurate
- Only retained as long as necessary
- Processed in a secure manner
We must have a valid lawful basis for processing data, there are six available lawful bases and the lawful basis must be determined before processing begins:
- The data subject gives consent
- Processing is necessary to meet contractual obligations
- Processing is necessary to comply with legal obligations
- Processing is necessary to protect data subject’s vital interests
- Processing is necessary on basis of public interest
- Processing is necessary for legitimate interests
Data Controller Details
For the purposes of processing your personal data, we are the Data Controller.
Align Spinal Health Ltd
Room 11 Pure Offices
Cheadle Royal Business Park
Brooks Drive, Cheadle
Data Protection Officer
As we record and use sensitive health data we take the protection of this data very seriously.
We have therefore appointed our Practice Director as our Data Protection Officer; she is your first point of contact for any matters regarding your personal data that we process.
Telephone number: 0161 524 0555
Email address: firstname.lastname@example.org
Information We Collect
Personal data means any information capable of identifying an individual, it does not include anonymised data.
We may process certain types of personal data about you as follows:
- Identity Data – your first name, last name, marital status, title, date of birth and gender.
- Contact Data – your home address, email address and telephone numbers.
- Transaction Data – details about payments you have made to us.
- Sensitive Data – we collect information about your health and medical information.
How We Collect Your Data
We collect data about you when you complete a new patient forms or an enquiry form on our website, or when you communicate with us by phone, email or otherwise when you:
- Become a patient;
- Request a quote for our services;
- Subscribe to our reminder service or newsletter publications;
- Give us feedback.
Why We Process Your Data
- The law on data protection states that when processing your personal data, we must comply with one of the 6 lawful bases.
- Our lawful basis of processing your data is consent. You provide health information to us and we provide health-related services as a chiropractic clinic.
- We will only examine or treat you with your explicit consent and we review consent annually.
- We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
- If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing.
- We may process your personal data without your knowledge or consent where this is required or permitted by law.
Whilst you are receiving treatment from us, we will continue to store and use your personal data. Once you have been discharged, we are required to retain your personal data, for a minimum of 8 years. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
As a data subject, you have certain rights, these are:
- The right to be informed
- The right for any inaccuracies to be corrected
- The right to have information deleted
- The right to restrict the processing of the data
- The right to portability
- The right to object to the inclusion of any information
- The right to regulate any automated decision-making and profiling of personal data
- The right of access
Subject Access Requests
You may request a copy of your data at any time. We respond to all legitimate requests within one month, occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated
Please make such a request in writing or by email to the Data Protection Officer, details above.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. We will give you the contact details of the Data Protection Officer who is dealing with the breach, explain to you the nature of the breach and the steps we are taking to deal with it.
You can contact the ICO via their website: www.ico.org.uk should you wish to make a complaint about the way we are processing your personal data.