Data Protection Statement
25th May 2018
Your information and GDPR
Mid West Physiotherapy collects personal details and information relating to our patients’ health. Medical information is classed as sensitive data and termed special category data under the General Data Protection Regulation (GDPR), effective 25th May 2018.
This document advises you of our policies and procedures for dealing with your personal and medical information in our clinic. If you would like to find out our policies and procedures relating to our website, please visit our Website Privacy Policy and Cookies Policy.
Why is information collected?
The processing of personal and medical data is necessary so that we can deliver the best quality of physiotherapy care to you, the patient:
- Your date of birth is used as a unique identifier for your records.
- Your postal address allows us to post invoices, receipts and statements, or other requested information to you.
- Your email address allows us to send you confirmation of bookings, appointment reminders, invoices, receipts, statements, personalised exercise programmes or other requested information. You may also receive e-surveys following completion of your treatments, and/or e-newsletters, but only if you have subscribed to these.
- Your telephone number allows us to send text reminders of appointments and communicate with you outside of appointment times. You may also receive SMS/text news updates should you subscribe to same.
- Having next of kin contact details informs us of who to contact in the event of an emergency.
- We ask you whether you are a student or an OAP, as we offer a concession for same.
- We ask you for information regarding your current and past health so that a detailed and accurate physiotherapy assessment may take place and an appropriate physiotherapy plan put into action.
- We ask you for your occupation, as some occupational factors can contribute to musculoskeletal problems.
- We ask you to outline your hobbies, as some physical factors can contribute to musculoskeletal problems.
Who has access to your information?
All staff members at Mid West Physiotherapy have access to client records. All staff members at Mid West Physiotherapy are bound by GDPR legislation, the Irish Chartered Society of Physiotherapy (ICSP) code of conduct, and the standards of conduct, performance and ethics of CORU (Regulating Health & Social Care Professionals).
Your information will not be shared with any personnel outside Mid West Physiotherapy unless you have given consent, except when:
- Requested by law
- In your best interests and you are unable to give consent
- In the public interest to prevent serious harm to others
How is your information stored and protected?
Mid West Physiotherapy has implemented appropriate operational and technical measures to safeguard your personal information:
- We use a patient management system called Cliniko to record all patients’ personal and medical information. Cliniko is GDPR-compliant and has robust access and security measures to protect against unauthorised access, alteration, interception, disclosure, loss or destruction of any personal information.
- We use GDPR-compliant email and software packages, and our computers are fully up-to-date with password, firewall and antivirus protection so as to protect against unauthorised access, alteration, interception, disclosure, loss or destruction of any personal information.
- We use Xero, a GDPR-compliant accounts system for financial recording purposes.
- We use GDPR-compliant third party service providers to administer activities such as e-newsletters (Mailchimp) or e-surveys (SurveyMonkey). We will only share your name and email address with these third parties for those limited purposes, provided that you have given us your permission to do so.
- Old paper records (relating to patients who attended prior to the introduction of our electronic system) are stored in a staff-access-only room which is locked when not attended.
- All staff are trained on how to safeguard our patients’ personal information.
- In the unlikely event of a data breach, you will be notified immediately as will the Data Protection Commissioner.
Managing Your Information
Mid West Physiotherapy is committed to maintaining the accuracy and relevance of your personal data. To this effect:
- We will only ask for and keep information that is necessary.
- We will endeavour to keep your information as accurate and up to date as possible.
- We request that you keep us informed of any changes to your contact details.
- Please inform us of any relevant changes to your health which may impact upon your physiotherapy care (e.g. medical diagnosis, treatments, investigations etc).
Use of information for training, teaching and quality assurance
It is usual for physiotherapists to discuss patient case histories as part of their continuing clinical education or for the purpose of training physiotherapists or physiotherapy students. In these situations, the identity of the patient concerned will not be revealed.
In other situations, however, it may be beneficial for other physiotherapists within the practice to be aware of patients with particular conditions and in such cases this practice would only communicate the information necessary to provide the highest level of care to the patient.
Feedback is important to us so that we can continually improve our services; in order to gather feedback, we issue e-surveys to clients following completion of their treatment. You will only receive an e-survey from us if you have consented to receive same.
Occasionally we send out information via email to our client database regarding clinic news, events or other important information. You will only receive an e-newsletter from us if you have consented to receive same. You can easily opt out of direct marketing communications by clicking the unsubscribe email at the bottom of the correspondence, or by contacting the practice directly.
24-hour CCTV recording is in operation in the reception area only of our premises. Images are recorded for the purposes of crime prevention and public safety. Recordings are stored for 5 days. Per GDPR legislation, any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.
We use Google Analytics on our website to collect anonymised tracking data including the pages you have visited, the amount of time spent on each page, the website you have come from before visiting this website, your location (country and/or region) and other non-personal information. We do not collect any Personally Identifiable Information. If you would like to opt out of having your anonymous usage data tracked you may do so by clicking this button
Your right of access to your health information
You have the right of access to all the personal information held about you by Mid West Physiotherapy. If you wish to see your records, in most cases the quickest way is to discuss this with your physiotherapist who will review the information in the record with you. You can make a formal written access request to the practice and receive a copy of your medical records. These will be provided to you within 30 days, without cost.
Your right to amend the information held
Under GDPR legislation, all individuals have the right to have incorrect information that is held about them amended. If this were to arise within the notes held by Mid West Physiotherapy, the patient record would be “restricted”, i.e. not used until the issue is resolved. However, if Mid West Physiotherapy deems the information to be accurate then no amendment will be made.
Your right to restrict the information held
You have the right to have the information we hold restricted:
- If you contest the accuracy,
- If you need the information to establish, defend or exercise a legal claim,
- Or if you object to the information held.
In this instance all treatment will be stopped until the issue is resolved. You also have the right to object to Mid West Physiotherapy holding your personal information on grounds relating to your particular situation and, as with restriction, all treatments will stop and the notes will become restricted until the issue is resolved.
Data retention period
We hold onto a patient’s personal information and medical records for a period of 10 years after their last treatment, or at the date of death. In the case of minors, we hold personal data until the age of 18, and for 10 years thereafter.
In the event that you do not consent to this policy
We require consent from the patient for us to collect and store their personal and medical data, in accordance with this Data Protection Policy. In the event that you do not wish to consent to this policy, we regret that we will be unable to provide you with physiotherapy services.
We hope that this policy document has explained any data protection queries you may have. If you have any questions please don’t hesitate to ask us for clarification.