Privacy, security and data protection Notice
For Bedford Physiotherapy Centre (BPC) patients and service users (Full Version)
This guidance describes how and for what purposes we collect and use personal data from our patients and service users. It has also been made available electronically to help meet the needs of various users who may access it. For example, it can be enlarged to make it easier to read using the software on your computer.
We will only collect data that is necessary and relevant to the delivery of our services, or for any future products or services we may offer you from time to time.
How we will use your data
The information you give to us will be used to provide you with the physiotherapy service for which it was intended. We may, however, be required to share your data as part of our contractual requirements - for example, if you are referred to us via the NHS, we may need to share the information discussed with your GP. In addition, your data may be used to:
- Contact you if we need to resolve a query
- Enable us to deliver an effective physiotherapy service (e.g. appointment reminders)
- Assess the quality of the services we have provided to you
- Help us assure quality and safety of the services we provide to you in the future
- Provide us with information in order to keep you up to date with our services and to develop new services
Your consent regarding the use of your information submitted via the Bedford Physiotherapy website/Registration forms will be used in relation to your physiotherapy treatment only.
Your personal data will not be used for any marketing purposes unless you specifically opt in using our consent procedures. A separate consent form will be given to you when you first register with us or when you return for a fresh course of treatment.
We may be legally obliged to share your data upon receipt of a legitimate request, but we will only do so in accordance with the law.
Lawful bases for processing - Legitimate Interests
We may share or discuss your data with appropriate parties involved in your care, but we will only do so if the processing of this information is necessary and there is no good reason to protect your personal data which overrides our legitimate interest. For example, we may need to discuss your progress with your referrer, or we may need to obtain information from your GP or NHS service provider, in order to ensure the service we are providing to you is clinically appropriate.
From time to time, we may use the data we obtain from you for statistical analysis and research. We may also provide data showing trends to third parties - for example, we share some data with the NHS to help improve patient care as part of our contract agreement.
Lawful bases for processing – Consent
We will use this basis for things such as appointment reminders, newsletters and other marketing purposes, and when sharing or discussing your data with appropriate third parties. We will always ask you to make a specific opt in or out for specific things.
We will be clear and concise and name any third party controllers who will rely on this consent, although this is likely to be your GP, Private Insurance Company or whoever referred you to BPC.
We will keep evidence of your consent – who, when, how and what we tell people and how we do this.
We will keep your consent under review, and refresh it if anything changes.
How to opt out of disclosure of your information
If you would like to explicitly refuse consent for information to be shared, for example with other healthcare professionals involved in providing care to you, it may mean that the care that can be provided to you is limited. If the service to which this applies is at Bedford Physiotherapy Centre you should advise BPC staff of your wishes and discuss the potential implications on your care or treatment.
If you have given us consent to use your information for other purposes such as marketing and no longer wish for this, you may opt out at any time. Please speak to a member of staff at BPC about any changes of consent.
Where your data will be stored
Your data will be held on the computer system(s) within Bedford Physiotherapy Centre and on any paperwork relevant to the provision of physiotherapy services to you. Your data may also be held by systems and support networks within the NHS involved in your care - for example if you provide data to Circle MSK, your data may also be backed up or archived within purpose-built, professionally managed, secure data storage facilities in the UK, which will be monitored 24 hours a day, 365 days of the year. Appropriate security measures, in-house, are in place in line with our NHS requirements to protect your data.
How we comply with the Data Protection Act 1998 and, as from 25th May 2018, with the new General Data Protection Regulation (GDPR) and the Data Protection (Charges and Information) Regulations 2018
Bedford Physiotherapy Centre has internal procedures to ensure that all information which is collected and held about you is held in accordance with the legal requirements and principles of the GDPR 2018.
The main principles are listed below together with an explanation of how BPC complies with these principles.
A summary of the GDPR 2018 principles
1) Personal data shall be processed fairly and lawfully
BPC has developed procedures to ensure that all information collected about you is processed fairly and lawfully. In addition, BPC has developed this guidance to help you understand the purpose of our data collection and the steps we have taken to protect your data.
2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
BPC has notified the purposes for which we will use your data to the Information Commissioner (ICO).
3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
We ask only for data that is to be used to provide you with information relating to the service you are accessing. Sometimes we may aggregate data so we can identify trends and draw wider conclusions. In these circumstances the data will be processed to prevent identification of any individuals.
4) Personal data shall be accurate and, where necessary, kept up to date
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose, those purposes, or for the purpose of any future services provided by BPC.
The information that BPC collects from you and from which you are identifiable will be updated at your request. We may ask for appropriate evidence before updating this information.
5) Personal data shall be processed in accordance with the rights of data subjects under this act
Your rights under the GDPR 2018 are fully observed. If you feel that your rights are being contravened then you have full recourse to the Information Commissioner's Office (ICO).
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
BPC recommends that you review the paragraphs above which set out the measures which we have taken to protect your data.
6) Personal data shall be kept for no longer than necessary
We are legally required to keep some information for a certain length of time. Your information will be held in line with our legal requirements. It will be held for an appropriate period of time which allows us to provide an effective physiotherapy service to you and to refer back to the information in the future, if we may reasonably be required to do so. For example, in the event that you had a complaint about our services, we may need to check the information we held at the time.
7) Personal data shall be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage
We have various physical and technical security measures in place to prevent unauthorised access to your data, such as passwords on computer systems to which only our staff have access. We also have systems to prevent unexpected loss of your data, such as secure computer backup facilities.
8) Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
We abide by the high level of data protection regulation within the UK and consequently you can be assured that your information is processed in accordance with UK data protection principles.
Keeping your data up to date and requesting copies of the data held about you
If you would like to update your details, please contact BPC. If this does not meet your requirements, if you have a specific or detailed query about the use of your data which is not covered within this guidance, or if you would like to obtain a copy of the data held about you, please contact BPC’s Data Controller: Pauline Ware - Tel: 01234 266222