Privacy Policy

The Therapy Centre (Bedford) Limited
Data Protection Policy For Patients
General statement of the Company’s Duties and Scope
We are The Therapy Centre (Bedford) Limited, a private physiotherapy and allied complimentary health company. We collect and process personal data regarding members of staff, patients, relatives, applicants and volunteers as part of our operation and shall take all reasonable steps to do so in accordance with our policies.
This policy has been written to ensure that we comply with the relevant provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679).
It has been written with reference to the information provided by the Information Commissioner’s Office (ICO).
Data Protection
The Company will be registered with the Information Commissioners Office (ICO). and will act as the Data Controller determining the purposes and means of handling personal data for Physiotherapy patients at the practice.
The Clinical Director has been given the role of Data Protection Officer and will have overall responsibility for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The Company is The Therapy Centre (Bedford) Limited
The Principles of GDPR
We shall ensure that your information will be: • Fairly and lawfully processed • Processed for a lawful purpose • Adequate relevant and not excessive • Accurate and up to date • Not kept longer than necessary • Processed in accordance with your rights • Secure
• Not transferred to other countries without adequate protection
Data Controller Physiotherapy Patients 
The Company will be the Data Controller responsible for information in respect of Physiotherapy Patients and personnel at the practice will process data in association with their role. Clinical staff are responsible for following their relevant professional and legal obligations. Whilst processors have legal responsibility for their actions the Controller has an obligation to ensure that they comply with GDPR.
All processors are bound by their contractual obligations about client and patient confidentiality.
Data Controller Clinical Associates
All personal information belonging to patients and clients seen by Clinical Associates (other than Physiotherapy) will be the responsibility of the individual clinician. They will assume the role of Data controller for their own records and The Company will process data on their behalf solely for the purposes of booking appointments and day to day administration.
Clinical Associates are to make an undertaking to The Company confirming that they comply with GDPR.
Any questions regarding the GDPR policies of therapy professionals working at The Therapy Centre should be directed to the individual practitioner concerned.
External Processors
The Company will ensure that, where data is processed externally, for example by service providers, Cloud services or storage facilities, all external processors are compliant with this policy and relevant legislation.
What kinds of personal information do we process?
Personal and contact details
Reception staff are required to collect personal data for making appointments and day to day administration. These details will be recorded on the clinical notes and diary system. It is a legal requirement for us to record attendance. 
Reception staff are required to handle sensitive personal data but will never share this.
Sensitive Personal Data
Clinical records contain sensitive personal information and will be recorded by clinicians in accordance with the relevant professional standards and legal obligations.
Consent is to be obtained before sensitive personal data is shared for example with General Practitioners, other health professionals or insurers. 
Sharing information with other parties will not be done without your written consent specifying what details you wish to share and who you would like to share it with. You can ask to see a copy of any correspondence before it is sent.
How will we collect your information? • We will ask you to give your title, full name and date of birth, telephone number and payment basis when you book your initial appointment by phone in person. • We will ask you whether you wish to receive a text reminder. • When you come to your initial appointment you will be asked to complete our full patient registration form and sign our privacy notice to confirm your consent allowing us to process your information. • Your physiotherapist will collect all the medical information that they need to treat you during your assessment. The assessment will be recorded on the clinical record and not will be shared without consent.
Ownership of Clinical Records
Physiotherapy Records
The Company will be the owner of all physiotherapy treatment records. Individual Physiotherapists will use the same patient record. This is considered to be the most appropriate means of ensuring that sensitive data is managed in accordance with GDPR governance rules and yet still enable records to be freely shared by all of the practitioners involved in each episode of care. Physiotherapy Associates will assume the role of Data Controller on behalf of The Company in this respect.
Other Therapy Associates (Clinical Associates)
Therapists working in disciplines other than physiotherapy are separate businesses and have their own GDPR responsibilities.
All other allied health professionals (Clinal Associates) working at the clinic will retain ownership of their patient records and will be considered as the Data Controller for those records.
Privacy Notice and Consent
Every Physiotherapy patient (or their guardian) will be asked to read a Privacy Notice at the start of each new episode of care and be required to complete the data consent section at the bottom of the form. This will be attached to the clinical record.
All associates from other disciplines are responsible for obtaining their own relevant consent and documentation.
Right of Access to Information
You have the right of access to information held by The Company. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request. (Known as a subject access request SAR). An initial copy of your information will be provided at no charge.
Requests for access to information held by our other Clinical Associates should be made directly to them.
The Company will endeavour to ensure that all data held is accurate. We ask you notify us of any changes to information held about you and you have the right have inaccurate data corrected or erased. This does not apply where there is a legal requirement to retain records of corrections or mistakes in the interest of all parties to which they apply, and no alterations can be made to the clinical record.
Monitoring Data Protection
We will conduct a GDPR Risk Assessment annually and a report included in our Practice Manual.
An annual data processing and information audit will be conducted to document the • Type of information the Company holds • Where the data is being stored • How data is being processed • Whether the data is being collected and stored in accordance with our policies • Records of Consent • Records of data breaches
Data Retention and Destruction • Your information will be retained in accordance with legal and operational requirements. Your clinical notes are kept for 8 years and anything financial is retained for 7 years. • Data will be securely destroyed once the retention period has expired.
Information sharing • We will not share your personal information with anyone without your consent. • If you are making a claim to pay for your treatment through a health insurer they will require us to share information. It will not be possible to process your claim without this but if you wish you can ask to see any information or reports before they are shared.
Is your information transferred outside the UK or EEA?
The exercise prescription tool that we currently use is provided by Physiotec, a Canadian company. This secure system requires your full name and email address so that you can receive your exercises. There is a contractual agreement that protects against them using this information for any other purpose.
Marketing • We will not use your data for marketing ourselves unless we obtain specific consent from you first.  • We will not pass any of your information on to anyone for external marketing purposes.
The Therapy Centre (Bedford) Limited                                                   26 April 2018