Sawbridgeworth Osteopathic Clinic
© Sawbridgeworth Osteopathic Clinic 2020
As from May 2018, all European businesses are required to adhere to more detailed and robust regulations with respect to data held and processed about their customers and clients. This includes: •Security of data storage •Security of data transfer •Consent to use data •Client’s right to see which data is held •Client’s right to request amendment or deletion of data •Client’s consent to receive communication As a medical practice, we are subject to stricter rules in some categories than other commercial organisations, particularly regarding data retention. We will outline these rules in the appropriate section of this guidance note.

Definitions under the new regulations:

Data Controller: Lauren Elder, Principal of Sawbridgeworth Osteopathic Clinic is the Data Controller Date Processor: Private Practice Software (The Rushcliff Organisation) is the Data Processor Legitimate Interests: As a small medical practice, we process data under the category of Legitimate Interests. Legal Obligation: We have additional legal obligations to maintain personal data over and above that defined under Legitimate Interests.

Personal Data- security of storage and transfer.

Personal data is defined as any information which might identify an individual whether in electronic or physical format. This might consist of contact details such as name, address, email addresses and telephone numbers. As a medical practice we are also registered and required to aquire and maintain some sensitve personal data such as age, current medical health, past medical history, marital status and domestic responsibilities, and where appropriate details of current and past mental and sexual health. Sawbridgeworth Osteopathic Clinic uses a proprietary patient management system called Private Practice Software (PPS), by The Rushcliff Partnership. This is a fully online, fully secure system which is managed entirely by The Rushcliff Partnership. They hold the responsibility for maintaining data security, data integrity and secure transmission protocols. All data is hosted on UK servers and data transmission uses secure encryption methods. PPS is fully GDPR compliant. We do not store any personal data on our physical premises. Case notes which are hand written during a consultation are transferred to the online server as soon as possible and the paper record is securely shredded using a confidential 'micro-confetti' shredder. Paper records such as letters and reports received direct from a patient or via the post are scanned and uploaded to the PPS server and then shredded once the upload has been verified. We accept payment using cash, cards and BACS payments. Card payments are made using an industry standard card processing machine. We do not accept 'cardholder not present' transactions and no card data is captured or stored. Payment slips are shredded once the payment has been reconciled from the card processing company. We maintain full compliance with the Payment Card Industry Data Security Standard which requires quarterly data security audits to be performed by an independent authority.

Consent to use data.

Data we hold on our patients is for our own use to provide appropriate care for patients. In addition to the rules on data protection, we are also bound by strict rules imposed by the General Osteopathic Council on how data is used. We never divulge any personal data to any other person or authority without the explicit consent of the patient, unless we are required to do so by a court order or appropriate warrant. Any registered osteopathic practitioner working in the practice in any capacity is bound by the same rules. To provide the best care, it may sometimes be necessary to seek information from other healthcare providers, or to send information to other healthcare providers should further investigations be required. Any such requests or referrals will always require the explicit consent of the patient and an appropriate note will be made in the case record. The data protection regulations do not apply to research data which is anonymised, and from which a data subject cannot be directly or indirectly identified. However, if you would prefer not to be included in such data, your request will be honoured.

Client’s right to see which data is held.

Any person who is a 'data subject' has a right to ensure that the data held is accurate. We will always honour any request from a patient to view their medical notes. We are happy to provide printed copies on request, and will endeavour to supply these within one week either in person or to a verified postal address.

Customers right to request amendment or deletion of data.

As a medical practice, we do our utmost to ensure the accuracy of our records, but there may occasionally be instances where some aspects of data held are out of date, inaccurate or incomplete. We routinely re-evaluate the health status of our patients, but should any inaccuracy be pointed out, we will amend the information as soon as possible. Such amendments will be implemented as an additional note in the patient record, as by law we are not permitted to amend past consultation notes. GDPR can confer the right of clients to be 'forgotten' or to have their data deleted. As a medical practice, we have a legal obligation to retain medical notes for a minimum period, so that right of deletion does not generally apply. We are legally bound to retain all medical notes  for a minimum of eight years after the last attendance. Our policy has always been to retain notes in perptuity, to assist in delivering the best patient care and maintaining a coherent clinical record. However, we will honour any request for deletion after the statutory eight year retention period.

Client’s consent to receive communications.

Under the new GDPR framework, communication with our patients requires their explicit consent for each form of communication. You will be given the opportunity to opt in to any or all of the following services: Appointment booking confirmations and reminders via SMS or email. Reminder notifications relating to missed appointments Information messages regarding local traffic delays or street closures on the day of your appointment. Consent to contact patients via any listed telephone such as home, work or mobile. We will consider answering machine messages requesting a callback to constitute consent to call the number provided. Correspondence via email. We will only send you emails if specifically requested. We will respond to incoming email requests without disclosing any personal details unless we have already verified your email address, and you have consented to its use. From time to time, to comply with clincial audit requirements, we may send SMS or email messages soliciting your opinion on aspects of our service. You are welcome to opt out of these messages should you prefer not to receive them Should you have any queries about any aspect of our GDPR policies, please contact us.

General Data Protection Regulation (GDPR 2018) Policy

Sawbridgeworth Osteopathic Clinic
© Sawbridgeworth Osteopaths 2020

General Data Protection Regulation

(GDPR 2018) Policy

As from May 2018, all European businesses are required to adhere to more detailed and robust regulations with respect to data held and processed about their customers and clients. This includes: •Security of data storage •Security of data transfer •Consent to use data •Client’s right to see which data is held •Client’s right to request amendment or deletion of data •Client’s consent to receive communication As a medical practice, we are subject to stricter rules in some categories than other commercial organisations, particularly regarding data retention. We will outline these rules in the appropriate section of this guidance note.

Definitions under the new regulations:

Data Controller: Lauren Elder, Principal of Sawbridgeworth Osteopathic Clinic is the Data Controller Date Processor: Private Practice Software (The Rushcliff Organisation) is the Data Processor Legitimate Interests: As a small medical practice, we process data under the category of Legitimate Interests. Legal Obligation: We have additional legal obligations to maintain personal data over and above that defined under Legitimate Interests.

Personal Data- security of storage

and transfer.

Personal data is defined as any information which might identify an individual whether in electronic or physical format. This might consist of contact details such as name, address, email addresses and telephone numbers. As a medical practice we are also registered and required to aquire and maintain some sensitve personal data such as age, current medical health, past medical history, marital status and domestic responsibilities, and where appropriate details of current and past mental and sexual health. Sawbridgeworth Osteopathic Clinic uses a proprietary patient management system called Private Practice Software (PPS), by The Rushcliff Partnership. This is a fully online, fully secure system which is managed entirely by The Rushcliff Partnership. They hold the responsibility for maintaining data security, data integrity and secure transmission protocols. All data is hosted on UK servers and data transmission uses secure encryption methods. PPS is fully GDPR compliant. We do not store any personal data on our physical premises. Case notes which are hand written during a consultation are transferred to the online server as soon as possible and the paper record is securely shredded using a confidential 'micro-confetti' shredder. Paper records such as letters and reports received direct from a patient or via the post are scanned and uploaded to the PPS server and then shredded once the upload has been verified. We accept payment using cash, cards and BACS payments. Card payments are made using an industry standard card processing machine. We do not accept 'cardholder not present' transactions and no card data is captured or stored. Payment slips are shredded once the payment has been reconciled from the card processing company. We maintain full compliance with the Payment Card Industry Data Security Standard which requires quarterly data security audits to be performed by an independent authority.

Consent to use data.

Data we hold on our patients is for our own use to provide appropriate care for patients. In addition to the rules on data protection, we are also bound by strict rules imposed by the General Osteopathic Council on how data is used. We never divulge any personal data to any other person or authority without the explicit consent of the patient, unless we are required to do so by a court order or appropriate warrant. Any registered osteopathic practitioner working in the practice in any capacity is bound by the same rules. To provide the best care, it may sometimes be necessary to seek information from other healthcare providers, or to send information to other healthcare providers should further investigations be required. Any such requests or referrals will always require the explicit consent of the patient and an appropriate note will be made in the case record. The data protection regulations do not apply to research data which is anonymised, and from which a data subject cannot be directly or indirectly identified. However, if you would prefer not to be included in such data, your request will be honoured.

Client’s right to see which data is

held.

Any person who is a 'data subject' has a right to ensure that the data held is accurate. As such we will always honour any request from a patient to view their medical notes. We are happy to provide printed copies on request, and will endeavour to supply these within one week either in person or to a verified postal address.

Client’s right to request amendment

or deletion of data

As a medical practice, we do our utmost to ensure the accuracy of our records, but there may occasionally be instances where some aspects of data held are out of date, inaccurate or incomplete. We routinely re-evaluate the health status of our patients, but should any inaccuracy be pointed out, we will amend the information as soon as possible. Such amendments will be implemented as an additional note in the patient record, as by law we are not permitted to amend past consultation notes. GDPR can confer the right of clients to be 'forgotten' or to have their data deleted. As a medical practice, we have a legal obligation to retain medical notes for a minimum period, so that right of deletion does not generally apply. We are legally bound to retain all medical notes  for a minimum of eight years after the last attendance. Our policy has always been to retain notes in perptuity, to assist in delivering the best patient care and maintaining a coherent clinical record. However, we will honour any request for deletion after the statutory eight year retention period.

Client’s consent to receive

communications.

Under the new GDPR framework, communication with our patients requires their explicit consent for each form of communication. You will be given the opportunity to opt in to any or all of the following services: Appointment booking confirmations and reminders via SMS or email. Reminder notifications relating to missed appointments Information messages regarding local traffic delays or street closures on the day of your appointment. Consent to contact patients via any listed telephone such as home, work or mobile. We will consider answering machine messages requesting a callback to constitute consent to call the number provided. Correspondence via email. We will only send you emails if specifically requested. We will respond to incoming email requests without disclosing any personal details unless we have already verified your email address, and you have consented to its use. From time to time, to comply with clincial audit requirements, we may send SMS or email messages soliciting your opinion on aspects of our service. You are welcome to opt out of these messages should you prefer not to receive them
Should you have any queries about any aspect of our GDPR policies, please contact us.