The information contained in this website is for general information purposes only. The information is provided by North London Neuro Physio and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website you are able to link to other websites which are not under the control of North London Neuro Physio. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, North London Neuro Physio takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
North London Neuro Physio (hereafter NLNP) takes its data protection obligations seriously and is committed to the highest professional standards. We only collect data that is relevant to your treatment and is necessary for us to deliver the best possible service.
This policy provides detailed information on when and why we collect your personal information, how we use it and the very limited conditions under which we may share it with others.
We will ensure that all members of the team take the necessary steps to protect the personal data they hold against accidental loss or unauthorised access.
NLNP is a neuro-physiotherapy business, providing expert specialist treatment to a wide range of individuals. The office is based at 22a Beckwith Road, London SE24 9LG. The office number is 020 7737 6122.
NLNP has appointed Joanne Tuckey as Data Protection Officer (DPO). Please contact Jo at 22a Beckwith Road, London SE24 9LG or at firstname.lastname@example.org with any questions or requests about the personal information we process.
Collection of your personal information
In addition to your basic contact information (name, date of birth, telephone numbers, email and postal address), we will collect other relevant details including your current and past medical history, medication, your GP, the findings from our assessment, your treatment records and your goals for the future. We may also store associated, relevant information that we receive from other healthcare professionals, as part of your ongoing care.
We process the data because it is in our legitimate interests as expert clinicians to do so.
How we use this information
The information we collect is used to ensure that we provide you with the best and most appropriate treatment. We use your contact information to get in touch with you and to send you invoices. From time to time, we may need to liaise with other professionals involved with your care, such as your GP, hospital consultant, orthotist or other members of the multidisciplinary team. We will only do this with your consent and when it is necessary to your physiotherapy treatment.
We are committed to protecting your rights to privacy. They include:
- Right to be informed about what we do with your personal data
- Right to have a copy of all the personal information we process about you
- Right to rectification of any inaccurate data we process
- Right to be forgotten and your personal data destroyed
- Right to restrict the processing of your personal data
- Right to object to the processing we carry out based on our legitimate interest.
Storage, processing and retention of your information
Your personal data is securely stored electronically and is encrypted, with restricted, password-protected access.
We retain your information for as long as reasonably necessary to provide our services and to maintain records that satisfy the legislation for medical records, accountancy and other legal requirements.
Personal data is retained for eight years, in compliance with our professional indemnity obligations. We are legally obliged to hold data on children until they reach the age of 21.
Administrative data is retained for up to six years as necessary, in the unlikely event that there are queries from HMRC. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible.
Personal data relating to associates who are no longer working with NLNP is also retained for up to six years as necessary.
How and when we share your personal information
We share personal data internally but strictly on a ‘need to know’ basis.
All emails are confidential and encrypted.
The subject line of emails will not contain any patient identifiable data.
Where necessary we may disclose your information to healthcare professionals, as outlined above. We may also pass information to external agencies and organisations, including the police, for the prevention and detection of fraud and criminal activity. Should any claim be made, we may pass your personal information to our insurers. If the business is wholly or partially transferred to a third party, your personal information may be one of the transferred assets.
Other personal data
We also process personal data pursuant to our legitimate interests in running our business such as:
- Invoices and receipts
- Accounts and tax returns
- Personal details, including bank details of our associates
The rights of data subjects include the right of access to personal data by means of a subject access request.
You have a right under the Data Protection Act 1998 and GDPR guidance 2018 to request access to view or to obtain copies of what information we hold about you and to have it amended should it be inaccurate.
In order to request this, you need to do the following:
- Your request must be made in writing
- There may be a charge to have a printed copy of the information held about you.
- You will need to give adequate information (for example full name, address, date of birth, and details of your request) so your identity can be verified and your records located.
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date.
The DPO is responsible for responding to requests from data subjects and must do so within one month. The period may be extended by a further two months where that is necessary. In these circumstances the data subject must be informed within one month that more time is needed and given the reason why. On receipt of a request, the DPO conducts a search of the relevant files, email folders and inboxes as necessary.
If the DPO does not wish to accede to a request, they will seek legal advice.
You may choose how we send your communications, using any of the contact details we hold on our records; this may include your email, SMS, telephone and postal information. We will restrict our communications to clinically necessary messages and messages regarding your invoices. Your personal preferences can be changed at any time by contacting the DPO at the address above.
A ‘cookie’ is a small text file containing information that a web site transfers to your computer’s shared disk for record keeping purposes. A cookie cannot give us access to your computer or to your personal information. Most web browsers automatically accept cookies; consult your browser’s manual or online help if you want information on restricting or disabling the browser’s handling of cookies. If you disable cookies, you can still view the information on our website.
Information Commissioner’s Office
If you have any concerns about the way your personal information has been processed, please contact the DPO above. If you are still unhappy following a review by us, you can then complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk, by telephone on 0303 123 1113 (local rate), or using live chat via the website.
When there is a personal data breach, NLNP will report this immediately, truthfully and in full.
The DPO is responsible for handling data breaches and will evaluate what the breach is, how it occurred and the associated risk to data subjects.
If there is a risk to data subjects, the breach will be reported to the Information Commissioner’s Office within 72 hours. If the report is late, an explanation must be given as to why.
Where the risk to data subjects is high, the breach must be reported to them individually if at all possible.
The DPO will inform the ICO how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in future.
The initial report will contain a summary of the position. The DPO may wish to seek authority to obtain legal advice before submitting the initial and any subsequent reports.
A thorough investigation and corrective action will be undertaken so as to reduce the risks to data subjects arising out of any breach, and to make sure that something similar does not happen again in future.
Where a breach of a computer system is suspected, the DPO may engage IT support to better understand the nature of the breach.
The theft of data, whether as a result of shortcomings in the physical security arrangements on the premises or the hacking and penetration of computer systems, will be reported immediately to the police.
The breach, investigation and corrective actions must be documented and filed on the NLNP data protection risk register.
All personal data breaches, however minor, and whether reportable or not will be recorded in the data protection risk register, held by the DPO.
This security policy is designed to ensure that NLNP complies with the security requirements of the General Data Protection Regulation, and the rights to privacy of data subjects are protected.
In compliance with Article 32 NLNP has implemented appropriate physical, organisational and technical measures to ensure a level of security appropriate to the risk.
- Electronic data is encrypted with restricted access.
- Shredding of confidential information is carried out securely on site or outsourced pursuant to a GDPR compliant contract.
- Computers and other electronic equipment are disposed of in a safe manner.
- Anti-virus and anti-spyware tools are installed on physiotherapists’ computers.
- All computers are password protected.
- Team members have access rights to personal data on a strict ‘need to know’ basis.
- All emails are confidential and encrypted.
- Joanne Tuckey is responsible for data protection and has sufficient resources to carry out her role effectively as data protection lead.