For the purposes of the website and communication between Horizon Physiotherapy and its Associates, Horizon Physiotherapy is the data controller. For the purpose of GDPR with regard to services, Horizon Physiotherapy and its Associate Physiotherapists are joint data controllers. Our Associates are all affiliated to Horizon Physiotherapy but act independently as Chartered Physiotherapists, following the CSP guidance for management of your records (https://www.csp.org.uk/publications/record-keeping-guidance#storage PD061 version 3, November 2016).
Any enquiry regarding the collection or processing of your data should be addressed to:
Karen Blagojevic, Clinical Director, Horizon Physiotherapy, 1 Springwood, Chapel Hill, Speen, HP27 0SN. Karen is registered with the Information Commissioner’s Office (“ICO”) for this purpose. Certification number
GDPR has identified eight specific rights for individuals we must align to. These give you the right to:
- be informed about how your personal data will be used
- receive a copy of any personal data we hold on you
- have your personal data rectified if it is inaccurate or incomplete
- have your personal data erased without unnecessary delay
- ‘block’ or suppress the processing of your personal data
- obtain your personal data, if held electronically, in a format that will enable you to move, copy or transfer this information from one IT system to another
- object to certain types of processing, such as for direct marketing purposes
- not be subject to an automated decision-making process where those decisions have ‘a legal effect’ or ‘a similar, significant effect’ on you.
These rights are not absolute and where we have a legal requirement to retain or share information this may take precedence.
Information we collect
We will collect personal data on this Website only if it is directly provided to us by you the user via the Contact form e.g. your e-mail address, name, home or work address and telephone number, and therefore has been provided by you with your consent. Normally you will only provide such details if you wish us to make contact with you or to sign up for our free e-newsletter or other resources.
We also use analytical and statistical tools that monitor details of your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data (but this data will not identify you personally). We analyse visitor traffic via Google Analytics; the cookies in use are: _ga, _gat & _gid. Google’s policy can be found here: https://policies.google.com/privacy
Your payment information (e.g. credit card details) provided when you pay for services by card machine is not stored by us and we do not have any access to this information.
How we will use your personal data
The personal information we collect and store is used primarily to provide our services to you and keep our clinical records, therefore meeting our legal and contractual commitments. We may also use your data to:
- Know who you are so that we can communicate with you. The legal basis for this is a legitimate interest.
- Deliver goods and services to you. The legal basis for this is the contract with you.
- Process your payment for the goods and services via card payments and invoicing. The legal basis for this is the contract with you.
- Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
- Compile risk assessments and record/share your address to protect our lone workers.
- Enhance your experience of our website. The legal basis for this is a legitimate interest.
- Provide you with a useful and relevant website. The legal basis for this is a legitimate interest.
- Notify you of changes to our website, such as changes to products or services that may affect the service we provide to you. The legal basis for this is a legitimate interest.
- To provide you with an e-newsletter or information about goods and services similar to those that were the subject of a previous sale to you that may be of interest to you. The legal basis for this is a legitimate interest.
Checking and rectifying your personal information
If you have supplied your personal information via the website contact form or other format then we will assume that the information you have supplied is accurate. Where we have compiled a report or other information that you have consented for us to share, we will ask you to check the personal data within this for accuracy. Clinical information and opinions are not open to such review.
How long will we keep your data?
Where you have made an enquiry regarding our services, we will retain this information on a database for up to 1 year. This is to ensure we provide you with the best possible service should things change and you contact us again. If you become a client, it will form part of your clinical record. If you do not become a client within this time, we will safely destroy your information.
Where we have provided clinical services to you, we follow the Department of Health guidance to retain clinical records for 8 years after our last contact with you. Our clinical records are paper-based and will be securely destroyed within a reasonably practicable timeframe from this point. We follow the CSP guidance on data handling and storage https://www.csp.org.uk/publications/record-keeping-guidance#storage PD061 version 3, November 2016.
How else we store your data
- Client database
An electronic record is kept of your name, address and contact details (phone/email). This is stored on an encrypted external hard drive, locked securely in a filing cabinet. No personal information is stored on computer hard drives.
- Paper Records
Clinical records are made on paper and stored by your Physiotherapist in a locked filing cabinet at their home address. If you are receiving domiciliary services, these records will be carried to and from your appointment by the Physiotherapist in a manner compliant with the CSP guidance.
Communication by email will not openly use your personal data. In the event that personal data is to be used, we will seek to verify your email address. We will also password protect documents that contain personal data. Emails are stored indefinitely by the email provider (IONOS). Email correspondence will be kept during the time that we are providing you with services. After this, if they are pertinent to your clinical record, they will be printed and stored with these. All others will be deleted as soon as reasonably practicable.
Images for which we have your consent to obtain and use will be stored on an external hard drive, locked securely in a filing cabinet. A separate consent form will be provided to enable you to choose if and how your images are used.
Who do we share information with?
We will only share and send information necessary to achieve business purposes. We will not share your information with your family unless we have your explicit consent or legal documents permitting us to do so. We send reports to other professionals as required professionally. We send invoices to the agreed fee payer. Information is shared to the extent necessary for accounting and tax purposes. Your payment information (e.g. credit card details) provided when you pay for services by card machine is not stored by us and we do not have any access to this information or your bank details. That information is processed securely and privately by the third party payment processors that we use. They have stated that they are GDPR compliant. Please see https://www.izettle.com/gb/privacy-policy. We use a third party accountancy package for invoicing which uses and stores your personal information. They have stated they are GDPR compliant: https://quickbooks.intuit.com/uk/privacy-policy.
Exceptions to the sharing of your personal data may be made to comply with applicable laws; to respond to governmental enquiries; comply with a valid legal process; or to protect our rights or property.
During the course of receiving services from Horizon Physiotherapy we will continue to check with you about your permission to use your data for specific purposes that arise e.g. sharing your information with another professional. We will document this permission in your clinical records.
Changing how we use your data
You can change your mind at any time about how we use data you have given additional consent for, e.g. receiving e-newsletters or use of your images. Please see the separate consent information for use of images. Some data will inevitably be irretrievable if consent has been given to share your data outside of Horizon Physiotherapy. Please get in touch with us to let us know what you would like to change.
Erasing your personal data
Please get in touch if you have a question about erasing your data. We will consider any request whilst also considering our legal obligations. If it is possible to delete the data you have requested, we will do so without undue delay. However, your personal and clinical information forms part of the legal documentation which we are obligated to keep by providing health care services to you, so we may not be able to comply with a request to erase all personal data. We may also retain these records for so long as our legal counsel advises us to do so. We can, however, change how we process your information, for example by removing your personal contact details from our database once you stop receiving services.
Requests for information:
Please get in touch with us if you wish to receive a copy of any personal information that we hold on you. We may need to verify your identity and right to make this request. Horizon Neurological Physiotherapy will deal with requests from individuals for information within one month. If the request is particularly complex, up to a further two months may be required. We may charge a fee to cover reasonable costs associated with this request if it is repetitive. We will endeavour to keep you informed on the progress of your request. Please make any requests for Data Access in writing to the contact at the top of this policy.