White Hart Clinic Privacy Policy
The European Union General Data Protection Regulation (GDPR), which was adopted by the European Union in 2016, will automatically come into force on 25th May 2018. The Government is introducing a UK Data Protection Bill (currently in draft) which incorporates and supplements the GDPR to create a UK data protection regime pre and post Brexit.
To comply with the law, staff who process personal information must ensure they follow the Data Protection Principles. The obligation to keep information confidential arises out of the common law duty of confidentiality, professional obligations and staff/third party contracts. All staff with access to confidential personal information must keep that information safe and secure.
Purpose and Scope
This document sets out the White Hart Clinic’s commitment to the confidentiality of personal information and its responsibilities with regard to the disclosure of such information.
It aims to ensure that all staff, whether directly employed or self-employed within the Clinic, are aware of their responsibilities towards the confidentiality of personal information.
Data Protection Principles
Personal data shall be:
- Fairly and lawfully processed
- Processed for specific purposes only
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Secure
- Not transferred to countries outside the EU without adequate protection.
The Act requires the White Hart Clinic to register as a Data Controller with the Office of the Information Commissioner, detailing the purposes for which personal information is used; use of data beyond that specified in the registration is unlawful. An annual fee is paid to the ICO to maintain notification on the register.
Disclosure of Personal Information
Whether personal information can be disclosed to others depends on a number of factors, including whether the patient/service user has consented to the information being shared, to whom the information is being disclosed and the reason for its disclosure.
Information Security
In order to ensure the confidentiality of personal information, systems and procedures are in place to control access to such information. Such controls are essential to ensure that only authorised persons have physical access to computer hardware and equipment and access to either electronic or paper records containing confidential information about individuals.
Cookie Policy
We use cookies on our website. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you have accepted them), enabling the site’s or service provider’s systems to recognise your browser and capture and remember certain information.
These cookies help save your preferences for future visits and compile aggregate data about site traffic and site interaction so that we can provide an excellent site experience and tools in the future.
Staff responsibilities
Staff members who process personal data about clients, staff, job applicants, or any other individual must comply with the requirements of this policy.
Staff members must ensure that:
- all personal data is kept securely;
- no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- personal data is kept in accordance with the Clinic’s record keeping retention policy;
- any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer (Practice Manager);
- any data protection breaches are swiftly brought to the attention of the Owner and/or Data Protection Officer;
- where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Officer.
Staff who are unsure about who the authorised third parties are to whom they can legitimately disclose personal data should seek advice from the Owner and/or Data Protection Officer.
Where a third-party Data Processor is used (i.e. Mindbody):
- the Data Processor must provide sufficient guarantees about its security measures to protect the processing of personal data;
- reasonable steps must be taken to ensure that such security measures are in place;
- a written contract establishing what personal data will be processed and for what purpose must be set out;
- a data processing agreement must be signed by both parties.
Self-employed Contractors (Therapists)
The Clinic is responsible for the use made of personal data by anyone working on its behalf. Such staff must be appropriately vetted for the data they will be processing. In addition, the Clinic must ensure that:
- any personal data collected or processed in the course of work undertaken for the Clinic is kept securely and confidentially;
- all personal data processed (e.g. notes) is held in the Clinic, including any copies that may have been made;
- the Clinic receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the Clinic;
- any personal data made available by the Clinic, or collected in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from the Clinic;
- all practical and reasonable steps are taken to ensure that self-employed contractors (Therapists) do not have access to any personal data beyond what is essential for the work to be carried out properly;
- Therapists familiarise themselves with the principles of GDPR before they start;
- Therapists ensure that the personal data they provide to the Clinic is accurate and up to date.
Subject Access Requests
The Clinic is required to permit individuals to access their own personal data held by the Clinic via a subject access request. Any individual wishing to exercise this right should do so in writing to the Data Protection Officer.
The Clinic aims to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within 14 days of receipt of the request.
Data Protection breaches
Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer.
The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
Contact
Queries regarding this policy or the Data Protection Act at large should be directed to the Owner/Data Protection Officer.