This Privacy Notice is to inform you, our patients, of the types of data we process about you, the reasons for processing your data, the lawful basis for processing, your rights and the retention periods of your data.
Who are we
The Forge Clinic is the trading name of The Forge Health Clinic Ltd.
We take your data protection very seriously and have reviewed and updated our policies and procedures to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and have updated this Privacy Notice accordingly.
We act as Controllers in common with organisations listed below when we work in conjunction with them to treat you medically:
- Your nominated Insurance Company
- Your nominated health professional
Please contact us on email@example.com if you have any questions about the protection of your data.
Purpose of Processing
We are legally bound to capture and store personal and sensitive information about you in order to deliver the types of medical and therapeutic services we provide.
We operate under the guidelines of bodies such as the Chartered Society of Physiotherapy, Health & Care Professions Council, NHS and General Osteopathy Council.
We collect the following data from you, with your consent, in order to deliver our medical and therapeutic services:
- Personal contact data – name, address, email, phone number
- Sensitive personal data – such as medical details including medical history
- Sensitive personal data – ethnicity for NHS audits only
- Photography – on some occasions and with your consent, we may take photographs or short videos to demonstrate the correct exercise techniques and monitor treatment progress
- Credit card details
The types of processing we undertake include:
- Contacting you to arrange appointments, invoice our services or inform you of changes
- Medical assessments as part of providing our services
- Information about the treatments provided and progress of the treatments.
- If you have been referred for an NHS package of care you will be required to complete a questionnaire at the start and end of your treatment
Where you have consented, as part of the registration process or through our website, we send you Newsletters from time to time. If you no longer wish to receive these, please either unsubscribe from the Newsletter or email us at firstname.lastname@example.org. We will action your request immediately.
When you use our website:
- To help us to improve our site and to deliver a better and more personalised service
- To estimate our audience size and usage pattern
- To store information about your preferences, and so allow us to customise our site according to your individual interests
- To recognise you when you return to our site
- To notify you about changes to our service
Source of your data
We primarily receive information about you from you as part of the registration process and during consultations with our practitioners for assessment and treatment.
Where you have been referred from other Health Professionals you will have consented to your information being sent to us prior to transmission.
We do not receive or buy-in lists of personal data from other sources.
When you use our website
We may collect and process the following data about you:
- Information that you provide by filling in contact request forms; if you do so, we may keep a record of that correspondence
- Name, address, email address, date of birth – when you register for our online booking facility
- We may also ask you for information when you report a problem with our site
- Details of transactions you carry out through our online booking facility
- Details of your visits to our site and the resources that you access
IP Addresses and Cookies
Recipients of your data
Your information is provided to GPs, Consultants, Insurance Companies, hospitals and other health professionals directly linked to your treatment and with your consent.
If you have been referred for an NHS package of care, we are required to send a letter on discharge to your GP.
During your medical treatment you will be asked to consent to the transmission of this information. In some instances, you will be able to withdraw your consent and the implications of this will be made clear to you during the consultation (as this may not be in your best interests).
We do not pass on your information to any other parties, unless required to by law or in connection with the sale or purchase of our business or assets.
Security of your data
We have taken all reasonable steps to ensure that we and our Data Processors adopt industry-standard security protection systems to ensure the security of your data.
In some instances, your email address and credit card details are stored in locations other than the EEA (USA) and in this instance, we have assured ourselves that the Data Processor is aware of their responsibilities for the privacy and security of your data under GDPR. All other data is stored in the EEA.
We adhere to the guidelines from our industry bodies such as the Chartered Society of Physiotherapy, Health & Care Professions Council, NHS and General Osteopathy Council, regarding the retention periods of your medical and contact data, which will be for at least 8 years from last treatment or until the age of 25.
All other data will be kept only as long as is required by law or for performance of our contract of services with you.
Transmitting your personal data via the internet
The transmission of information via the internet is not completely secure. We cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
Credit/Debit Card payments
We never collect or store your payment card details, because they are processed either in person or by telephone via a third-party payment gateway. For credit card transactions made by telephone, the payment card details are cross-shredded immediately.
We cannot accept credit/debit card payments by email and will decline to accept payment by that means.
We only use PCI-DSS compliant payment systems procured from reliable third-party providers.
Your rights under GDPR
The GDPR provides the following rights for individuals: (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
If you would like to exercise any of your rights, please email us at email@example.com or write to us at The Forge Clinic, 37 Red Lion Street, Richmond, Surrey, TW9 1RJ. We will make every effort to respond to your queries promptly and to your satisfaction.
However, if you are still not satisfied, you have the right to complain to the Information Commissioner's Office (ICO). Follow the link below to report a concern to the ICO.
https://ico.org.uk/concerns/ or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
Changes to our Privacy Notice
Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by e-mail.
25th May 2018