Beechwood Physiotherapy General Data Protection Regulations Policy

  1. The DATA Controller for Beechwood Physiotherapy is ‘Beechwood Physiotherapy’.
  2. The nominated DATA Processor is Fiona Lucas, on behalf of Beechwood Physiotherapy.
  3. Beechwood Physiotherapy has nominated Fiona Lucas as their DATA Protection Officer.
  4. DATA HELD
    • Beechwood Physiotherapy holds only essential DATA by which to identify its patients (clients) and suppliers.
    • Beechwood Physiotherapy holds the following personal DATA – name, address, date of birth, telephone numbers, Email address, GP, medical insurance details (if appropriate).
    • This DATA enables Beechwood Physiotherapy to contact you regarding appointments, exercise plans or updates on progress.
    • Relevant medical details & clinical information pertinent to the patient’s condition, to assist in planning and executing treatment plans.
    • Invoicing details
    • This DATA is legitimate, accurate, specific and explicit, and limited only to that which is necessary.
    • At present Beechwood Physiotherapy does not send out marketing material via post or Email but may do so in the future.
    • The patient has the opportunity to opt out of this when signing their treatment consent form.
  5. DATA STORAGE
    • BW has a practice management system that stores all personal data in a single, secure place through Blue ZINC TM2.
    • ALL patient Clinical records are kept in paper format only, in a locked room, in locked metal filing cabinets, at Unit 15, Cygnet Business Centre.
    • Beechwood Physiotherapy is bound by its legal and professional responsibilities to retain all patient records for a minimum of 8 years following the patient’s last consultation.
    • In the case of children under the age of 16, they will be kept until the child reaches the age of 25.
    • Beechwood Physiotherapy will endeavour to keep all DATA accurate and up to date and it will be reviewed on a regular basis.
  6. DATA SHARING
    • On occasions it may be necessary to share Clinical DATA with the patient’s GP or medical consultant. On these occasions the patient (client) will be informed and verbal consent obtained.
    • DATA will only be shared with any other third parties, e.g. medical insurance companies or solicitors, upon written request and signed consent.
    • In these instances DATA will be sent to the third party via post, or secure Email, which will be password protected and the recipient advised via separate Email how to access such DATA.
    • DATA received from a third party via Email will be uploaded to, and stored on, the patient management system, OR
    • printed out and stored with that patient’s other clinical records.
    • Once this has been done the email will be permanently deleted.
    • An encrypted backup memory stick is updated on a regular basis and is held in a secure place by the DATA controller.
  7. SUBJECT ACCESS REQUEST
    • The subject has the right to access the personal DATA held by Beechwood Physiotherapy.
    • This request MUST be made in writing to the DATA controller at Beechwood Physiotherapy.
    • The subject may request that the DATA controller rectify any inaccuracies in the personal DATA held about them.
    • The subject may request erasure or restriction of their personal DATA, excepting that Beechwood Physiotherapy has a legal requirement to maintain clinical records for 8 years following completion of their last episode of care.
    • In the case of children all clinical data must be kept until the child reaches the age of 25.
    • In the event of a subject access request, Beechwood Physiotherapy will comply with the subject’s request.
    • A copy of that information will be supplied within 1 month at no cost to the subject.
  8. DATA BREACH
    • Beechwood Physiotherapy will implement appropriate technical and organisational measures in an effort to prevent a DATA breach.
    • In the event of a DATA breach, Beechwood Physiotherapy will inform the Information Commissioner’s Office, where possible within 72 hours or as soon after as BW becomes aware of such a breach.
    • If appropriate, where a risk to the individual is likely, Beechwood Physiotherapy will inform those individuals affected.
  9. DISPOSAL OF DATA
    • Clinical notes and personal DATA will be destroyed after 8 years.
    • Personal DATA will be deleted from the patient system after 8 years.