Unity Physiotherapy & Wellbeing is committed to protecting your privacy and will process your personal information in accordance with GDPR, UK data protection, and other current legislation. We want to be clear and transparent about what data we collect, how we collect it, how it is processed and protected. We are registered with the Information Commission to process personal data, our registration number is ZA069890.
What data do we collect?
If you become a patient, or make a healthcare related enquiry, we collect personal information which includes some sensitive data. This is necessary to offer the service to you and respond to your enquiry. We are permitted to process your personal information, including sensitive information for healthcare provision and to meet our legal and healthcare regulations.
We process your special category data (sensitive data), for example details of your physical or mental health, for healthcare purposes and to comply with our legal and professional healthcare obligations. Personal information collected includes name, address, email address, telephone numbers, demographic information such as date of birth and GP surgery and medical information, and how you heard of the clinic. Sensitive information collected includes medical information, your beliefs, and social factors including your religious beliefs (if this information is appropriate and shared by you). Financial data is not stored on any of our systems, payments are made by BACS, cash and cheque, the only financial data we record is the amount paid.
If you connect with us or interact with us on social media some details will be recorded by the social media servers, you can read their privacy policies online. We use social media to raise awareness of issues and things that can change health and wellbeing and promote awareness of our services. We may use aspects of case studies of patients we have helped but these would never include your personal information nor make you identifiable.
If you visit our website and make an enquiry we will collect your name and email address along with any other information you provide, such as telephone number and reason for contacting us. Under GDPR we have a legitimate interest to process this information, as with data subjects who have become patients, under the provision of healthcare. The information you provide on the contact form is only used to contact you and is stored in your file along with any information provided by email or over the phone if you become a patient. If you don’t become a patient of the clinic the information from the contact email and any phone calls is deleted. Data provided by you on the contact form is encrypted until it reaches our server.
If you visit our website then anonymous statistical information about your visit will be collected to assist us in understanding how our site is used, this is captured and managed using cookies. We also use Google analytics to monitor visitor numbers, they may gather your IP address, location and device information. Google analytics information is only used to monitor the use of our website and not for any other purpose, it is stored on Google servers. You can opt not to have your data captured for analytical purposes via your browser settings or add-on.
When video consultations are offered these will be done using third party software, such as Zoom which is hosted in the USA but is part of the Privacy Shield Scheme. No recording of the session will take place without expressed consent of the other party. You can read the GDPR policy, or privacy and security policy on the third parties website.
Why we need your data
How we receive your data and with whom we might share it
We receive personal and sensitive data from the owners of the personal data (either as patients, enquirers or website visitors), as well as their carers and family members, other healthcare professionals, solicitors, insurance companies and other third party funding organisations.
This information may be collected by phone, mail or email, following which it is recorded in the notes file and kept securely. Emails are printed and deleted once the email thread has ended. Occasionally communication is received by SMS text message this is to and from a phone that is locked with a security code.
Data leaves the business via phone, letter, and sometimes email to other healthcare professionals, solicitors, insurance companies and third party funders whom patients have given consent to share data with. When sensitive data is emailed to yourself or a third party, with your consent, the document is password protected (this is sent to the receiver in a separate email or by text message).
Your information is not passed to any third parties except in relation to your care, or unless an overriding lawful reason exists for sharing this, such as to protect yours or another person’s vital interests; where possible, this is usually only done with your consent.
Occasionally we may require IT support and it is possible technical staff will need access to emails to rectify any issues. We will take adequate technical and organisational security precautions to minimise any exposure to the information you have provided to us.
How we use your information
To provide you with our healthcare service.
We will use your information to provide treatment and to contact you, this includes to remind you of your appointment and emailing exercises.
Your information is not passed to third parties except in relation to your care, and as specified above unless any overriding lawful reason exists for sharing this, and is usually only done with your consent wherever possible.
It is important data is accurate and up-to-date, we will do our utmost to ensure it is, however, you must also advise of any changes to your circumstances whilst you are a patient of the clinic.
Direct marketing and publicity
We would like to stay in touch with you to provide general information that can help you live well, keep you up to date with any changes in our service, and generally send you information which the GDPR labels as direct marketing. We will only do this with your permission.
To keep clients and subscribers up to date with information we will use a third party email broadcast company which may be outside of the EEA, we will ensure that they have adequate technical and organisation measures in place to protect the information. Subscribers can change their preferences at any time by clicking on the unsubscribe link in any email broadcast, or simply email us at email@example.com and you will be removed from our broadcast list.
If you give a testimonial, we would attribute this to you in a way you choose although we don’t usually state your full name. At any time you can withdraw your consent, but any testimonial or case study used in hardcopy marketing materials or already indexed by search engines may be difficult to stop.
If you attend an event run by us some of the organisation of this may be managed by a third party company such as Eventbrite. When this is the case the company may eb outside of the EEA, we will ensure that they have adequate technical and organisation measures in place to protect the information.
How is your data stored and security?
Your data is stored in your notes file in a secure locked cabinet, for a time on email (later printed and put in the filing cabinet in your notes file), sometimes on a text message on a locked phone, and sometimes for a short time electronically with a password.
Whilst we always aim to keep your data within the UK, or EU, this may not always be possible. For example, we utilise some exercise management platforms to assist you with doing your exercises and these may be hosted outside the EEA. Your name, email and list of recommended exercises is the only data held on these sites. We will only use sites that can demonstrate adequate security to protect your information.
How long are records kept?
Legally medical records have to be kept 8 years from the date of your last treatment, and to age 25 years for children so this is the duration of time we store your data for.
Where specific concerns have been identified, it may be necessary to retain certain records for a longer period of time. Where this is the case they will be securely stored.
Under GDPR you have specific rights, those rights that are applicable to the data we hold on you include:-
- The right to be informed of what information we hold
- The right to access the information we hold on you
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
The above rights are not absolute, and there may be reasons why we are unable to comply which your request, for example we are legally bound to keep your notes for the period of time outlined above and would therefore not be able to erase your data if you ask us to Each enquiry will be treated and considered on a case by case basis in-line with GDPR guidelines.
If you have any concerns or questions please contact:
Information Commissioner’s Office
If you are unhappy with how we have processed your information, you have the right to lodge a complaint with the office of the Information Commissioner at:
Information Commissioners Office