top of page
MJS Osteopathy’s Data Protection & Privacy Policy


 

Background

 

  • General Data Protection Regulation (GDPR) – enforcement date 25th May 2018.

  • Most recent update 26th May 2020.

  • Applies to all companies processing and holding data in EU.

  • Data includes; customers, employees, suppliers.

  • Personal Data is any info related to a person that can be used directly/indirectly to identify a person (name, photo, email, bank, social media post, medical info).

  • Regular data processing is the collecting, storing and use of personal data.

  • Data Processor – processes info on behalf of a controller.

  • Data Controller – defines purpose, conditions and use of personal data.

  • Fine for serious breaches.


 

Personal data collected, used and stored by MJS Osteopathy (MJSO)

 

Insurance (paper and mobile devices), GOSC details (paper), Bank details (online banking - password protected), Personal Data (mobile devices), contact details (mobile devices), social media contacts (mobile devices).

 

*mobile device – phone, iPad, laptop (all password protected)

 

Patients – booking system online

 

  • Patient notes – mobile devices.

  • Data stored includes – contact details, personal details, sensitive medical details (as required for the service offered by MJSO and regulated by GOSC).

  • GP details.

  • Patients’ personal, medical and health information will be stored within our electronic data processing system. Any system used by MJSO will be required to meet GDPR requirements and we also will require that any party holding information is registered with the Information Commissioner’s Office (ICO).

  • Only persons making bookings, bookkeeping or administrating for MJSO will have access to the data stored in the booking system.

  • Only registered osteopaths representing MJSO have access to medical notes and information about your health.

  • If medical notes need to be printed and transported (for the facilitation of home visits or corporate visits) then they will be kept in a container which will remain on the person of the osteopath at all times until shredded (only shredded if an electronic copy is kept).

  • Professional medical letters (names, GP, medical info) stored on password  protected database. (Two lines of security – device code, database password).

  • Receipts with personal details on are handed over in person or emailed using only an email address confirmed by the patient. 

Booking system – mobile devices

  • Contact details – telephone, email, name.

  • Accessible by mobile devices – which are password protected: Reception personnel (for booking appointments and taking payments), Osteopaths (for booking appointments and running clinics), Director (for monitoring clinic availability) and Bookkeeper (for bookkeeping).

  • Current booking system is ‘Cliniko’, who facilitate for full GDPR compliance and are registered with the ICO.

  • Cliniko uses emails and text messages to confirm and remind patients of appointments. The emails are sent to the patient and clinic facility only.

  • There are no mailing lists used for marketing unless specifically agreed to by patients.

  • To increase security, any holder of one of our Clinko accounts must have a password protected mobile device. The system automatically times out any session if left inactive.

Suppliers – Contact details of previous suppliers

 

  • Suppliers – Contact details of previous suppliers (stationary, equipment, clinic room rent) who’s details are widely available online. 

 

The data we obtain is stored and is only used to facilitate further patient bookings or treatments. We do not share or distribute information to any other party. We use contact detail information to contact patients only for the purpose of providing due care as regulated by the General Osteopathic Council. We do not use contact information for advertising purposes unless specifically agreed to by our patients. Our employee and contractor’s data is stored to provide professional certification as required by the Osteopathy governing body. Data is not used or processed any further than this.


 

Consent

 

  • Must be given in intelligible and easily accessible format. With the purpose for data processing attached to that consent. Language must be plain and clear. It must be as easy to withdraw consent as to give it. Parental consent must also be given in less than 16 years old.  

  • Our stored data comes directly from a patient, contractor or employee. There is no 3rd party data.  

  • Patients are asked for their contact details when booking their initial appointment. We explain that their details are stored on our booking system but are kept confidential. If people give their details this is therefore implied consent. They also give specific consent to be contacted via phone or email on their initial appointment. This form is then signed by the patient or completed via a link sent only to their email address. During the coronavirus pandemic, an electronic form sent via an email link is deemed sufficient consent.

  • On the initial appointment patients are given a medical consent form to sign which explicitly and clearly explains that we store their medical details for 8 years (or until a child’s 25th birthday) confidentially in order to provide their treatments and is seen only by Osteopaths. Only Osteopaths have access to the sensitive medical details.

  • Sensitive medical information is only shared (verbally or written) with other medical professionals with explicit informed consent from the patient. This is a key part of professional confidentiality. Letters are posted to a named person or given directly to the patient themselves to hand to their Doctor in a sealed envelope. 

  • Our non-sensitive data is processed only by osteopaths, directors, receptionists, bookkeeper and managers of MJSO in order to manage clinic requirements using patient statistics. This data is not distributed in any way.

  • Employee and contractor’s data (contact details, contracts and professional data) is stored in a locked filing system and kept confidential. The only people with access to this are the directors and managers of MJSO.  

  • Social Media – any social media posts that have quotes from patients have been anonymised and explicit consent gained that their quote is to be put on a social media site.  

  • Children (under 16 Years) are required to have parental countersignature to give consent for treatment and therefore storage of their medical information. 


 

Privacy by design

 

  • Data should be held and processed as absolutely necessary for the completion of duties (data minimisation). Access to data should be limited to those needing to act.  

  • MJSO limits patient sensitive data to the osteopaths involved in their care only. Contact data is stored only for use when booking patients in. It is not processed or distributed any further.  

  • Medical notes are stored for 8 years (if adult) or until a child’s 25th birthday as per the Osteopathic regulating body (GOSC) guidance.

 

That the data controller should erase their personal data when: 

    a) The data is no longer relevant to the original purposes of processing 

    b) Data subject withdraws consent 

 

For MJSO patient medical data is stored for 8 years (or until the child's 25th birthday) in line with recommendations from the Osteopathy governing body. Should the subject request that their contact details are removed from the booking system this will be carried out immediately, however their medical records are stored as per legal requirements. 

 

For MJSO employee data this is stored for 5 years after they have finished working with MJSO, the data is then confidentially deleted or destroyed. The method of data deletion is confidential shredding for paper documents and deletion of data stored on electronic devices. 


 

Security

 

  • Our paper records are stored in a locked filing system within the clinic. Only the director has key access to this filing system.  

  • Patient notes are created and stored through the booking software that is used has a password security feature. Osteopaths, directors, bookkeepers and reception personnel have access to the booking software. There is no sensitive medical data accessible to anyone other than MJSO osteopaths through the software.


 

Data Protection Officer

 

Only required if the company is:

     a) Public authority 

     b) Does large scale systemic monitoring 

     c) Large scale processing of sensitive data 

 

As MJSO does not meet any of these specifications a data protection officer is not required.


 

Data Breach

 

  • A data breach for MJSO would consist of medical notes or the booking software being compromised.  

  • Serious breaches must be reported to the Information Commissioner’s Office, within 24-72 hours. Serious breaches are those which risk the rights and freedoms of individuals (discrimination, financial loss, loss of confidentiality). This is not likely for MJSO given the data we hold on patients.  

  • MJSO staff are trained as to what constitutes a data breach and are required to inform a director immediately. The Director will then manage the data breach.

 

Your Data

Upon request MJSO can confirm what information it holds about you and how it is processed.

Data subjects can request the following information:

  • Identity and the contact details of the person or organisation MJSO that has determined how and why to process your data.

  • The purpose of the processing as well as the legal basis for processing.

  • If the processing is based on the legitimate interests of MJSO and information about these interests.

  • The categories of personal data collected, stored and processed.

  • Recipient(s) or categories of recipients that the data is/will be disclosed to.

  • How long the data will be stored.

  • Details of your rights to correct, erasure, restrict or object to such processing.

  • Information about your right to withdraw consent at any time.

  • How to lodge a complaint with the supervisory authority (ICO).

  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.

  • The source of personal data if it wasn’t collected directly from you.

  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.


 

Subject Access Rights

 

  • Right for data subjects to obtain whether information on them is being processed, where and for what purpose. If requested the controller shall provide a copy of personal data free of charge in electronic format.  

  • Right to access all personal data, on request from the subject, will be completed within 1 month.

  • Right to information - about what data is being processed and the rationale for such processing.

  • Right of rectification to correct data that we hold about you that is inaccurate or incomplete.

  • Right to be forgotten in certain circumstances to ask for the data we hold about subjects to be erased from our records.

  • Right to restrict the processing of data. 

  • Right of portability to have the data we hold about data subjects transferred to another organisation.

  • Right to object to certain types of processing such as direct marketing, automatic processing or profiling. 

In the event that MJSO refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge.

 

Access to Data

To access what personal data is held, identification will be required

MJSO will accept the following forms of ID when information on your personal data is requested: a copy of your driving licence, passport, birth certificate.

 

Queries & Complaints

If you have any queries about how MJSO uses or processes your data please contact us directly via email or phone call.

 

In the event that you wish to make a complaint about how your personal data is being processed by MJSO you have the right to complain to us. If you do not get a response within 30 days you can complain to the ICO.

bottom of page