Why we collect your personal data and what we do with it
In providing your musculoskeletal healthcare and treatment, we will ask for information about you and your health. This privacy notice describes the type of personal information we hold, why we hold it, and what we do with it.
We are Body Spheres, Osteopathy & Physiotherapy Clinics, operating in The City & Marylebone.
Our Head Office address is 7B Addington Road, London, N4 4RP
Information that we hold
We only keep and use information for specific reasons set out in the law. Below, we describe the information we hold and why, and the lawful basis for collecting and using it.
We hold personal information about you including your name, date of birth, insurance details if provided, address, telephone number and email address. This information allows us to fulfil our contract with you to provide appointments. We will also use the information to send you reminders and recall appointments as we have a legitimate interest to ensure your continuing care and to make you aware of our services.
We hold information about your health, including:
- Clinical records made by our practitioners and other medical professionals involved in your care and treatment
- MRI scans, X-rays, clinical photographs and reports
- Medical histories
- Treatment plans and consent
- Notes of conversations with you about your care
- Dates of your appointments
- Details of any complaints you have made and how these complaints were dealt with
- Correspondence with you and other health professionals or institutions regarding your health and care
We collect and use this information to allow us to fulfil our contract with you, to discuss your treatment options and provide care that meets your needs. We also use this information for the legitimate interest of ensuring the quality of the treatment we provide.
We hold information about the fees we have charged, the amounts you have paid and some payment details. This information forms part of our contractual obligation to you to provide musculoskeletal health care and allows us to meet legal financial requirements.
How we use your information
When you supply your personal details to this clinic they are stored and processed for 4 reasons (the terms in bold are the relevant terms used in the General Data Protection Regulation - GDPR):
We need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide treatment.
We have a “Legitimate Interest” in collecting that information, because without it we couldn’t do our job effectively and safely.
We also think that it is important that we can contact you in order to confirm your appointments with us or to update you on matters related to your medical care. This again constitutes “Legitimate Interest”, but this time it is your legitimate interest.
Provided you have given us your explicit consent, we may occasionally send you general health information or marketing in the form of articles, advice or newsletters. You may withdraw this consent at any time – just let us know by any convenient method.
For quality control purposes, we may conduct patient surveys to find out if you are happy with the treatment you received.
Keeping your information safe
We have a legal obligation to retain your records for 8 years after your most recent appointment (or age 25, if this is longer).
Your records are stored:
• on paper, in locked filing cabinets, and the offices are always locked and alarmed out of working hours.
• electronically (“in the cloud”), using a specialist medical records service. This provider has given us their assurances that they are fully compliant with the General Data Protection Regulation. Access to this data is password protected, and the passwords are changed regularly. We use high-quality management software that has a secure audit trail, and all the information is routinely backed up.
• on our office computers, which are password-protected and backed up regularly.
Only the following people/agencies will have routine access to your data:
• Your practitioner(s) in order that they can provide you with treatment
• Our secretaries and clinic manager in order that they can assist your practitioner(s) with referrals, correspondence, sending your test requests or results (but they do not have access to any other elements of your medical records or sensitive personal information)
• Our reception staff, because they organise our practitioners’ diaries, and coordinate appointments and reminders (but they do not have access to your medical records or sensitive personal information)
• Other administrative staff, such as our book-keeper. Again, administrative staff will not have access to your medical records, just the relevant details.
• The secure medical records service who store and process our files
We also use Mailchimp and SurveyMonkey to coordinate our messages and surveys, so your name, email and IP address may be saved on their server.
Your information is normally used only by those working for the clinic but there may be instances where we need to share it in the context of your care – for example, with:
• Your general practitioner
• The hospital or other health professionals caring for you
• Medical services to which we may refer you
• Debt collection agencies
• Health Insurance schemes of which you are a member
We will only disclose your information on a need-to-know basis and will limit any information that we share to the strict minimum. We will give you notice if we send your medical information to another medical provider and we will give you the details of that provider at that time.
From time to time, we may have to employ external technical consultants to perform tasks which might give them access to your personal data (but not your medical records). We will ensure that they are fully aware that they must treat that information as confidential, and we will ensure that they sign a non-disclosure agreement.
In certain circumstances or if required by law, we may need to disclose your information to a third party not connected with your health care, including HMRC or other law enforcement or government agencies.
Access to your information and other rights
You have a right to access the information that we hold about you and to receive a copy. We do not usually charge you for copies of your information; if we pass on a charge, we will explain the reasons.
You can also request us to:
• Correct any information that you believe is inaccurate or incomplete. If we have disclosed that information to a third party, we will let them know about the change.
• Erase some of the information we hold. For legal reasons, we may be unable to erase certain information (for example, information about your treatment). However, we can, if you ask us to, delete some contact details and other non-clinical information.
• Stop using your information – for example, sending you reminders for appointments or information about our service. Even if you have given us consent to send you marketing information, you may withdraw that consent at any time.
• Stop using information if you believe the information is inaccurate or you believe we are using your information illegally.
• Supply your information electronically to another medical practitioner.
If we are relying on your consent to use your personal information for a particular purpose, you may withdraw your consent at any time and we will stop using your info
We want you to be absolutely confident that we are treating your personal data responsibly, and that we are doing everything we can to make sure that the only people who can access that data have a genuine need to do so.
Of course, if you feel that we are mishandling your personal data in some way, you have the right to complain.
**DATA PROTECTION & COVID-19**
In order to look after your healthcare needs and in accordance with legal requirements in place due to COVID-19, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are legally permitted to use your information and need to use it to help deal with the pandemic. This enables public health organisations to monitor the disease, assess risk and manage its spread. Please be assured that we will only share information and health data that is absolutely necessary to meet your and public healthcare needs.
For any requests or any concerns about how we use your information, please contact our “Privacy Manager”:
Dr Mathilde Konczynski
079 6624 3498
Body Spheres Head Office – 7B Addington Road, London, N4 4RP
If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office (ico.org.uk).