Privacy Policy for Hampshire Neuro Physio

We are committed to protecting your privacy and personal data. This policy explains how Hampshire Neuro Physio (the Data Controller) collects, uses, stores, and shares your personal information and outlines your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: Hampshire Neuro Physio

Address: Winchester, UK

Contact Email: admin@hampshireneurophysio.co.uk

1. Information We Collect

We collect information directly from you when you book an appointment, receive treatment, or contact us.

Personal Data

  • Contact Information: Name, address (for domiciliary visits), telephone number(s), and email address.

  • Personal Details: Date of birth, gender, and occupation.

  • Financial Details: Payment information, which is typically processed securely by a third-party payment provider and not stored directly by us in Cliniko.

Special Category Data (Health Data)

  • Health and Medical History: Details of your current complaint, relevant medical history, medication, allergies, test results, and lifestyle information.

  • Clinical Records: Treatment notes, assessment findings, treatment plans, and correspondence with other healthcare providers (e.g., GP letters).

2. Our Legal Basis for Processing Your Data

As a healthcare provider, we must have a lawful reason for processing your personal information. This legal basis dictates why and how we use your data:

  • To provide you with physiotherapy care and treatment:

      • Lawful Basis (UK GDPR): Contract. We process your data to deliver the services you have requested and agreed to.

      • Condition for Special Category Data (Health Data): Provision of Health Care. This processing is necessary for medical diagnosis and the provision of treatment.

  • To keep a record of your health, treatment, and progress:

      • Lawful Basis (UK GDPR): Legal Obligation. This is required to meet professional standards set by the Chartered Society of Physiotherapy and to comply with health law.

      • Condition for Special Category Data (Health Data): Provision of Health Care.

  • To send you appointment reminders and administrative communications:

      • Lawful Basis (UK GDPR): Legitimate Interest. This ensures effective service delivery and management of your appointments.

  • To share information with other healthcare professionals (with your consent):

      • Lawful Basis (UK GDPR): Consent. We will always ask for your explicit agreement to share your data outside our practice.

      • Condition for Special Category Data (Health Data): Provision of Health Care.

  • To handle any clinical negligence claims or complaints:

      • Lawful Basis (UK GDPR): Legal Obligation and Legitimate Interest.

      • Condition for Special Category Data (Health Data): Legal Claims. This is necessary for the defence of legal claims.

3. How We Store and Protect Your Data (Cliniko)

Your information is stored electronically using Cliniko, a secure, GDPR-compliant Practice Management Software.

  • Role of Cliniko: We are the Data Controller (we decide what data to collect), and Cliniko is our Data Processor (they provide the secure system to store the data).

  • Security: Cliniko provides a secure, password-protected, cloud-based system. Data is encrypted both when it's stored and when it's sent over the internet.

  • Access: Only your physiotherapist and authorised administrative staff have secure, password-protected access to your data within Cliniko, and only for the purposes outlined in this policy.

4. How Long We Keep Your Data (Retention)

We are legally and professionally required to retain your clinical records for a minimum period.

  • Adults (18+): Records are retained for 8 years after your last treatment session.

  • Children and Young People (under 18): Records are retained until the patient's 25th birthday (or 26th if they were 17 when treatment ended).

  • Deletion: After the retention period, all personal and clinical data will be securely and permanently deleted from the Cliniko system.

5. Sharing Your Personal Information

We will never sell your personal data to any third party for marketing purposes.

Shared with Your Explicit Consent

  • Referring you to another healthcare provider (e.g., GP, Consultant, or another specialist).

  • Liaising with your insurance company for payment or claims.

Shared Without Your Explicit Consent (Required by Law or Safety)

  • If a court order or other legal requirement compels us to do so.

  • If we believe you or another person is at serious risk of harm, to comply with our duty of care and safeguarding responsibilities.

Third-Party Service Providers

  • Cliniko: Our secure clinical management software.

  • Payment Processors (e.g., Stripe): To process payments securely.

6. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right to Be Informed: To know how your data is being used.

  • Right of Access: To request a copy of the personal information we hold about you.

  • Right to Rectification: To have inaccurate or incomplete data corrected.

  • Right to Erasure ('Right to be Forgotten'): To request your personal data be deleted.

      • Note: This right is not absolute for medical records, as we have a legal obligation to retain them for the minimum periods specified in Section 4.

  • Right to Restrict Processing: To limit the way we use your data.

  • Right to Object: To object to certain types of processing (e.g., direct marketing).

  • Right to Data Portability: To request your data be transferred to another organisation in a common format.

To exercise any of these rights, please contact the Data Controller using the contact details at the top of this policy. We will respond to your request within one month.

7. How to Complain

If you have any concerns about how we handle your personal data, please contact the Data Controller first so we can try to resolve the issue.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.

ICO Contact Details: