Data Protection Policy
Introduction
At LJD Physiotherapy, we collect and process ‘personal data’ (see ‘What is personal data?’ below) for business purposes, including provision of our services, marketing, and business administration. This includes health data and other sensitive data relating to our Patients (i.e. individuals who are receiving or have received LJD Physiotherapy input for health advice and treatment), as well as other personal data relating to Prospective Patients (i.e. individuals who enquire about or express an interest in the services offered by LJD Physiotherapy), Patients, suppliers and other third parties.
Compliance with data protection law is essential to ensure that personal data remains safe, our business operations are secure and the rights of individuals are respected. LJD Physiotherapy is a controller under data protection law, meaning it decides how and why it uses personal data.
This Policy explains our procedures for complying with data protection law in relation to personal data.
Why is data protection compliance important?
Data protection law in the UK is regulated and enforced by the Information Commissioner’s Office (ICO). Failure to comply with data protection law may cause harm to individuals and expose LJD Physiotherapy to serious legal liabilities. These can include criminal offences and fines of up to £17.5million or 4% of total worldwide annual turnover, whichever is higher. In addition, an individual may seek damages from us in the courts if we breach their rights under data protection law. Breaches of data protection law can also lead to serious damage to our brand and reputation.
In particular, Patients could suffer significant harm if data relating to their health is not handled appropriately and protected from loss or misuse. There are therefore particular risks for LJD Physiotherapy in its use of health data.
What is personal data?
Personal data means any information relating to any living individual (also known as a ‘data subject’) who can be identified (directly or indirectly), in particular by reference to an identifier (e.g. name, NHS number, Patient number, NI number, email address, physical features). Relevant individuals can include Patients, members of the public, business contacts, etc. Personal data can be factual (e.g. contact details or age), an opinion or assessment about an individual, or information that may otherwise impact on that individual. It can be personal or business-related.
The rules apply to personal data held electronically (e.g. within local or cloud-based computer systems, within emails and other communications) or in structured paper (or other manual) files (e.g. individual Patient files). The rules also apply to paper records which are intended to form part of a structured paper or electronic system (such as records awaiting filing).
Data protection law provides additional protection for certain categories of data known as special category data, which includes health data. This is covered in more detail below in this Policy.
What does ‘processing’ personal data mean?
‘Processing’ personal data means any activity that involves the use of personal data (e.g. obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying). Note that this includes sending or transferring personal data to third parties, as well as use within LJD Physiotherapy.
Related policies and procedures
There are other policies and procedures which impact on how we deal with personal data and data protection. The main ones are our “Client consent form” and “privacy policy”.
Data Protection Obligations
LJD Physiotherapy is responsible for and must be able to demonstrate compliance with data protection law. To ensure that LJD Physiotherapy meets its responsibilities, it is essential that we comply with data protection law and any other LJD Physiotherapy policies, guidelines or instructions relating to personal data when processing personal data in the course of our business.
We have set out below the key obligations under data protection law and details of how LJD Physiotherapy ensures its compliance with these requirements.
As noted below, if ever we are unsure about what we must do to comply with our obligations, we consult the guidance published by the ICO on its website (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/) and seek advice as needed.
1. Process personal data in a fair, lawful and transparent manner
Fairness and legal ground for processing
Data protection law allows us to process personal data only where there is a legal ground which justifies using the information.
Examples of legal grounds for processing personal data include the following (at least one of these must be satisfied for each processing activity):
- processing is necessary for entering into or performing a contract with the individual (e.g. a contract for services with an individual Patient);
- processing is necessary to comply with a legal obligation (e.g. health and safety, or tax laws);
- processing is necessary in LJD Physiotherapy’s or a third party’s legitimate interests (e.g. maintaining records of business activities, monitoring business productivity), although this must be balanced against the interests and rights of the individuals.
- processing is necessary to protect the vital interests of an individual (such as where it is necessary to share data with a health professional in a life or death situation);
- the individual has provided consent to the processing (e.g. for sending direct marketing communications).
Where consent is relied upon, it must be freely given, specific, informed and unambiguous. To this end, consent should be clearly separated from other matters, and should not be wrapped up within other agreements with the data subject (such as within terms of service). It should also be a genuine option (such that the activity will not take place if consent is not given and will cease if consent is subsequently withdrawn). LJD Physiotherapy must effectively demonstrate that consent has been given.
In most cases, consent is not required for standard business activities involving use of Patient or supplier data, but it may be needed for activities which are not required to manage the main business relationship, such as some direct marketing activities. We do not generally rely on consent for processing Patient data. Mostly our legal basis for processing personal data is that we have a legitimate interest.
Fairness
Data protection law also requires us to process personal data fairly. This includes ensuring that we only handle personal data in ways that people would reasonably expect and that we do not use it in ways that have unjustified adverse effects on them.
Transparency
Data protection law also requires us to process personal data in a transparent manner by providing individuals with appropriate, clear and concise information about how we process their personal data.
We usually provide individuals with basic information about how we use their data on forms which collect data (such as in our “consent form”, application forms or website forms), and in longer privacy notices setting out details including: the types of personal data that we hold about them, how we use it, our legal grounds for processing the information, who we might share it with and how long we keep it for. For example, we provide information about our processing of patient data within our Patient Privacy Policy.
We supplement these notices, where appropriate, with reminders or additional information at the time particular processing activities take place or become relevant for an individual (for example when they sign up for a new service or event).
The standard privacy notices and statements that we issue to Patients are normally sufficient to ensure that we are processing their personal data transparently, i.e. that individuals have appropriate information about how we are handling their personal data in the course of our business. However, we take care to consider whether additional action or reminders may be appropriate at the time particular processing activities take place. For example, children or other vulnerable individuals may need additional assistance to understand clearly how their data may be used, and we recognise that we may need to take them through key points orally.
If we have any concerns about the legal ground for processing personal data or the fairness of processing, or if we are unsure whether individuals have been provided with appropriate information (in particular in relation to any new processing activities), we consult the ICO guidance and seek advice as needed.
2. Take extra care when handling special category data
Some categories of personal data are ‘special’ because they are particularly sensitive, and inappropriate use of such data is likely to have a significant negative impact on the data subjects. Special category data is personal data about an individual’s:
- physical or mental health;
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- sex life or sexual orientation;
- biometrics (if used for identification purposes) or genetics; and/or
- criminal offences or convictions.
Where special category personal data is concerned, data protection law requires us to have (as well as one of the legal grounds described in section 1), an additional legal ground to justify using this sensitive information. The appropriate legal ground will depend on the circumstances.
Additional legal grounds for processing special category data include the following:
- processing is necessary to provide our health care and treatment services.
- processing is necessary to comply with a legal obligation or exercise a legal right in relation to employment.
- processing is necessary to assess working capacity (based on expert medical opinion, and subject to obligations of confidentiality).
- processing is necessary to carry out equal opportunities monitoring in relation to racial or ethnic origin, religious beliefs, health or sexual orientation.
LJD Physiotherapy’s Record of Processing Activities sets out the types of special category data that we process and lists the applicable additional legal grounds for such processing.
Of course, all of the obligations under data protection law that we refer to in this Policy are of particular importance when we process special category data and we take extra care to comply with them when doing so. LJD Physiotherapy has carried out an assessment of its processing of such data in order to ensure that we comply with these obligations in practice.
In particular, we ensure that:
- there are appropriate legal grounds for processing the data (both basic grounds under section 1 and additional grounds under this section 2) which have been assessed for the specific activities;
- individuals have received adequate information regarding how their data is being handled. Our Patient Privacy Notice covers general use of health data, but we also consider whether additional information should be provided for clarity (see section 1 above on transparency). In some cases, an existing privacy notice may need to be supplemented with more specific information regarding special category data;
- we apply additional security and confidentiality measures, taking into account that the impact on individuals of loss or misuse of their special category data may be greater than with other types of data. See also section 7 below.
If we are commencing a new project or updating an existing system which involves new types of processing of health or other special category data, or if we are unsure or have any concerns over the legal grounds that apply when we process special category data, the fairness of the processing, or the appropriate information to be provided to individuals, we consult the ICO guidance and seek advice as needed.
3. Only process personal data for specified, explicit and legitimate purposes
LJD Physiotherapy will only process personal data in accordance with our legitimate purposes to carry out our business operations and to administer our relationships with our Patients and other individuals or organisations.
Processing personal data for any incompatible or unauthorised purposes could result in a breach of data protection law. This may have potentially damaging consequences for all parties concerned, and it may also be a criminal offence.
If we believe there is a business need to process personal data for a different purpose from that for which it was originally collected, we conduct an additional data protection assessment before going ahead with processing the data for that additional purpose. If we are unsure, we consult the ICO guidance and seek advice as needed.
4. Make sure that personal data is adequate, relevant and limited to what is necessary for the legitimate purposes
Data protection law requires us to ensure that, when we process personal data, it is adequate, relevant to our purposes and limited to what is necessary for those purposes (also known as ‘data minimisation’). In other words, we ask for and use the information we need for our legitimate business purposes, but we won’t ask for or use more information than we need in order to carry out those activities.
If we are creating forms that collect personal data, or collecting information orally from individuals, we:
- ensure that we have sufficient personal data to be able to use it fairly for the specified purposes, and to take into account all relevant details. This may include collecting adequate information from Patients to enable us to provide our services and treatments effectively; and
- are able to justify why each specific category of data is being requested or recorded. We always consider whether less information, or less specific information, could be recorded to achieve the same purpose.
We also regularly review existing forms.
We do not create unnecessary copies of personal data, particularly health data and other special category data.
We comply with our clinic policies about data retention and storage, ensuring that individual records containing personal data are only kept for as long as it is needed for any intended purpose (as also covered below).
5. Keep personal data accurate and (where necessary) up-to-date
LJD Physiotherapy takes steps to ensure that personal data is accurate and (where necessary) kept up to date. For example, we request that Patients provide us with any change in contact details or personal information via email (ljdphysiotherapy@proton.me) or telephone (+44 7526 373 257) contact.
We also take care that assessments and decisions impacting individuals are based on accurate and up-to-date information, particularly where this may have a significant impact on an individual (such as assessments affecting their health).
When collecting any personal data, we try to confirm its accuracy at the outset. If we are unclear on any detail, we seek to clarify it directly with the data subject. If we subsequently discover any inaccuracies in the personal data that we are handling, we correct or delete them without delay.
We limit the number of copies of personal data which are held, to avoid the risk that duplicate copies are not updated and become out of sync. Where possible, we work from and update a single central copy (in accordance with standard LJD Physiotherapy procedures on retention and storage of records).
6. Keep personal data for no longer than is necessary for the identified purposes
Records containing personal data should only be kept for as long as they are needed for the identified purposes. LJD Physiotherapy has in place the following data retention, storage and deletion policies and internal processes/guidelines regarding various types of clinic records and information that contain personal data:
- Data Processing Activities
- Privacy Policy
We take appropriate steps to retain personal data only for so long as is necessary, taking into account the following criteria:
- the amount, nature, and sensitivity of the personal data;
- the risk of harm from unauthorised use or disclosure;
- the purposes for which we process the personal data and how long we need the particular data to achieve these purposes;
- how long the personal data is likely to remain accurate and up-to-date;
- for how long the personal data might be relevant to possible future legal claims; and
- any applicable legal, accounting, reporting or regulatory requirements that specify how long certain records must be kept, for example from the “Health and Care Professions Council” and the “Chartered Society of Physiotherapists”.
We have a legal obligation to retain records for 8 years after a Patient’s most recent appointment (or until the Patient is age 25, if this is longer).
We securely destroy or erase all information that we no longer require in accordance with these criteria and the policies, processes and guidelines referred to above. If we are unsure, we consult the ICO guidance and seek advice as needed.
7. Take appropriate steps to keep personal data secure
Keeping personal data safe and complying with LJD Physiotherapy’s security procedures to protect the confidentiality, integrity, availability and resilience of personal data is a key responsibility for LJD Physiotherapy.
LJD Physiotherapy has a “Storage of personal information standard operating procedure”, which sets out its organisational and technical security measures to protect information, including personal data through:
- electronic storage with password access and hard drive encryption. Electronic devices have anti-virus protection.
- paper storage within a locked cabinet in a locked building.
- passcode-protected mobile storage.
We regularly evaluate and test the effectiveness of these measures to ensure the security of our personal data processing activities, as set out in our “Storage of personal information standard operating procedure”.
In particular, in order to ensure the security of the personal data that we process in the course of our business, we:
- only access and use personal data relevant to the business of LJD Physiotherapy;
- record and store records revealing specific health details separately from other Patient data (such as names, contact details and appointment dates), and apply appropriate security controls and access restrictions to such data;
- save, store and communicate personal data only within or using authorised LJD Physiotherapy information and communications systems;
- use password-protected and encrypted software for the transmission and receipt of emails;
- lock files in a secure lockable cabinet;
- never leave laptops, other devices or any hard copies of documents containing personal data in a public place;
- take care when viewing personal data in hard copy or on-screen that such information is not seen by anyone who does not have the right to that information, especially if we are viewing the personal data in a public place;
- when storing data on portable devices such as laptops, smartphones or USB drives, ensure that the device is encrypted and password protected;
- ensure that information containing personal data is disposed of securely and permanently, using confidential waste disposal or shredding where necessary;
- if we come across information containing personal data that we are not meant to have access to, inform the document owner (if we know who this is) and securely delete or dispose of the document;
- immediately investigate any personal data breaches and report them to the ICO if required (see below for further details about personal data breaches); and
- ensure that any sharing or disclosure of personal data is permitted on appropriate legal grounds and, where necessary, that safeguards are in place (see below for further details of safeguards regarding overseas transfers or sharing personal data with third party service providers).
8. Take extra care when sharing or disclosing personal data
The sharing or disclosure of personal data is a type of processing, and therefore all the principles described in this Policy need to be applied.
We will only share personal data with third parties where we have a legitimate purpose, and an appropriate legal ground under data protection law which permits us to do so. Commonly, this could include situations where we are legally obliged to provide the information (e.g. to HMRC for tax purposes) or where necessary to perform our contractual duties to individuals, or where we have the consent of the data subject (e.g. sharing of information with other health professionals). We will ensure that data sharing agreements are put in place if appropriate.
We may appoint third party service providers, for example to provide patient data management systems, data storage, or other technology services. Where the service provider handles personal data only on our behalf and under our instructions, they will be a ‘processor’ under data protection law.
LJD Physiotherapy remains responsible for ensuring that its processors comply with data protection law and this Policy in their handling of personal data. We must assess and apply data protection and information security measures prior to and during the appointment of a processor. The extent of these measures will vary depending on the nature of the activities, but will include appropriate risk assessments and reviews, and contractual obligations (within data processing agreements).
Details of the recipients or categories of recipients of personal data (including processors and other third parties) will be set out in privacy notices as described in section 1 above.
We only disclose the personal data we hold to service providers or other third parties where:
- there is a legitimate purpose and an appropriate legal ground for doing so (e.g. it is necessary for them to process the personal data in order to provide a service to us such as a technology service, or if we are legally obliged to do so);
- the individuals whose personal data is being shared have been properly informed (e.g. in an appropriate privacy notice);
- we have checked that adequate data protection measures are in place to protect the personal data concerned. In particular, appropriate security measures are needed;
- the service provider or other third party has signed up to a written data sharing or data processing agreement that contains the provisions required by data protection law (unless, following an appropriate assessment, we have determined that this is not required in context); and
- the data sharing complies with any overseas transfer restrictions, if applicable (see section 9 below on this).
We do not share data with any new external party, nor appoint new technology or service providers (including using new technology to process data) without first assessing whether additional measures or agreements are needed prior to disclosure. If we are unsure, we consult the ICO guidance and seek advice as needed.
9. Do not transfer personal data to another country (or receive it from another country) unless there are appropriate safeguards in place
LJD Physiotherapy must comply with additional rules where personal data is sent to or accessed by a third party outside the UK. This includes the use of technology systems hosted (or with backups) outside the UK. These rules aim to ensure that the level of data protection afforded to individuals is not compromised (as the laws of such countries may not provide the same level of protection for personal data as within the UK).
To ensure that data protection is not compromised when personal data is transferred to another country, LJD Physiotherapy assesses the risks of any transfer of personal data outside of the UK (taking into account the principles in this Policy) and puts in place appropriate safeguards where required.
The UK government has determined that countries in the European Economic Area (EEA – this is the European Union plus Norway, Liechtenstein and Iceland) and specified other countries (see the ICO’s list of adequate countries) provide an equivalent level of protection for personal data. No additional safeguards are therefore required for transfers of personal data to these countries.
Where a Patient requests that we send them their personal data (e.g. a copy of their health records) and they are located outside the UK, in a country which the UK government has not determined as providing an equivalent level of protection for personal data, we ask the Patient to complete an appropriate consent form prior to the transfer.
Where LJD Physiotherapy receives personal data from a third party in a different country, that third party may need to put in place particular safeguards in order to comply with the laws of that country regarding transfers of personal data to the UK. LJD Physiotherapy cooperates with such requests received from third parties in order to provide reasonable assistance to enable them to comply with their data protection obligations.
If we are unsure about any aspect of an overseas transfer of personal data, we consult the ICO guidance and seek advice as needed.
10. Report any data protection breaches without delay
LJD Physiotherapy takes all breaches of data protection law and this Policy very seriously. These can include lost or mislaid equipment or data, use of inaccurate or excessive data, failure to address an individual’s rights, accidental sending of data to the wrong person, unauthorised access to, use of or disclosure of data, deliberate attacks on LJD Physiotherapy’s systems or theft of records, and any equivalent breaches by LJD Physiotherapy’s service providers.
Where there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data – known as a ‘personal data breach’ – which poses a risk to the rights and freedoms of individuals, LJD Physiotherapy is required to report it to the ICO without delay and, where feasible, within 72 hours of discovery. LJD Physiotherapy will take immediate steps to identify, assess and address any such breach, including containing the risks, remedying the breach and, where necessary, notifying the ICO and any other appropriate parties. LJD Physiotherapy has internal processes for identifying, assessing and addressing personal data breaches.
We also keep an internal record of all personal data breaches regardless of their effect and whether or not we report them to the ICO.
If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals (which would often be the case if health data has been compromised), we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken. Guidance on how to approach this can be sought from the ICO, where appropriate.
11. Do not use profiling or automated decision-making without careful consideration
Profiling, or automated decision-making, occurs where an individual’s personal data is processed and evaluated by automated means resulting in an important decision being taken in relation to that individual. This poses particular risks for individuals where a decision is based solely on that profiling or other automated processing.
Data protection law prohibits decision-making based solely on profiling or other automated processing, except in very limited circumstances. In addition, where profiling or other automated decision-making is permitted, safeguards must be put in place and we must give individuals the opportunity to express their point of view and challenge the decision. We do not generally conduct profiling or other automated decision-making in respect of patients’ personal data.
If we are proposing to undertake any new automated decision-making or profiling activities, we first consult the ICO guidance to determine whether it is permitted and identify the appropriate safeguards to put in place. If we are unsure, we seek specialist advice as needed.
12. Integrate data protection into operations
Data protection law requires LJD Physiotherapy to build data protection considerations and security measures into all of our operations that involve the processing of personal data, particularly at the start of a new project or activity which may impact on the privacy of individuals. This is known as ‘data protection by design and by default’.
It involves taking into account various factors including:
- the risks (and their likelihood and severity) posed by the processing for the rights and freedoms of individuals;
- technological capabilities;
- the cost of implementation; and
- the nature, scope, context and purposes of the processing of personal data.
We consider all new processing operations at the design stage to determine whether a data protection impact assessment (DPIA) is required, or if it would be beneficial to conduct a DPIA even if it is not strictly legally required. If we decide not to conduct a DPIA, we ensure that our reasons for this are appropriately documented.
We also seek to assess data protection risks regularly throughout the lifecycle of any project or activity which involves the use of personal data by conducting periodic reviews to ensure that any data protection risks continue to be addressed.
Individual rights and requests
Under data protection law, individuals have certain rights when it comes to how we handle their personal data. For example, an individual has the following rights:
- The right to make a ‘subject access request’. This entitles an individual to receive a copy of the personal data we hold about them, together with information about how and why we process it and other rights which they have (as outlined below).
- The right to request that we correct incomplete or inaccurate personal data that we hold about them.
- The right to withdraw any consent which they have given.
- The right to request that we delete or remove personal data that we hold about them where there is no good reason for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal data where they have exercised their right to object to processing (see below).
- The right to object to our processing of their personal data for direct marketing purposes, or where we are relying on our legitimate interests (or those of a third party), where we cannot show a compelling reason to continue the processing.
- The right to request that we restrict our processing of their personal data. This enables individuals to ask us to suspend the processing of personal data about them, for example if they want us to establish its accuracy or the reason for processing it.
- The right to request that we transfer to them or another party, in a structured format, their personal data which they have provided to us (also known as the right to ‘data portability’). The applicability of this right depends on the legal grounds on which we process it.
- Rights in relation to solely automated decision-making (including profiling), including the right to voice their opinion, to obtain human intervention in the decision-making, and to contest the decision.
When we receive a request from an individual seeking to exercise one of the above rights, we take prompt action to ensure that we can comply without undue delay and, where applicable, within the required one-month timeframe. Data access requests can be made in writing to ljdphysiotherapy@proton.me.
Once we are aware of an access request, we take care not to do anything to prevent the individual from receiving information they would be entitled to in response to their request. For example, we do not amend, delete, or hide personal data that relate to the request, unless we would have done this in any event in the absence of a request. (It is a criminal offence to amend, delete or hide personal data that relate to an access request with the intention of preventing its disclosure.)
Individuals also have rights to complain to the ICO about and to take action in court to enforce their rights and to seek compensation for damage suffered from any breaches. If the ICO contacts us regarding a complaint raised by an individual, we do all that we can to cooperate with the ICO and resolve the complaint.
Direct marketing and use of cookies
LJD Physiotherapy does not make or send unsolicited direct marketing communications (by telephone, email, SMS, post or other method) to Patients or other individuals without obtaining any required consents and giving such individuals the right to opt-out or object (see also Individual rights, above). Consents must be specific, informed and freely given.
Marketing communications may include communications to Patients or other individuals which promote LJD Physiotherapy’s services, related events or training courses, or any other party’s goods or services.
We will assess our obligations to obtain consent or provide an option to refuse marketing at the time a Patient’s or other individual’s contact details are collected. All marketing communications will contain details of how to opt out of future marketing.
Communications with Patients about the services we are currently providing to them would not generally fall within the direct marketing rules, although we always follow the other requirements set out in this Policy with regard to such communications. We do not send any additional communications promoting the services of LJD Physiotherapy, or any third party goods or services unless the Patient has opted in to receive such communications.
The LJD Physiotherapy website uses cookies for the purposes of: ensuring the functionality of our website; analysing how people use our website so that we can improve the way it works; and personalising our website content for visitors. We take steps to ensure visitors to the website are notified of such cookies and that appropriate consents are obtained.
If we are unsure about what we need to do to comply with the rules on direct marketing and the use of cookies, we consult the ICO guidance and seek specialist advice as needed.
Record Keeping
In order to comply, and demonstrate our compliance, with data protection law, LJD Physiotherapy keeps records of our data processing activities. These include our Data Processing Activities Record which contains: the purposes of processing; categories of data subjects and personal data; our legal grounds for processing; categories of recipients of disclosures of data; information about international data transfers; envisaged retention periods; general descriptions of security measures applied; and certain additional details (including legal grounds) in respect of particular types of processing of special category data.
If we collect any new types of personal data or undertake any new types of processing activities, either through the introduction of new systems or technology or by amending existing ones, we add the relevant details to our Data Processing Activities Record to ensure that it is kept up to date.
Departures from this Policy
There are some very limited exemptions from data protection law, which may permit departure from aspects of this Policy in certain circumstances.
Before departing from this Policy, we consult the ICO guidance to ensure that any such departure is permitted under data protection law and we seek specialist advice as needed.
We reserve the right to make any necessary changes to this policy as and when needed, without giving notice. The most up-to-date version of this policy is available on our website: www.ljdphysiotherapy.co.uk.