Why and how we collect information and the type of information we collect.
We may ask for, or hold, ‘confidential patient information’ about you which will be used to support delivery of appropriate, safe and effective care and treatment. We need to be able to process such data (referred to as ‘data processing’) in all the locations where we provide care to you – whether that is in your home, or in the clinics.
The confidential patient information (and records of this information) about you, which we collect, hold and use may include personal data such as:
• Name, address, date of birth, next of kin.
• Contact we have had over time with you, such as appointments and home visits.
• Details and notes about treatment and care, including notes and reports about your health.
• Information from people who care for you and know you well, such as health professionals and relatives.
• Email address, IP address, and information regarding what Web pages are accessed and when.
If you pay for treatment or purchase a product from us, your card information is not held by us; it is collected by our third party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions.
It may also include more sensitive information (defined in the GDPR as ‘Special Category’ Data) such as details relating to your sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver appropriate treatment and care plans and to provide improved care, to meet your needs.
Information is collected in a number of ways, but here are some of the most commonly used:
• verbally when you are with your Podiatrist or Podiatry Assistant;
• manually when you fill in referral, assessment and other forms;
• when you use our website or online enquiry form;
• via electronic or postal communications or records completed by a nurse, GP, administrator, pharmacist or hospital-based staff;
• directly given by social services, carers, relatives and friends over the phone or in person.
How we use information.
• To help inform decisions that we make about your care.
• To ensure that your treatment is safe and effective.
• To work effectively with other organisations who may be involved in your care.
• To ensure our services can meet future needs.
• To review care provided to ensure it is of the highest standard possible.
• To train healthcare professionals.
• To send you communications which you have requested and that may be of interest.
• To notify you of changes to our services.
• To seek your views or comments on the services we provide.
• To remind you of upcoming appointments.
If you have any questions about how we are collecting and using your data, please don’t hesitate to ask our staff or contact our Data Protection Officer, whose details are set out at the end of this privacy notice.
Legal Basis for Holding and Processing Personal Data.
All patient data is held by Feet by Phil staff under a common law “duty of confidence” and we work on the principle that personal data is only collected when needed for us to provide your care. Wherever possible, however, data is pseudonymised or anonymised. In the past, on the basis of informed and express consent from patients to their treatment, there was an assumption of permission inferred from the act of giving this consent, that the individual’s personal data could also be processed for the purposes of providing their direct care. It was usual practice in healthcare organisations that this so-called “implied consent” meant that legally we did not need to explain why or how the data that we collected in this way was used or stored.
As from 25 May 2018 the GDPR specifies a new standard which requires patients to give a “clear affirmative act” when allowing Podiatry care staff to use their information. Therefore, the approach used previously does not fulfil the requirements of the new standard and nor would it qualify as “explicit consent” for us to process “special category” data or the health-related data we need to hold.
Feet by Phil will only use personal data in a way permitted by the law and this means that as from 25 May 2018 we will only process patient data and your data in accordance with common law and the lawful bases set out in Data Protection Law.
Processing personal data is deemed legal as defined in Article 6 of the GDPR, so long as at least one of the following applies:
1. purposes of the legitimate interests pursued by the organisation or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of their Personal Data, in particular where the Data Subject is a child;
2. to protect the vital interests of the Data Subject or of another person;
3. to perform a task carried out in the public interest or in the exercise of official authority given to the organisation;
4. to comply with legal requirements for the discharge of an organisation's tasks or functions;
5. because the processing is necessary for the purposes of a contract with the individual [for example, the person has an employment contract with Feet by Phil];
6. the Data Subject has given Consent to the processing of his or her personal data for one or more specific purposes.
In relation to the provision of Podiatry care provided by Feet by Phil the following should be taken into account:
a. in all situations subject to the interests and fundamental rights and freedoms of the Data Subject regarding the protection of their personal data, the processing of personal data will be undertaken within ‘legitimate interests’ and in (b) or (c) below, additional legal bases apply;
b. for emergency or life-threatening situations, the processing of Personal Data will be undertaken ‘to protect the vital interest’ of the person or persons involved or if the Data Subject is physically or legally unable to give consent as defined under the Mental Capacity Act (2005);
c. when required by ‘legal obligation’ to an authority such as a coroner’s court, security services or the police.
In practice we will now only use ‘consent’ as a basis for processing your personal data in specific situations where use of the information is within your choice and control and the processes involved are transparent.
Legal Basis for Holding and Processing Special Category Data.
As stated above, Special Category Data is Personal Data which the GDPR says is more sensitive, and so needs more protection. There is a general prohibition on the processing of Special Category Data subject to a list of exceptions. The prohibition and exceptions are set out in Article 9 of the GDPR.
In accordance with Article 9 Feet by Phil can process Special Category Data (pursuant to one of the exceptions) where it is necessary for any of the purposes outlined in Article 9 (2) (h), for example, for medical diagnosis or for the provision of health care or treatment or the management of health care systems and services, but only on condition that:
1. those purposes are fulfilled on the basis of UK law or pursuant to a contract with a health care professional.
2. the data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under UK law or rules established by a national body.
As far as Feet by Phil is concerned because our services are provided in accordance with UK law and pursuant to contracts with the patient which are under the responsibility of professionals who are subject to the obligation of professional secrecy as provided for by UK law we can process Special Category Data provided we continue to comply with the provisions of Article 9.
Our staff members are bound by legal, professional and contractual rules to ensure that they are qualified, trained and use competent and secure systems. In some circumstances for example, in relation to monitoring equality and diversity, we ensure that we have appropriate, specific policy documents which clearly outline the need for and the laws and rules which govern the processing of that data.
How is information stored and kept safe?
The laws and governance we have described also set out legally how we must store personal information including monitoring and managing the risk of ‘breach’ (for example data being lost or sent to a third party in error). Strict policies and procedures govern our use of your personal data and our duty to ensure it is kept safe and secure.
Information is retained in secure electronic and paper records on our information systems and accessed by staff through desktop computers. Paper records are kept securely locked away when not in use, or are held by the patient themselves, and key holders are strictly monitored. Such access is strictly restricted to staff provided with the equipment, passwords and other security devices we use to ensure that only those people who need to see your Personal Data in order to process it correctly can do so.
Ensuring that our staff and patients are aware of the importance of keeping personal records safe and secure at all times is also a key element of risk management around safety and security of record keeping. Staff sign up to their obligation of secrecy in their employment contracts and policies and procedures provide written, regularly updated guidance on our approach to storage and archiving Personal Data.
This is backed up by training commencing with induction when members of staff arrive, ongoing update training and special training if required (e.g. for staff who archive records) and audit to make sure that policies and procedures are being followed correctly.
How do we keep information confidential?
The reason why Personal Data is kept safe and secure is to protect your privacy and confidentiality. There are a number of ways in which your privacy is shielded; by removing your identifying information, adhering to strict contractual conditions, having up to date policies and procedures that all our staff are trained to follow, ensuring strict sharing or processing agreements are in place with our partners and auditing to make sure that staff are following the correct procedures.
Everyone working for Feet by Phil is made aware during their induction that they are subject to the Common Law Duty of Confidentiality, the GDPR and UK Data Protection Act (the Data Protection Laws) and our own Data Protection, IT Security and Information Governance policies and procedures.
All our staff are required to inform you, or people caring for you, of how the information they collect will be used, to explain the basis upon which we keep your data on our systems and share it where necessary. These conversations will be noted in your records and you have the right to view these if you wish to.
How long do we keep Personal Data?
Under Data Protection Law we must not keep any Personal Data for longer than we need to or process your data following your discharge from our service without explanation. Retaining records and archiving is covered in our Records Management Policy and Procedures, which is followed by all relevant staff and departments. Patient records are kept for the length of time that is required by the Governing society code of practice.
Who will the information be shared with?
We cannot share or use any of your information unless it is necessary and in line with how you would reasonably expect the data to be used. Any sharing that takes place will always be in compliance with Data Protection Law. To provide the best care possible, sometimes we will need to share information about you with others. We may share your information with a range of Health and Social Care organisations and regulatory bodies. You may be contacted by any one of these organisations for a specific reason; they will have a duty to tell you why they have contacted you. Information sharing is governed by specific rules and law and recorded on the register with the Information Commissioner’s Office.
Sharing with other Healthcare organisations.
So long as there is a lawful basis for us to do so in accordance with Data Protection Law, we may also need to share information from your records with other Healthcare organisations, from whom you are also receiving care, such as social services or private healthcare organisations. However, we will not disclose any health information to third parties unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires the disclosure of information.
Other organisations may include, but are not restricted to: GPs, private sector hospital, specialist and community services, social care providers, education services, local authorities, the police, voluntary sector and other private or voluntary sector providers (e.g. health sector, podiatrists).
We may also be asked to share basic and special category information about you, which may include sensitive information from your health records. Generally, we would only do this to assist them to carry out their statutory duties (such as research into uses of healthcare services, public health or participation in national audits). In these circumstances, where it would not be practical to obtain your explicit Consent, we need to inform you through this notice so you know that we may be required to share your information for these purposes at some stage in the future.
What happens if there is a Personal Data Breach and you are involved?
Any incidents involving loss of Personal Data will be reported as incidents on our systems. Not all such breaches will require further action, but all will be investigated internally, and what happens next is based on what data has been exposed and what risk that poses. If we discover that a breach is likely to result in a risk to your and other people’s rights and freedoms or will adversely affect them, we will inform you under our Duty of Candour without delay and report to the Information Commissioner’s Office (ICO) within 72 hours.
Under our contracts with partners, organisations or individuals processing your Personal Data on our behalf are required to notify us in the event of a breach. It is then our responsibility to report to you and to the Information Commissioner’s Office (ICO).
Our staff are trained in the policies and procedures relating to incidents of this kind and in supporting our responsibility to you under the Duty of Candour.
Can I access my information?
Information requests
If you have a request for a specific piece of information or for one of our policies or procedures, please contact us either using the online form on our website, or by calling or writing to us using the contact details below.
Under Data Protection Law, you may request access to information (with some exemptions) that is held about you and, as soon as we have verified your identity, and so long as it will not adversely affect the rights and freedoms of others, we will provide it free of charge and respond to your request within one month* of receiving it.
Contacting us about your information
We have a senior member of our management team who is responsible for protecting the confidentiality of your information.
If you have any questions or concerns regarding the information we hold on you, the use of your information or would like to discuss further, you can contact the Feet by Phil’s owner by using the routes below.
Post: Feet by Phil – Podiatry Service
Data Protection Officer
70 Quantock Road
Windmill Hill
Bristol
BS3 4PE
Email: Feetbyphilpodiatryservice@gmail.com
Phone: 0117 9080916