Osteopaths in Hinchley Wood, Wimbledon and Woking

GDPR Summary Action List

1) Register with the Information Commissioner's Office

All osteopaths collect personal data from patients and should therefore be registered with the Information Commissioner's Office: www.ico.org.uk. Whether you record information manually or electronically, you are still required to register.

2) Appointed Person

Accountability is central to the GDPR. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to patients and the regulator. Clinics must assign responsibility for data protection; this will be either the principal or the individual osteopaths.

3) Demonstrate Compliance – Data Protection Procedure

Under the GDPR one of the biggest changes is that data controllers must demonstrate compliance. This means you need to document your processing activities – you should:

  • justify the data you collect
  • explain what it is used for
  • describe how you store and process that data – where it is held, who has access, the security controls in place and how it is disposed of.

Every clinic should have data processing procedures, whether in electronic or paper format. They should state how you store the data, who has access to it, the security controls in place and when and how you dispose of the data. Records must be disposed of securely. If you are using clinic software you should check with your provider how you can securely delete records.

4) Opt-in for patients

You must have permission for the way you use your patients' data. They need to opt in to receiving direct marketing. This may include text message appointment reminders and marketing communications. Children under 16 years are not able to consent to communications, so you must have procedures for obtaining consent from a person with parental responsibility.

5) Periodic data checks

Keeping data up to date and accurate is an important responsibility for osteopaths. You should periodically check that addresses and medical information are up to date.

6) Amount of data

You need to review your case history form and make sure that all the data you collect is necessary – it should be adequate and relevant to helping you make informed clinical decisions. Consider whether any of the data is unnecessary and could not be justified.

7) Subject access requests

You need to provide copies of notes within 1 month of receiving a written request from a patient. You must not charge for releasing information. Make a record of when and how you responded to each subject access request.

8) Privacy information

You should make information available to patients about how you use their personal data and keep it secure. You may wish to write a separate notice, or issue your data protection procedure itself if it is short, clear and easy to understand.

9) Information security

You need clear procedures for the secure storage and destruction of patient records – both manual and electronic. You also need to consider what you would do if a data breach occurred in your clinic.

Back on track healthcare Clinic Data Protection Procedure

This is a starting template, but you will need to modify it significantly for your own practice. Please delete as appropriate and add or remove information for your own clinic policy. You may wish to share this document, or a modified version, to fulfil your duty to inform your patients how you process their data. Remember that you may also process data for employees; you will need to share your procedure with them and give them their data protection rights.

This is not just a form to complete: it is a policy that your practice must be following to comply with the law.

Appointed person with responsibility for data protection: Kieran Chhabra and Emily Chhabra
Registered with the Information Commissioner's Office: both are ICO registered

Clinic Data Protection Policy

Information Held
The following information is collected: patient name, address, date of birth, email address, phone numbers, GP details, past medical history, family medical history and the case history for treatment carried out at the clinic. All information is given by the patient or their carer, parent or legal guardian.

Data Collection
The information collected is sufficient for the purpose of making informed clinical decisions.
Contact details are collected verbally on the phone by reception staff or practitioners to book appointments. Medical information is collected verbally by osteopaths at a face-to-face appointment.
Patient contact details and appointments are held both on computer and on paper. Patient clinical records are kept in both paper and electronic form.

Data Storage
The information is stored via our clinic software package from Rushcliff Ltd, which uses an encrypted and password-protected cloud-based server.
In the event of the death of the holder of the patient records, arrangements are in place for patients to access their records.

Data Disposal (minimum 8 years, or until 25 years of age for children)
Records cannot be deleted before the statutory data retention period has passed – 8 years, or until 25 years of age for children.
Notes are audited and archived monthly. They are then securely stored at Rushcliff Ltd.
Paper notes and records are destroyed by shredding or incineration after 8 years, or once the patient reaches 25 years of age for children.
Electronic records can be deleted from the system after 8 years, or once the patient reaches 25 years of age for children.

Consent
Patient data is also used for appointment reminder text messages, a newsletter and clinic marketing, which patients opt in to with a tick box or verbally on their first visit. We check on a regular basis that patients still want to receive these communications.
We process your data using the lawful basis of consent for marketing, and fulfilment of contract and legitimate interest for processing your medical record and sending you health information and exercises relating to your condition. Your medical record is processed as Special Category Data under Article 9(2)(h) of the GDPR.
Parents must give consent for communication with children under 16 years.

Data Sharing
Information is only shared with other persons with the patient's permission. This would usually be with other health professionals. Otherwise, patient information is never passed on to other practitioners, persons or companies.
Data would be shared without consent only in extremely rare circumstances, such as a legal order or a serious safety risk.

Data Checks
Rushcliff Ltd continually perform checks throughout the year on our patients' data records to make sure they are accurate.
In addition, every year we check that all active patient data is correct.

Security
Access to paper records is restricted to practitioners and admin staff who have signed a confidentiality agreement.
All electronic data is password-protected and access to information can be restricted. Systems are kept updated, and antivirus security systems are in place and updated.
Passwords are changed regularly.
Data breaches will be detected by observing signs of unauthorised entry to storage areas, by monitoring communications, or by becoming aware of a security breach on the computer system (e.g. a virus, an unauthorised log-on or a change to permissions). Data breaches will be investigated and reported to the Information Commissioner's Office within 72 hours by the appointed person. Patients will be informed if we believe a data breach has occurred.
Patients may contact the Information Commissioner's Office if they believe a data breach has occurred. Information Commissioner's Office: 0303 123 1113

Subject Access Requests
All staff know that subject access requests must be responded to within a month and that no charge can be made.
Data is only released on receipt of a signed request from the patient, or in exceptional circumstances. Any data sharing is detailed in the patient record.

Patient Rights
Patients, and anyone else we hold data about, have rights under the GDPR. You can request to see your data at any time, move your data to another practice, correct any inaccuracies and prevent marketing. You may request that your details be deleted, but because of our legal obligation we cannot delete your health record; we can, however, remove you from our contact list.

Complaints
Patients or staff may raise any complaints about data processing with our Data Controller, who may be contacted at the clinic reception on 020 8545 0965.
You may also contact the Information Commissioner's Office directly on: 0303 123 1113

Name: K Chhabra & E Chhabra    Signature:
Position: Directors    Practice: Wimbledon / Woking / Hinchley Wood
Date: 27.4.18    Review Date: 27.4.19


Confidentiality Policy

Our patients have trusted us to provide their osteopathic care. As part of the practice team we all have a responsibility to maintain the trust of our patients. Our patients must be able to trust us with their information.
Confidentiality is a legal requirement of practices, but it is also of great value to us as a practice, and therefore we would like the whole practice team to agree to make the following commitments:
• patient records and information will be stored securely when not in use
• practitioners and reception staff will only view patient information they need to see
• practitioners and reception staff will not access records unnecessarily
• we will keep confidential who visits our practice, where they live, the date and times of their appointments and any other personal or medical details
• we will not disclose information to relatives or friends of patients without permission from the patient
• we will not discuss our patients or colleagues in a way that breaches confidentiality
Please note that it is a criminal offence to unlawfully obtain or access personal data. This applies to the access of patient data and has resulted in prosecutions in healthcare settings in the past.
If anyone asks you for patient information, either face to face or on the phone, please explain our confidentiality policy to them; hopefully that will increase their respect for our practice.
Please sign below to confirm that you have read and understood the confidentiality policy of the practice and that you agree to follow our requirements and continue to give our patients every reason to trust the practice.

Name: K Chhabra & E Chhabra    Signature:
Position: Directors    Practice: Wimbledon / Woking / Hinchley Wood
Date: 27.4.18    Review Date: 27.4.19


Processor Confidentiality Policy

Our practice has trusted you to provide a service to assist us in running the practice. As such, you may at times act as a data processor and have access to confidential patient or employee data. Our patients must be able to trust us with their information.
Please familiarise yourself with the clinic privacy policy. Confidentiality is a legal requirement of practices, but it is also of great value to us as a practice, and therefore we would like you to agree to make the following commitments:
• patient records and information will be stored securely when not in use
• you will only view patient information you need to see
• you will not access records unnecessarily
• you will keep confidential who visits our practice, where they live, the date and times of their appointments and any other personal or medical details
• you will not disclose information to relatives or friends of patients
• you will not discuss our patients or colleagues in a way that breaches confidentiality
Please note that it is a criminal offence to unlawfully obtain or access personal data. This applies to the access of patient data and has resulted in prosecutions in healthcare settings in the past.
If anyone asks you for patient information, either face to face or on the phone, please explain our confidentiality policy to them.
Please sign below to confirm that you have read and understood the confidentiality policy of the practice and that you agree to follow our requirements and continue to give our patients every reason to trust the practice.

Name: K Chhabra & E Chhabra    Signature:
Position: Directors    Practice: Wimbledon / Woking / Hinchley Wood
Date: 27.4.18    Review Date: 27.4.19
