In terms of the GDPR, I am the Data Controller and you are the Data Subject. Your rights under the GDPR are written in italics.
As a data subject, you have rights regarding your data under the GDPR. As the Data Controller, it is my responsibility to inform you of rights that are relevant to my contract with you. This is your Right to be Informed.
What data do I collect, and why?
As a patient, it is necessary for you to provide information about yourself, so that I may provide you with the services I offer.
This information includes your name, date of birth and contact details, so I can manage your appointments and provide relevant information via email and text messages.
I also collect information about your medical history, general health and wellbeing, as well as your lifestyle. This enables me to perform clinical assessments, provide appropriate treatment and offer clinical advice.
It is important to keep me updated about any changes to the above data, so I can continue to provide the best service possible.
You may request to have changes made to the information I have collected if it is inaccurate. The GDPR defines this as the data subject’s “Right to Rectification”.
How and where do I store your data?
Depending on which practice location you attend, your data is collected electronically only (London), or both electronically and on paper (Cardiff).
All electronic data is collected and stored using a cloud-based patient management service called Cliniko, which is fully GDPR compliant. In terms of the GDPR, they are the Data Processor. A password is required each time I wish to sign in to Cliniko’s website to access the service.
Data on paper is stored securely in a filing box which is locked in a secure location.
For how long do I keep your data?
As a registered chiropractor, I am required to keep your data for eight years after the date of your first visit. As a Data Controller, I have what the GDPR defines as “Legal Basis” to retain your data for this period of time.
In the case of children, the data is stored until his/her 25th birthday, or the 26th birthday if he/she was 17 years old when the treatment ended.
After the eight years, as a data subject, you may request that your data is erased. The GDPR calls this the “Right to be Forgotten”.
Who has access to your data?
I am the only person who has access to your data, unless you attend the practice in Cardiff where Clive Taylor and Anne O’Donohue also have access, for the same reasons described above.
To fulfil my contract I may share your data with a third party (e.g. referral to another health professional), but not without obtaining your consent first.
You have access to your data on request. This request must be made in writing and is known as a Subject Access Request. The GDPR calls this the “Right to Access”.
I will provide the information requested in an easy-to-read format that is easily transferable. The GDPR defines this as the “Right to Portability”.
If you wish to know more about the GDPR, further information is available from the Information Commissioner’s Office, also known as the ICO. Here is a link to their website.