Privacy Policy

As we record and use sensitive health data, we take the protection of this data very seriously.

8.1 Who We Are. We are The Oxford Body Whisperer, email address info@theoxfordbodywhisperer.co.uk. For the purposes of processing your personal data, we are the controller.

8.2 Data controller – Nikki Carrol is your first point of contact for any matters regarding the personal data we process about you. Contact: info@theoxfordbodywhisperer.co.uk

8.3 Personal data we process and what we do with it.

The following information is collected: Client name; address; date of birth; email address; phone numbers; GP details; health information including medical history, diagnosis and treatment data. Our lawful basis for processing this data is contract and, for the health information, the provision of health-related services. In addition, we will only examine or treat you with your explicit consent. All client records are electronic.

8.4 How we collect the information

All information is given by the Client, their carer, parent or legal guardian.

Data and medical information are collected verbally over the phone by practitioners to book appointments, take contact details and prepare for appointments where appropriate.

Medical information is collected verbally by practitioners at a face-to-face appointment.

8.5 Data storage and disposal

8.5.1 We use several software packages at the clinic to provide Clients with the best service. Third-party software providers are listed below.

Cliniko is the main provider for both appointment bookings and treatment note-taking, and they are GDPR compliant.

Rehab My Patient is the main provider for prescribed exercises and treatment note-taking, and they are GDPR compliant.

8.5.2 Data may be shared with NHS Trace and Test, if required, to minimise the spread of Covid-19.

8.5.3 Paper registration forms are stored securely at the TOBW clinic and are destroyed after 4 years, as electronic copies are stored.

8.5.4 Whilst you are receiving treatment from the clinic we will continue to store and use your personal data. Once you have been discharged, statutory requirements for data retention are a minimum of 8 years for adults and 25 years for children.

8.5.5 Consent

8.5.6 Client data is also used for both operational and company marketing purposes. Operational communication includes but is not limited to appointment reminder emails or text messages, invoices and feedback requests.

8.5.7 We send marketing, including but not limited to newsletters, offers and discounts, which Clients opt in to via a tick box on their first visit.

8.5.8 We regularly check that Clients still want to receive communications.

8.5.9 We process your data on the lawful basis of consent for marketing, and on the lawful bases of fulfilment of contract and legitimate interest for processing your medical records and sending you health information and exercises relating to your condition.

8.5.10 Your medical record is processed as Special Category Data under Article 9(2)(h) of the GDPR. Parents must give consent for communication with children under 16 years old.

8.6 Your Rights

8.6.1 As we process your personal data, you have certain rights. These are the right of access, the right of rectification, the right of erasure and the right to restrict processing.

8.6.2 You may request a copy of your data at any time. Please make such a request in writing or by email to the Data Controller, whose details are shown above. Please provide the following information: your name, address, telephone number, email address and details of the information required. We will need to verify your identity, so we may ask for a copy of your passport, driving licence and/or a recent utility bill.

8.6.3 If you believe any of the personal data we hold on you is inaccurate or incomplete, please contact the Clinic directly, and any necessary corrections to your data will be made promptly.

8.6.4 If you believe we should erase your data, please contact the Data Controller, whose details are shown above.

8.6.5 If you wish us to stop storing or using your data, please contact the Data Controller, whose details are shown above.

8.7 Security and Data Breaches

8.7.1 Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay. We will give you the contact details of the Data Controller who is dealing with the breach, explain the nature of the breach and the steps we are taking to deal with it.

8.7.2 Access to paper records is restricted to practitioners and admin staff who have signed a confidentiality and processor confidentiality agreement.

8.7.3 All electronic data is password protected and access to information can be restricted. Systems are kept updated, and anti-virus security systems are in place and kept updated.

8.7.4 Data breaches will be detected by observing signs of unauthorised entry to storage areas, monitoring communications or becoming aware of a security breach (e.g. a virus, an unauthorised log-on or a change to permissions) on the computer system. Data breaches will be investigated and reported to the Information Commissioner’s Office within 72 hours by the appointed person. Clients will be informed if we believe a data breach has occurred.

8.7.5 Clients may contact the Information Commissioner’s Office if they believe a data breach has taken place: Information Commissioner’s Office, 0303 123 1113. The ICO registration number is C1511529.

8.8 Disclosure of your information/data sharing

8.8.1 Information is only shared with other persons with the Client’s permission. This would usually be with other health professionals. Client information is never passed on to other clinics, practitioners, persons or companies.

8.8.2 We may pass information with your permission to other medical professionals who may be involved in your care; this may include GPs, consultants, occupational health departments or other Health and Care Professions.

8.8.3 This information may be passed on in the form of a written letter which is given to you; if this is the case, the letter and the protection of its contents become your responsibility.

8.8.4 If the information is passed electronically by email, we will seek your consent first and we will take all reasonable precautions to transmit the information securely.

8.8.5 On rare occasions, data may be shared without consent, if there is a legal order or in cases of serious safety risk.

8.9 Client Rights

8.9.1 Clients, and anyone else we hold data about, have rights under GDPR. You can request to see your data at any time, move your data to another practice, correct any inaccuracies and prevent marketing. You may request that your details be deleted, but due to our legal obligations we cannot delete your health record; we can, however, remove you from our contact list.

8.9.2 If the Client requires copies of data, these can only be released on receipt of a signed request or in exceptional circumstances. Any data sharing is detailed in the Client record.

8.10 Changes to our privacy policy

8.10.1 All changes will be notified on our website.

8.11 Should you wish to complain

8.11.1 Clients may raise any complaints about data processing with our Data Controller, who may be contacted at info@theoxfordbodywhisperer.co.uk.

8.11.2 You may also contact the Information Commissioner’s Office directly (www.ico.org.co.uk) should you wish to make a complaint about the way we are processing your personal data. The ICO registration number is C1511529.

8.12 Automated Decision Making and Profiling

We do not use any system which uses automated decision making or profiling in respect of your personal data.