GDPR: Connective Chiropractic are GDPR compliant
Connective Chiropractic are ready for the new GDPR legislation.
Connective Chiropractic are not exempt from the new GDPR data protection provisions that will replace the Data Protection Act. So, as you would expect, we have been working over the last few months to ensure your data continues to be safeguarded and protected at all times.
We are going to be honest, a lot of what we have been doing is not the most interesting to read or know about. However, we decided to write this little blog post to let you know about some of the key ways we are handling your data and some of the big changes.
We hope this GDPR notice/blog is easier to understand than our refreshed policies on Privacy and Digital marketing, even though the policies may contain a bit more insight. If you need any more information from this blog post, please contact us or check out the main policy.
Conforming to GDPR regulations forms part of our registration requirements to practice.
As an independent company we are our own data controller. We are registered with the ICO and take your data protection and security seriously.
TYPES OF DATA
Through a rather long-winded and lengthy audit process, we have identified a number of key types of data that we store. These include not just your name and contact details but also more specialist, sensitive data such as medical information. Whilst most of this data is processed in-house and kept secure, the new GDPR rules have enabled us to provide a plan of action in the unlikely event of data leaks. We are keen to ensure as little information as possible is shared with other parties, and this extends to data leaks from others having access to our data (including our email providers, booking systems, future staff and even figuring out how to make the data secure around the cleaners in our building!).
Sharing Your Personal Data
We only share your personal data with your explicit consent, where, for example, we need to contact a third party and give them your contact details in order to resolve a technical issue. Where third parties are used by us to store your personal data, we ensure they are compliant with data protection law.
A TIME FOR CLARITY
We’ve always been high up on our security and audit processes, but we’ve decided to tighten up even more. We’ve made some new data handling and privacy policies and you might also find that we double check your consent on a few things as we go forward.
This might be a bit of an administrative pain, for which we apologise, but from the end of May it will actually be illegal for us to contact you in certain ways without appropriate grounds to do so. You can expect us to ask you to sign consent forms when you next come in or double check your consent to receiving digital marketing, such as our newsletter.
GROUNDS FOR DATA PROCESSING
We have decided to use several of the legal bases available under the GDPR regulations in our clinic. These are set out in more detail in our data policies.
Record Cards and Consent
Our consent processes throughout your care remain unchanged, but we will now also be asking all new patients for signed consent to receive our newsletters (and marketing in general). We might also ask others to confirm or check their consent when they come in next so that we can be sure. Whilst we have sufficient evidence of consent for most of our contacts, we may ask you for further confirmation before or after May 25 2018.
We have decided to pilot a change in our record cards to make this easier to note, so don’t worry if you see different paperwork on your next visit. Whilst we will still ask for consent confirmation, we hold these records under a legal basis. We will use the contractual legal basis for storing business data and data associated with businesses or our workplace wellbeing workshops. We will review our records annually to ensure that we are only keeping necessary data; however, you are able to unsubscribe or opt out at any time.
Our record cards and all paper records relating to your treatment care and payments shall be held under the legal basis for 8 years after your last visit. After this point we will treat you as a new patient in our clinic and will need to retake an initial consultation visit at the appropriate fee. We reserve the right to hold your record card details for longer should it be considered that we have a legitimate interest to do so.
We consider our free text and email reminder service as part of our service to you, so the data for this will be held separately under the contractual legal basis. We of course, as always, are happy to opt you out of these if they are intrusive or annoying. Just let us know. We will also be using this basis to store contact details for all those who book in online, before they come to see us, and for prospective business contacts (e.g. made at events).
Data processing on the business-to-business side of our clinic services shall come under a contractual legal basis. We reserve the right to store or send marketing emails to businesses under this basis. This includes contacts made at networking events.
All data disposed of shall be either shredded or deleted at source.
EMAILS AND WEBFORMS CONTAINING DATA
As we do not send many emails with sensitive data, we have decided not to go down the route of encrypting our emails further. We realise that doing so for full security would increase our clinic costs significantly and would only be as reliable as the security of the recipient's encryption. We have, however, decided that from 25th May 2018 we will no longer be sending foot scan reports by email.
Using pre-consultation questionnaires
We have decided to now stop using our new patient online questionnaire for the time being. Whilst this has helped us to gain data before our initial consultations, it has not been essential to the running of our clinic. We have felt that it is one headache less in terms of GDPR to remove this function. It now means that we will ensure that all our information is gained at the point of initial consultation. Please do feel free to bring in notes with you if you are concerned that you might forget something!
Insurance policy changes
Because of issues with payments and also the security of data we decided to change our insurance policies. We are happy to accept patients claiming under their insurance policies and will provide receipts for patients to claim the cost of their sessions with us back. Some claims may be able to be sent through a secure system, so if in doubt please feel free to ask at your appointment. We will do as much as we can to help.
REQUESTS FOR INFORMATION
In line with new GDPR rules, there are changes to freedom of information requests. We will not be charging for the first copy of medical records sent on request (to the patient or insurers). Connective Chiropractic ask for formal, written requests for information and may check additional consents before complying. In line with the legislation, we reserve the right to charge for additional, vexatious or onerous copies of information.
As part of our GDPR planning, we have decided to sever/change contracts with some suppliers to make our processes simpler. We haven’t any staff right now (it’s all on James and Boney!) but when we do, we will be ensuring all our staff are adequately trained to ensure GDPR and data protection are maintained.
OUR REQUEST TO KEEP CONFIDENTIAL
If you need to talk to us about anything confidential or that may include identifiable data, please do not be offended if we ask you to step aside, talk about it at another time or to come into our clinic before doing so. This helps us to keep confidentiality and data secure as much as we possibly can.
We won’t request you to sign in at our reception and the reception team will not hold your details.
If you want to really bore yourself with finding more about our GDPR preparations, we have a folder in our clinic that goes through all the things we have considered and how we are processing it. We are happy to go through this with you if you are concerned or interested in what we are doing. We honestly wouldn’t recommend it, but it’s there if you have a great desire to see it or want to know more. Don’t forget our refreshed privacy and digital marketing policies too. Hurrah.
YOUR RIGHTS UNDER GDPR
Right to access
You may request a copy of your data at any time. Please make such a request in writing or by email. Please provide the following information: your name, address, telephone number, email address and details of the information you require.
Right to rectify
If you believe any of the personal data we hold on you is inaccurate or incomplete, please contact us directly and any necessary corrections to your data will be made without undue delay.
Right to erase data
If you believe we should erase your data, please contact us in writing.
Right to restrict processing
If you wish us to stop storing or using your data, please contact us in writing. Where you have provided explicit consent for us to use your data, you have a right to withdraw this consent at any time.
Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. We will explain the nature of the breach and the steps we are taking to deal with it.
Should You Wish to Complain
01256 213 765
Registered Company (10788728) in England & Wales, Registered Address: Arena Business Centre, Basing View, Basingstoke, RG21 4EB.
Site information updated 1st November 2017.