Privacy Policy Notice

This privacy policy notice is for Amanda Sullivan Physiotherapy and their website, www.pelvichealthphysio.co.uk, and governs the privacy of those who use their service and/or website. The purpose of this policy is to explain to you how we control, process, handle and protect your personal information while browsing or using this website, including your rights under current laws and regulations.

Policy key definitions:

  • “I”, “our”, “us”, or “we” refer to the business, Amanda Sullivan Physiotherapy.
  • “you”, “the user” refer to the person(s) using this service and/or website.
  • GDPR means General Data Protection Act.
  • PECR means Privacy & Electronic Communications Regulation.
  • ICO means Information Commissioner’s Office.
  • Cookies mean small files stored on a user’s computer or device.

You are encouraged to read this policy carefully and, should you have any questions, please contact the data controller at:

Data Controller
Amanda Sullivan Physiotherapy
The Old Rectory Clinic
High Street
Iron Acton
Bristol, BS37 9UQ

Or by emailing privacy-info@pelvichealthphysio.co.uk.

This document is subject to change at any time.

Processing of your personal data

In our communications with you and in the provision of our service to you, under the GDPR, we control and/or process personal information about you using the following lawful bases:

Lawful basis: Legal obligation

  • The reason we use this basis: We are required by law to maintain complete records of the healthcare service(s) that we provide to you.
  • We process your information in the following ways: Hardcopy of client records including session notes, initial consultation notes and client overview form

Lawful basis: Legitimate interests

  • The reason we use this basis: To record contact and appointment details; to communicate with you; to liaise with your medical insurance company (where applicable).
  • We process your information in the following ways: For communication with you which may take place via telephone, email or letter.

Additionally, we process your special category data (i.e. your health records) using the following specific condition:

Specific condition: Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional as per Article 9(2)(h) of the GDPR

Collection of your personal data

In the provision of our service to you, it is necessary for us to collect the following personal data.

Standard personal information: Such as your name, address, telephone number, email address, date of birth.

  • Why this information is required: To record contact and appointment details; to communicate with you; to liaise with the provider of your insurance company (where applicable).
  • This data is retained for: Up to three months following the completion of your treatment. In the event that we collect this information but no treatment is provided then your data will be deleted up to three months after our last communication.
  • This information may be shared with: This data may be shared with the provider of your medical insurance (where applicable).

Special category personal information: Such as your medical history, sexual orientation, race and genetic history.

  • Why this information is required: As a healthcare provider, it is necessary for us to process your special category data. Without this information it is not possible for us to provide healthcare to you.
  • This data is retained for: There is a legal requirement for your health records to be retained; the precise duration depends upon your age and personal circumstances (please see the NHS Records Management Code of Practice for Health and Social Care 2016, linked at the end of this document, for more information). Generally, the retention period is as follows:
    • Adult health records: 8 years after final session
    • Child health records: until the child’s 25th birthday (unless the child is 17 when treatment ends, in which case the records must be retained until the child’s 26th birthday)
    • Maternity records (including all episodes of maternity care): until 25 years after the last live birth.
  • This information may be shared with: Your records may be shared with;
    • Your referring medical practitioner i.e. if you have been referred by your GP or consultant then we would notify them of the treatment you had received
    • Another medical practitioner (such as your GP) only with your consent i.e. if you wish for them to have a record of the treatment you receive

Additionally;

  • In order to safeguard you and the people around you, if you were to disclose that you were going to carry out harm to yourself or someone else then, under our duty of care, we would be obligated by law to inform the relevant authorities. This is to support you to live well and we would always aim to discuss this with you prior to contacting anyone.
  • If we were issued with a police warrant or court order for your information, by law we would also have to provide the relevant authorities with your information.

Your information rights and choices

Under data protection law, you have the following rights:

  • The right to be informed. You have the right to know: the name and contact details of our organisation, the purposes for processing your information, the lawful bases for doing so, the categories of data we will process, who we may share this with and for how long we will retain these types of information.
  • The right of access. You have the right to ask us for the data that we keep on you (known as a Subject Access Request). Subject Access Requests can be made verbally or in writing. We will act on a Subject Access Request without undue delay and within one month following the day of receipt however, we may extend this period by a further two months where a request is complex or where we have received a number of requests from you. We may also seek to confirm your identity prior to responding to your request. Where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request.
  • The right to rectification. You have the right to have inaccurate personal data rectified. Such requests can be made verbally or in writing. This right isn’t absolute, however, and we would be bound by our legal obligation to retain accurate medical records. We may seek to confirm your identity prior to responding to your request. We will act on such a request without undue delay and within one month following the day of receipt however, we may extend this period by a further two months where a request is complex or where we have received a number of requests from you. Where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request. Should we refuse to comply with any request for rectification we will inform you within one month from receipt of your request, notifying you of; our reason(s) for not taking any action, your right to make a complaint to the ICO or other supervisory authority and your ability to seek to enforce this right through a judicial remedy.
  • The right to erasure. You can request that we erase all records that we hold on you. Such requests can be made verbally or in writing. This right isn’t absolute, however, and we would be bound by our legal obligation to retain records of the treatment that you had received. Note also that the right to erasure does not apply to special category data “if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional)”. We may seek to confirm your identity prior to responding to your request. We will act on such a request without undue delay and within one month following the day of receipt however, we may extend this period by a further two months where a request is complex or where we have received a number of requests from you. Where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request. Should we refuse to comply with any request for erasure we will inform you within one month from receipt of your request, notifying you of; our reason(s) for not taking any action, your right to make a complaint to the ICO or other supervisory authority and your ability to seek to enforce this right through a judicial remedy.
  • The right to restrict processing. You can request that we restrict processing your personal information. Such requests can be made verbally or in writing. Note that, whilst such a restriction remained in place, we would not be able to provide medical care to you. We may seek to confirm your identity prior to responding to your request. We will act on such a request without undue delay and within one month following the day of receipt however, we may extend this period by a further two months where a request is complex or where we have received a number of requests from you. Where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request. Should we refuse to comply with any request for restriction we will inform you within one month from receipt of your request, notifying you of; our reason(s) for not taking any action, your right to make a complaint to the ICO or other supervisory authority and your ability to seek to enforce this right through a judicial remedy.
  • The right to data portability. Because we legally have to keep patients' notes and we are not using consent as our lawful basis for our handling of your data, you do not have the right to data portability in relation to your medical records. Such requests can be made verbally or in writing. We may seek to confirm your identity prior to responding to your request. We will act on such a request without undue delay and within one month following the day of receipt however, we may extend this period by a further two months where a request is complex or where we have received a number of requests from you. Where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request. Should we refuse to comply with any request for data portability we will inform you within one month from receipt of your request, notifying you of; our reason(s) for not taking any action, your right to make a complaint to the ICO or other supervisory authority and your ability to seek to enforce this right through a judicial remedy.
  • The right to object. You may object to our processing of your personal data if it is for direct marketing purposes or if the basis for processing is our legitimate interests. Such requests can be made verbally or in writing. This right isn’t absolute, however, and we may continue processing if there are compelling legitimate grounds for processing or if the processing were for the establishment, exercise or defence of legal claims. We will act on such a request without undue delay and within one month following the day of receipt however, we may extend this period by a further two months where a request is complex or where we have received a number of requests from you. Where a request is manifestly unfounded or excessive we may charge a reasonable fee for the administrative costs of complying with the request. Should we refuse to comply with any objection we will inform you within one month from receipt of your request, notifying you of; our reason(s) for not taking any action, your right to make a complaint to the ICO or other supervisory authority and your ability to seek to enforce this right through a judicial remedy.
  • The right to lodge a complaint. Although we would ask that you first contact us if you wish to raise a concern about our handling of your personal information so that we can attempt to resolve any issue, you have the right to lodge a complaint with a supervisory authority such as the ICO.

Internet cookies

We use cookies on this website to provide you with a better user experience and to determine/improve upon the effectiveness of our website. We do this by placing a small text file on your device / computer hard drive to track how you use the website. We use Google Analytics to collect information about how visitors use the site. These cookies do not collect information that identifies you.

Many web browsers such as Internet Explorer, Google Chrome or Safari, will allow some control over cookies through their settings. To manage your cookie settings, please refer to your browser software.

Data security and protection

We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR compliance requirement. Some examples of the security measures we implement include (but are not limited to); data handling training, regular password changes, data encryption, password-protected documents and locked access to hardcopy files (both in storage and in transit).

Transparent privacy explanations

We have provided some further explanations about user privacy and the way we use this website to help promote a transparent and honest user privacy methodology.

Resources and further information