Data Protection and Privacy Policy

1.0     Introduction

Physio Science UK (PSUK) have a strict data protection policy in line with the Data Protection Act (DPA) 1998 and General Data Protection Regulations (GDPR) 2018.

Our data protection and privacy policy sets out our commitment to protecting personal data and how we implement that commitment with regard to the collection and use of personal data.

PSUK is required to process relevant personal data regarding staff, therapists, patients, clients and customers as part of its operation, and shall take all reasonable steps to do so in accordance with this policy.

This is the updated Data Protection Policy following an audit in February 2018, and in line with the new GDPR.

2.0     Data Protection Officer

PSUK has named Emily Webster as the Data Protection Officer (DPO) and Michelle Khoury as the Deputy Data Protection Officer (DDPO). These officers will endeavour to ensure all data is processed in compliance with this policy and the DPA and GDPR.

3.0     What information do we collect?

Your information will be collected and used appropriately to enable us to provide a high-quality service to you. We undertake to protect personal and sensitive data in a manner that is consistent with the requirements of the DPA and GDPR. We take appropriate organisational and technical security measures to protect your data against unauthorised disclosure or processing.

3.1       Physiotherapy Clinics

All data provided by clients is recorded and stored in accordance with the DPA and GDPR. Personal information that we collect may include name, address, contact numbers, email address, source of referral, a brief detail of the condition requiring physiotherapy, and insurance details if relevant.

These details may be collected in several different ways including:

  • Over the telephone.
  • By email.
  • Through our online booking website, which is provided by ‘simplybook.me’ and complies with the GDPR. Please visit their website (simplybook.me) for details on their privacy policy.
  • On initial assessment, where clients complete the necessary documents for the physiotherapy records.
  • At the point of referral from an external source, e.g. from an insurance intermediary or surgeon.

When an individual discloses personal information about themselves verbally, in writing or electronically, they consent to our use of the information for physiotherapy purposes. This information is held and used in compliance with the DPA, GDPR and Chartered Society of Physiotherapists (CSP).

Personal information is not disclosed to any third party without obtaining your prior consent, unless we are required to do so by the referral source, or by law.

Physiotherapy notes are kept in line with the CSP codes of conduct and record keeping guidance. These are stored securely, and access is restricted to relevant PSUK personnel only.

3.2       Pitch side therapists

Personal information is collected utilising the online ‘join us’ application form at www.physioscienceuk.com. Personal information is collected and processed in line with an application to work with PSUK.

Explicit consent is obtained via this application form and includes a clear description of the use and storage of personal information.

Therapists will be required to utilise ‘Egress’ when sending/receiving injury reports to PSUK, to ensure end to end encryption when sending/receiving this sensitive data.

3.3       Player Welfare Services

All personal information collected and used in providing player welfare services to independent schools or sports teams is collected and used lawfully and in accordance with the DPA and GDPR.

Contact details for each team are stored securely and accessed only by appropriate PSUK personnel. It is up to the individual teams to ensure that all contact details held for them by PSUK are up to date.

Independent schools and teams will be required to utilise ‘Egress’ when sending/receiving injury reports to PSUK, to ensure end to end encryption when sending/receiving this sensitive data.

4.0     Use of your Information

 

4.1       Physiotherapy Clinics

We will hold and use information in line with the DPA and GDPR. We require this information to ensure PSUK can provide a high-quality service to you.

Personal data and medical records are required to ensure we comply with the HCPC and CSP regulations, regarding accurate collection and documentation of clinical records for patients. PSUK complies with ‘the standards for the clinical structure and content of patient records’ compiled by HSCIC in 2013 and supported by the CSP. The standard retention period for physiotherapy notes is 8 years, as per the CSP guidelines.

In addition to this, we will also collect relevant insurance payment details, to allow us to receive payments directly from your insurance company. No personal payment information such as card details is held by PSUK. Any card payments are made using PayPal; you should see their website for details on their privacy policy.

We also collect other information such as your injury or how you were referred to PSUK; this is to help PSUK continue to improve the service we provide.

All patients complete and sign the PSUK ‘patient registration and terms and conditions’ at their first appointment.

4.2       Pitch Side Therapists

Personal data is stored following completion of the online ‘join us’ application form. Explicit consent is obtained during the online application process. The personal information collected during this application is collected and stored securely and is only used for its intended purpose.

Once the therapist has fulfilled the application process and begins working with PSUK, they consent that their contact details may be passed to the relevant teams/independent schools, to ensure effective communication regarding fixtures.

Therapists will be contacted annually to review their personal data and ensure we hold up-to-date records. It is the therapist's responsibility to inform us of any changes in their personal data, and to ensure we hold accurate and up-to-date records for them.

If a therapist has not responded to any form of communication from PSUK in 3 years, their details will be removed from the database, and held on a ‘removal database’ for a further 1 year. Following this period their details will be erased completely from all PSUK systems.

Pitch side therapists are required to send all injury reports and medical records securely using ‘Egress’, which provides end to end email encryption.

4.3       Player Welfare Contracts

Personal data will only be held by PSUK to ensure effective communication regarding contracts held with each team or independent school.

This information will be stored securely on PSUK IT systems and only accessible to appropriate PSUK personnel.

During the sporting season contact details for the relevant staff members with each team/independent school will be passed to the relevant pitch side therapists to ensure effective communication regarding fixtures. This information is only shared with consent from the team/independent school and pitch side therapist.

Injury reports and medical records will be sent to the team/independent school securely using the end to end encryption system ‘Egress’. These notes will also be processed and stored in accordance with the CSP guidelines and have a retention period of 8 years.

5.0     Disclosure of your Information

We will not disclose your information without your prior consent, unless required to do so by law.

6.0     Controlling the use of your data

If you have given us permission to use your data for a particular purpose, you can change or revoke that at any time. Please see section 13.0 below.

7.0     Storage and transfer of your data

PSUK utilises several electronic systems that store your data securely. Please go to their websites for details of their privacy policies.

  • Dropbox
  • Google docs
  • Simply Book
  • Kashflow
  • IRIS

8.0     Security

The transmission of information via the internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data while you are transmitting it to our site; any such transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.

Where we have given you (or where you have chosen) a password so that you can access certain parts of our site, you are responsible for keeping this password confidential. You should choose a password that contains multiple characters and is not easily guessed.

9.0     Third party links

Our website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. We accept no responsibility or liability for such other websites. You should exercise caution when entering personal information online and look at the privacy statement applicable to the website in question.

10.0   Sharing information

Our website allows you to share pages with social networks such as Facebook, Twitter and Instagram.

We do not share, sell or distribute your data to third parties.

11.0   Use of cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site.

Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website and services to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website and service, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

PSUK utilise Google Analytics, which is a web analytics tool that helps website owners understand how visitors engage with their website. Google Analytics uses cookies to track visitor interactions. We then use the information to compile reports and to help us improve our site. Google Analytics records information, such as the time that the current visit occurred, whether the visitor has been to the site before and what site referred the visitor to the web page. Google Analytics collects information anonymously. It reports website trends without identifying individual visitors.

12.0   Your rights

The DPA and GDPR give any client of PSUK several rights over their personal data. These include:

  1. Right to be informed

All clients have the right to be informed of the use of their data; PSUK upholds this within the relevant terms and conditions within each area of the business.

  2. Right to access

Any client of PSUK has the right to access information held by us. Please email us if you would like to request copies of the personal data held by PSUK. Once we have received and acknowledged receipt of your request, we will send copies of the requested information within one month. Please see the relevant contact email addresses below.

  3. Right to rectification

All clients of PSUK have the right to update any inaccurate information held by PSUK. Please email us if you would like to update any of your personal data. Once we have received and acknowledged receipt of your request, we will send copies of the requested information within one month. Please see the relevant contact email addresses below.

  4. Right to erasure

You also have the right to ask that we cease using your data and that this data be erased. You can exercise these rights at any time by writing to us via email. These requests will be actioned within one month of receipt of the request.

Pitch Side Therapists working with PSUK have three options with removal of personal data. 1. Completely removed from the database, only listing name and date of removal. 2. Removal from main database but kept on a separate individual database for potential appropriate future events. 3. Removal from database but stored on a ‘removal database’ for 1 year. It is the therapist's decision as to which option they would prefer to opt for.

  5. Right to restrict processing

You have the right to change the permissions that you have given us in relation to how we use your data. Please email PSUK if you would like to change these details at any point. Once we have received and acknowledged receipt of your email, we will amend these details within one month. Please see the relevant contact email addresses below.

A small administrative fee will be payable for dealing with any data requests.

Contact details for personal data requests

Physiotherapy Clinic: healthcare@physioscienceuk.com

Player Welfare Services: info@physioscienceuk.com

Pitch Side Therapists: info@physioscienceuk.com

13.0   Changes to this policy

PSUK’s privacy statement is subject to change at any time. Please check regularly for updates to this policy to be informed of how we are protecting your personal data.

14.0   Contact

If you have any questions about this policy, please contact us at info@physioscienceuk.com.