Hoxton Chiropractic – Patient Privacy Notice
This Patient Privacy Notice describes how we, Hoxton Chiropractic, collect and use personal data relating to our Patients (i.e. individuals who attend or who have previously attended Hoxton Chiropractic for health advice and treatment). It also covers our use of personal data relating to Prospective Patients (i.e. individuals who enquire about or express an interest in the services offered by Hoxton Chiropractic) with whom we may communicate (such as over our website or by email). We also refer in this notice to Patients and Prospective Patients as ‘you’.
We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other information that we might give you from time to time about how we collect and use your personal data.
Where our Patients are children, depending on the maturity of the child, the child should read this, or parents (or carers) should talk it through with their child, if appropriate.
This Privacy Notice has effect from March 2021 and supersedes any previous versions. We may update this Privacy Notice at any time.
Who is the controller?
Hoxton Chiropractic is the 'controller' for the purposes of data protection law (also referred to in this notice as 'we' or 'us'). This means that we are responsible for deciding how we hold and use personal data about you. We can be contacted at firstname.lastname@example.org.
What is personal data?
Personal data means any information relating to a living individual who can be identified (directly or indirectly), in particular by reference to an identifier (e.g. name, email address, physical features). Personal data can be factual (e.g. contact details or age), an opinion or assessment about an individual, or information that may otherwise impact that individual in a personal or business capacity.
Data protection law provides additional protection for personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation, criminal convictions or offences, biometrics (if used for identification purposes), or genetics. This is referred to as special category data. We refer to personal data that is not special category data as ordinary personal data.
What type of personal data do we hold about you?
We hold personal data about you in order to provide our services, including, for example: name, contact details, age / date of birth, your requirements for our services, related biographical and background information relevant to our services, records of the services we have provided, and associated payments.
This includes special category data relevant to our services, including: background medical information and health details from you, information about our assessments and treatments for you, and other information about your health which is collected or recorded by us in providing our services.
If you are a Prospective Patient, we may hold your name and contact details, and other information relating to your enquiry or our communications with you.
If you visit our premises, we may also collect images of you via our CCTV system.
Why do we hold your personal data and on what legal grounds?
We hold and use your personal data for the purposes of providing our services, responding to your enquiries, and for sending you related communications.
Both during and following the end of our relationship with you, we may retain your personal data in case it is needed to address enquiries from you, or to address any concerns or legal issues relating to our services or our business. See also ‘How long will we keep your personal data?’ below.
Data protection law requires us to have a legal ground for each use of personal data. Most commonly, we rely on the following legal grounds when we process your personal data.
· Where we need to process your data to perform the contract we have entered into with you for the provision of our services (performance of the contract). This would apply for most of our activities, for example, collecting background information about you (including health details), maintaining records of our assessments, treatment and services, managing payments from you, and communicating with you in relation to our services.
· Where we need it to comply with a legal obligation (legal obligation). This may include where law enforcement authorities require us to collect, use or share personal data, or where necessary to comply with other laws such as to confirm compliance with the expectations of our professional regulator.
· Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). This may include, for example, using your data to respond to any enquiries, use of our CCTV system, and retaining or using your data to exercise or defend any legal claims, or otherwise to protect our legal rights.
· Where we have obtained your specific consent. For example, we may request your consent to participate in our social media and marketing activities.
We are required to have an additional legal ground in order to use data relating to your health (because it is special category data). As healthcare professionals, the applicable legal ground is that our use of health data is necessary to provide our health care and treatment services.
We may also process special category data, e.g. concerning your race, ethnicity, gender identity, sexual orientation etc. for the purposes of equal opportunities monitoring.
In exceptional circumstances, we may also use personal data (including special category data) where needed to protect your vital interests or those of another person, to detect or prevent unlawful acts, to establish, exercise or defend legal claims, or where it is in the public interest in the area of public health.
How do we collect your personal data?
You provide us with most of the personal data about you that we hold and use. Other personal data about you is generated by us in the course of providing our services, for example records of our assessments and treatments, and information within internal communications or communications with you.
Some of the personal data about you that we hold and use may come from external sources. For example, if you have had previous treatment, we may, with your consent, request records from your previous healthcare provider.
If you give us someone else’s personal data
Sometimes, you might provide us with another person’s personal data – e.g. details of a chaperone, family member or next of kin. In such cases, please inform the individual what personal data of theirs you are giving to us. Please also give them our contact details and let them know that they can contact us if they have any queries about how we will use their personal data.
Who do we share your personal data with?
We may share relevant personal data with the following parties (and our legal grounds for doing so are described in brackets).
· Legal authorities or regulatory bodies, our legal and professional advisors or auditors, or other parties where we are required by law to do so (for compliance with a legal obligation, or otherwise in our legitimate interests to protect or enforce our rights, or to exercise, establish or defend legal claims).
· Prospective or actual purchasers of our organisation or our business (in the legitimate interests of the purchaser).
· Other parties with your consent (for example if you give your consent to share your records with another healthcare provider).
· Other parties where necessary to protect your rights and interests, or the rights or interests of another individual (in our legitimate interests, or for compliance with a legal obligation).
· Our service providers may also handle your data, such as providers of email, document management and accounting systems or online patient management systems. They act as processors on our behalf, meaning that we remain primarily responsible for how they use your data in line with the purposes and lawful bases identified in this Privacy Notice.
Consequences of not providing personal data
We only ask you to provide personal data when we have a good reason and there may therefore be consequences if you do not provide particular information to us.
Some of the personal data you provide to us, for example background information about you, is required in order for us to provide our services effectively and to perform our contract with you.
If you choose not to provide us with any personal data requested, we will tell you about the particular implications of any such decision at the relevant time.
How long will we keep your personal data?
We will not keep your personal data for longer than we need it for our legitimate purposes.
If you are a Patient, we generally keep records relating to our services to you for 7 years from the date of your last visit to us.
If you are a Prospective Patient, we generally keep records of our communications with you for a period of 12 months following our last communication with you. Note that you also have the right to withdraw any consent you have given, and to object to use of your data for direct marketing purposes (see ‘Your rights’ below), in which case we may delete your personal data sooner.
Our retention periods may be changed in appropriate circumstances, for example we may need to retain your details for longer if there is a dispute in relation to our services. You may contact us for additional information about retention periods.
Please note that personal data that is held on IT back-up data sets for disaster recovery purposes may be retained for a different period. This is because it may not be possible to apply retention periods to individual records without erasing the whole back-up data set.
Transferring personal data outside the UK
We do not ordinarily transfer your personal data outside the UK.
Your rights
You have a number of legal rights relating to your personal data, as follows.
· The right to withdraw any consent you have given in relation to the use of your personal data.
· The right to make a subject access request. This enables you to receive certain information about how we use your personal data, as well as to receive a copy of it.
· The right to request that we correct incomplete or inaccurate personal data that we hold about you.
· The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it, or where you have withdrawn any consent relating to that processing. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
· The right to object to our processing your personal data where: (a) we use it for direct marketing purposes; or (b) we are relying on our legitimate interest (or those of a third party) as our legal ground. In the case of (b), note that we may continue the processing if we can show a compelling reason to do so.
· The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
If you would like to exercise any of the above rights, please contact email@example.com. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact firstname.lastname@example.org.