On May 25th, 2018 the General Data Protection Regulation (GDPR, 2018) comes into effect. It changes some of the current laws and regulations that constitute the Data Protection Act (1998), and it affects every business and organisation across Europe that collects and stores personal data.
As a small company, Harborne Physiotherapy & Acupuncture clinic has a strict policy on data protection. In 2014 we began using a software package called TM2 (Blue Zinc) for our diary and appointments, and we also use it to store personal data. When a patient comes into the clinic we ask them to read and sign our consent form. It is important that you understand that we will look after your data and not share it with anyone. Furthermore, if you want to see how we handle the data and how we ensure it remains secure, you can ask to see our policy on data control.
The clinic owner and lead clinician, Gerard Greene, and lead admin, George Chinn, have gone through many years of data protection training. For the purposes of fulfilling our GDPR obligations both represent the clinic, with George being the official Data Officer. You can email us on firstname.lastname@example.org if you have any queries about how we manage and handle your data.
This amounts to all the information we hold about a person. This includes: name; date of birth; address; email; phone number; and GP. It also includes personal information concerning your health, information that you have volunteered to share during a consultation.
These are the clinical details about the injury or problem for which you have attended the clinic. They are highly sensitive and often contain personal and private information. Clinical staff are governed by the Data Protection Act, the competencies set out by the Health and Care Professions Council (HCPC) and the Chartered Society of Physiotherapy. They are not shared with anyone. Misuse or sharing without your consent will result in dismissal and reporting to the HCPC.
“permission for something to happen or agreement to do something” (Oxford)
The added importance of the consent form is that you give your approval for an assessment and treatment with the clinic. We need you to be informed about the process of assessment and treatment and to be clear about this process. For this we need your consent. Signing the document ensures we have your approval, even though you have already made the conscious decision to book and attend a consultation. In any case we treat your private information with absolute confidentiality.
Information Commissioner's Office
Health and Care Professions Council
TM2 is a secure database that is accessed via an encrypted server over the internet. Each practitioner has a unique username and password for accessing the database. The system logs out if the screen is left idle for 30 seconds, ensuring that no one else can access the computer. Fortunately, as a very small company there is little opportunity for a data breach. There is only ever one practitioner accessing the notes system at a clinic at any one time, and the computer is never left unattended. TM2 is backed up by 3 servers, so your data is safe from being lost and there is no chance the system can be accessed by a third party.
Medical and healthcare notes must be kept in a concise and intelligible way so that it is clear a clinician has collected sufficient information and that this information tells a story about an individual's problem. We must keep this information as evidence that we have treated you, as it forms an important part of your medical history. We are required by law to keep this for 7 years after you have visited the clinic if you are over 18 years of age at the time of the first consultation. If you are under 18 then we must keep the information for 25 years. Should you wish to reflect on your treatment some time afterwards, having accurate and available notes would support the parties involved.
Your personal information relating to address and date of birth is essential so that we can accurately identify a patient. We may have 2 or 3 patients on our system with the same name, and we may only be able to tell them apart by date of birth or address. These details are essential and must be included within your consent so that we can securely identify our patients. This information is kept as a minimum for the duration of the treatment.
Email is the standard way we communicate with patients, and we have had great success in developing a business that relies on email. If you wish to book an appointment online then we will require an email address. At our physiotherapy clinic we only use emails to provide details about your appointment booking. Emails also provide a reminder about a booking: these are sent at the time of booking and also automatically the day before your appointment. We may send you an email about your treatment and for communication relating to billing. Any sensitive information will only be passed to you via email if you approve. We do not send out marketing material via email. You do not have to give an email address; however, we find this is best for appointment reminders.
We will not share your email with anyone else.
Yes, we will make this information available for you at any time you wish. You will need to write to us or email us and consent to the release of the information. A small administration charge is made for this.
Insurance companies can also request to see the notes. However, we will only release them with your written consent.
Should you not wish this information to be kept after your treatment is complete, you must be aware that it is the policy of the physiotherapy clinic that notes are kept for 7 years in the clinic. The law requires that your notes be locked for the required duration.
To ensure we are maintaining security we perform an audit once a year to ensure all our processes are in keeping with GDPR.
We have prepared our checklist in accordance with the guidelines set out by the ICO (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/).
We take payments through Worldpay. This is chip and PIN and is one of the safest methods of taking a card payment. We are compliant with the PCI DSS (Payment Card Industry Data Security Standard). This is something that we check annually with Worldpay.
You can have all the information relating to data storage by requesting a call back from the clinic or by emailing email@example.com.
Audit Date: 21st April 2018
Article update: 21st April 2018