Privacy Policy for Sarah Smith Physiotherapy 

Sarah Smith Physiotherapy treats the privacy of its clients / patients (hereinafter referred to as the ‘data subject’) very seriously and take appropriate security measures to safeguard privacy and protect and manage any personal data provided by data subjects.

What data do we hold:
You provide us with personal data from a health and medical questionnaire/consultation either online, written, email or the telephone. This includes name, address, date of birth, email address, telephone numbers, emergency contact details, gender, employment status, medical history, health and lifestyle status and other relevant information pertaining to your physiotherapy condition and treatment. Further personal data is obtained before, during and after the treatment procedures. We may also store data provided by yourself or other relevant parties – such as referral information and create reports requested by you or other relevant parties with your consent.

How we store data:
The security of your data is taken extremely seriously, Paper data is stored in a locked filing cabinet, in a locked treatment room, in a locked building. Electronic data will be stored on password protected files, on a password-protected computer. Emails will be sent in an encrypted format. If any breach in security should arise you will be notified immediately and any other relevant parties.
How we use your personal data

Data subjects personal data will be used specifically to analyse, evaluate an individualised treatment plan best suited to the needs of the data subject consistent with a duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR)* We will also take reasonable security measures to protect your personal data in storage. *The Information Commissioner’s Office (ICO) may be contacted with any GDPR queries.

We do: use your personal data to provide a personalised treatment plan and we respect your privacy and work hard to meet strict regulatory requirements
We do not: sell your personal data to any 3 rd party

The General Data Protection Regulation – GDPR (May 2018) recognises there is a need to protect and to give the user greater control over personal data.

The rights of the individual include:
1. Right to be informed Why personal information is needed and how it will be used By reading this policy you accept and understand the need for your data to be obtained and kept in line with the GDPR and Health and Care Professions Council (HCPC) and Chartered Society of Physiotherapy (CSp) guidelines.
2. Right of subject access You can request a paper or scanned electronic copy of your personal data that we hold
3. Right to rectification You can have any incomplete personal data completed, but please note that if any individual is factually wrong then changing records of personal data will be falsification
4. Right to erasure Data subjects (with capacity) notes must be kept for eight years from the date of last treatment for adult records, and for children eight years after their 18 birthday or until 25 years of age. After which notes will be securely destroyed unless requested by the data subject.
5. Right to restrict processing On occasion your notes may be required by third parties, for example, other medical or medio-legal professionals. In this instance, this will only be permitted with your signed express consent.

6. Right to data portability You will be able to receive your personal data in a commonly used format and have the right to transmit this data to another
7. Right to object Sarah Smith Physiotherapy should not have cause to process personal data
8. Rights in relation to automated decision making Sarah Smith Physiotherapy does not carry out automated processing