Data Protection Policy

Data Protection Policy

Fiona McDevitt Integrative Health Ltd

May 2018

Statement of Policy

Fiona McDevitt Integrative Health Ltd aims to achieve the best possible standards of protection for all the data, including personal, sensitive and medical data, which it collects and processes. It is committed to compliance with the requirements of the Data Protection Acts and the General Data Protection Regulations of May 2018.

Fiona McDevitt Integrative Health Ltd recognises its responsibilities, and will comply with, all relevant statutory legal requirements. It recognises its obligations to manage and achieve adequate standards of Data Protection on behalf of any patients, employees or others, who provide it with Personal Data. It recognises its responsibilities in terms of the collection of, storage of, retention of, sharing of, providing access to and the correction of inaccurate information. It recognises the rights of individual patients / data subjects to access to, to correction of, deletion of or portability of their data, and will comply with the GDPR in this regard – or will provide a full explanation where any conflict arises as set out in this policy.

It will carry out a regular audit of the types of personal data which it holds and processes. It will assess the risks associated with the data it processes and will takes the necessary measures to keep it safe and to comply with the legislation. It will provide appropriate instruction, training, information and supervision of any person who may process the data. It will provide for review periodically, in light of experience and changing circumstances in the future, but at least annually.

The legal basis for the processing of data in this clinic is by explicit consent and as a necessary requirement for the provision of physiotherapy / health care, for diagnosing a condition and for the treatment of that condition. The processing may also comply with the legitimate interests of the therapist and the patient and / or employee (employment contracts).

The purpose of collecting personal data from patients is to use this to arrive at a diagnosis and to inform the treatment plan.

The data may be stored in a variety of means as set out in this policy. All data is kept secure and considered confidential. Data may be shared with patients GP or other referring source, and will only be shared with other third parties with the written consent of the patient as set out in this policy.

The retention period for personal data is normally 7 years (beyond the age of maturity in the case of a child) except in exceptional circumstances.

It is recognised that in co-operating with this policy patients, employees and others will comply with the requirements of this policy. They will report any concerns about data protection to the practice without delay so that such concerns can be investigated.

 

Fiona McDevitt Integrative Health Ltd Profile

Fiona McDevitt Integrative Health Ltd is a small private practice offering out-patient physiotherapy, craniosacral therapy and manual lymph drainage services to the general public. This is a sole practitioner practice. Some services are provided outside of the practice premises – sports physiotherapy, health + Safety / ergonomic consulting, training, and some home based physiotherapy services.

The clinic occupies its own premises, a full suite within a medical centre with its own entrance from the street.

The clinic is laid out in three rooms – a waiting / reception area leading to two separate rooms. There is access to a toilet off the passageway from the waiting room to the treatment room. The second area contains a locked filing cabinet and other practice records in ring binder folders on shelving, and the door in is secured with a keypad lock.

There is a desk area within the larger treatment room against the wall. The practice Computer is located here with all accessories needed to link to the internet. The PC is password protected. There is an external hard drive for daily back up files and an additional external hard drive for monthly back up is stored securely outside of the practice premises.

The practice uses a clinical management software programme to collect demographic details for each patient, a diary function to keep records of attendances and can provide business related statistical reports as needed. This program is password protected for each individual with access to it. Therefore the system maintains a log of access. No clinical notes are currently recorded within this system beyond region of body injury and number of treatments attended. Clinical notes for current and new patients, from May 2018 onwards, will be stored on the clinical management software system.

Clinical Records are produced on paper record at present and have been since the practice commenced. A written record is maintained of each visit / attendance by a patient. Any reports, letters or other relevant materials are copied and the originals returned to the patient. DVD disks may be reviewed from time to time with MRI or other information on them but no copy is made – a note is made of anything relevant from them on the patient record. Clinical and other business letters are stored in a separate password protected folder on the PC. TO DO No laptop is used in relation to practice matters.

Current Patient Records are currently stored in a locked filing cabinet in a room with a keypad lock on the door. Non-current Patient Records are stored within the locked filing cabinet in the second room locked with keypad.
Long term discharges (>7 years since last contact) have been archived and stored securely up to the present. A programme of deletion of these records will be undertaken in the coming months and should be completed by mid-2019.

Employment Details
The clinic employs 1 person full time, the owner, practice principal and sole practitioner.
The clinic principal is the Data Controller for the purposes of this policy.
Any other employee(s) will act as Data Processors.

From time to time part time locum chartered physiotherapists may be employed, either on a contract or on a self-employed basis as required.

From time to time third party contractors are employed to complete development or routine maintenance works. All such persons report directly to the practice principal. The practice principal is usually present during these works. If they are unsupervised steps are taken to ensure all personal data is left secure, safe, protected from them and unavailable to them. Persons working in the clinic will normally work alone.

 

(Employee) Co-operation

All employees, or others attending this clinic as patients, visitors or contractors, will co-operate fully with the arrangements made by the clinic, as set out in this policy, for the protection of Personal Data.

Anyone with concerns about Data Protection issues should immediately report all such concerns to the practice principal, so that they can be investigated and acted upon appropriately without delay.

Any employee, or other person, is expected to comply with the requirements of this policy so that the clinic may remain compliant with the Data Protection Acts and the GDPR Any employee, and other person, is expected to avoid causing a breach of Data Protection by any of their actions.

Any employee, working as a data processor, is reminded that they have specific statutory responsibilities under the Data Protection Acts and the GDPR.  

 

Compliance & Disciplinary Policy

When advice and persuasion fail, and a patient, an employee, or other person continues to fail to comply with the requirements of the Data Protection Policy, it is the policy of Fiona McDevitt Integrative Health Ltd. to pursue the matter through an appropriate disciplinary code or other appropriate action.

Compliance with the arrangements set out in this Data Protection Policy is required of all employees, patients and visitors – it is not optional!

Compliance with the arrangements set out in this Data Protection Policy will be a requirement of securing contracts / the provision of services or products. Where a contractor fails to comply with, or to heed, representations made to him / her by the practice principal, then the clinic may seek to cancel the contract forthwith.  

 

Communication + Consultation

A statement of Policy will be prominently displayed in the waiting / reception area.

The Data Controller for this business is the practice principal, Fiona McDevitt. All personal Data is collected and used for the following purposes.

  1. To provide demographic + Contact Details of patients, and other persons, necessary for the normal running of a physiotherapy, craniosacral therapy and manual lymph drainage therapy practice business – i.e. Patients, doctors, consultants, legal advisors, business managers, other employers etc.
  2. To provide Clinical Information necessary for the development of a clinical picture, to be able to make an appropriate clinical evaluation of a patient’s condition and to arrive at an appropriate diagnosis in order to develop a treatment plan and to accurately record any treatment given and opinions arrived at.
  3. To provide a basis for developing Physiotherapy Reports for medical referees, GPs, Consultants and others who may reasonably require them. Patient’s data will not be shared, other than with the original source of a referral, without the patient’s permission. Where the patient specifically requests it they will be notified of any communication with the source of referral also.
  4. To provide an accurate record of all contact with, all clinical evaluations and opinions, treatments, response to treatment and professional opinions.
  5. To provide reasonable business related information to facilitate the normal business activity of a commercial physiotherapy practice – HR information, pay related information, taxation related information.

Patients or others with any concerns about matters related to Data Protection should discuss these directly with the practice principal, who is the Data Controller, and as such has the ultimate responsibility for such matters.

For the purposes of this policy the Data Protection Officer is also the practice principal / the Data Controller as it a small business with a minimal management structure.

The practice principal will consider all such concerns expressed and will act to minimise any risks identified as he sees fit. In the event of a Breach of Data Protection he will respond in accordance with the procedures set out in this policy.

Because of the size of the clinic no formal system or arrangement has been made for consultation with patients, employees or others in matters of Data Protection. All such matters should be discussed directly with the practice principal.  

 

Personal Data Audit (Collection)

The Personal Data that this practice collects and processes is as follows: 

  • Personal contact details of individuals may include:
    1. Title
    2. Name
    3. Address details
    4. Telephone numbers – landline + mobile
    5. Email addresses.
    6. Age / Date of Birth
    7. Male or Female Gender
    8. Next of Kin/Emergency Contact Name and phone number
  • Patient’s clinical information may include the following
    1. Subjective examination – what the patient tells me on questioning
    2. Any reports, letters of referral etc.
    3. Objective evaluation – what I find on clinical testing of the patient
    4. Clinical Assessment / diagnosis / Professional opinion
    5. Treatment Plan
    6. Treatment provided
    7. Clinical Summary / Discharge Summary
  • Employee Details / Locum Details
    1. Personal contact details as above
    2. A Curriculum Vitae
    3. Human Resources Information – performance reviews, employment contract, letters of commendation, letters of complaint, accident reports, sickness certificates / sickness records, CPD records and other related material
    4. Financial related information – PPS number, Tax Status etc.
  • Contact Details of other Individuals Businesses + of their Management.
    1. May include some financial and banking details for SEPA payments
    2. Sports Clubs Personnel including Team managers, coaches and club management
    3. Professional Body contact details.
    4. Course attendee listings / contact lists  

 

Personal Data Audit (Storage + Retention)

This practice stores the Personal Data records it has collected in the following manner 

  • On its patient management computer program (Physiolinked) on the practice computer
    1. Patient contact details
    2. Body Region Injured
    3. Number of attendances / non attendances
    4. Type of billing item – treatment, product
    5. Referral Source
  • On paper based Clinical Recording Sheets (changing to computer patient management programme)
    1. Subjective examination
    2. Objection Examination
    3. Clinical / professional opinion
    4. Treatment plan
    5. Treatments provided
    6. Dates of attendance
    7. Copy of signed consent form
    8. Copy of letters/Medical Investigation results e.g. MRI
  • On the Practice Computer
    1. Letters to Patients, their Doctors, referral Sources,
    2. Email addresses for business and some patient related communication
    3. Health + Safety / Ergonomic reports
  • In the Locked Filing Cabinet
    1. Non-Current Patient records
    2. Ergonomic Assessment + Reports
    3. HR Records
    4. Business Related Records – Accounts, taxation, insurance, investment
  • On shelving Unit, paper based records in ring binders
    1. Aged Financial Records
    2. Safety Records
  • On External Hard Drive attached to PC
    1. Archived records for Health + Safety consultancy
    2. Archived Ergonomic Reports
    3. Archived Letters – including business and clinical letters
    4. Archived Committee minutes and other committee related records
  • On External Hard Drive for monthly back up stored outside of practice.
    1. Physiolinked Database back up files
    2. Archived Letters back up
  • Principal Residence
    1. Non-Current Patient Records > 10 years since last contact

 

Child Data

This Practice shall seek appropriate valid consent from the child / patient/vulnerable adult and from their parent / guardian before any personal data is collected or before any physiotherapy is initiated in accordance with the ISCP policy on consent.

The need for data and how it will be processed will be explained to a child/vulnerable adult in a manner they can understand.

The personal data of child/vulnerable adult patients will be retained for 7 years past their 18th birthday, or beyond their last attendance.

Children’s data is used only for clinical purposes and no other use is permitted.

For the purposes of this document the following definitions apply

  1. Child – is a person under the age of eighteen (other than a person who is or has been married).
  2. Vulnerable adult - A vulnerable adult is a person aged 18 years or over who may require assistance to care for themselves, or protect themselves from harm or from being exploited. This may be because they have a disability (either mental health, intellectual or physical), a sensory impairment, are old and frail, or have some other form of illness.
  3. Parent – is the natural parent, the adoptive parent or the adopting parent in respect of a child, or is the person(s) acting in loco parentis to the child.
  4. Guardian – is a person having the right and duty of protecting the person, property or rights of another who has not the legal capacity or is otherwise incapable of managing his/her own affairs.
  5. Legal guardian - in relation to a child, means any person who is the guardian of a child pursuant to the Guardianship of Infants Act, 1964 or who is appointed to be his or her guardian by deed or will or by order of a court; (Children Act, 2001)..
  6. Treatment and Intervention - are used interchangeably throughout the document.
  7. Patient and Client - are used interchangeably throughout the document.

Minors between their 16th and 18th birthday may give their own consent to medical, dental and surgical procedures. (The Non-Fatal Offences Against the Person Act) This practice will normally also try to inform the parents / guardian of the proposed examination and treatment. It is normally preferred to have a parent / guardian present during all assessment and treatments of patients under the age of 18 years.

A parent or guardian can/must consent to treatment for all children and vulnerable adults (in certain cases). Sufficient information will be provided to ensure that such decisions are made on an informed basis.

Only persons who have guardianship (parental responsibility) can consent on behalf of a child. Consent for a child can be given by the following person(s):

  1. The mother
  2. The child’s father if married to the mother currently or in the past.
  3. The child’s father who, if not married to the mother, has acquired guardianship via a court order (guardianship rights in relation to his child).
  4. The child’s father when a guardianship agreement has been established between the mother and father.
  5. The child’s legally appointed guardian, appointed by a court or by a parent with parental responsibility in the event of their own death.
  6. A person in whose favour a court has made a residence order concerning the child.

The Health Service Executive can give consent in relation for a child who is under Statutory Care i.e. an Order has been made by the Court under Section 18 of the Child Care Act, A variety of situations may exist and clarity should be sought as appropriate for those in Voluntary care, Emergency Care Order, Interim Care Order, Care Order and Foster Care.

The Parent is themselves a Child/Vulnerable Adult similarly some clarification should be sought as a child by definition is legally incapable of providing a valid consent themselves.

In situations where the parent him / herself is a child, then: In loco parentis have limited rights to act in loco parentis, until the person with guardianship (parental responsibility) can be contacted.

 

Consent Policy

This Practice shall seek appropriate valid consent from the patient before any personal data is collected or before any physiotherapy, craniosacral therapy or manual lymph drainage is initiated, in accordance with the ISCP policy on consent.

Consent for Data Protection Purposes

There are new and specific requirements with regard to consent when collecting and processing personal data. This data / information must be

  • freely given,
  • specific, 
  • informed
  • unambiguous
  • verifiable
  • include a positive indication of agreement ]

A patient has the right to withdraw consent for Data processing at any time and exercise of this right must be notified to Any Physio.

The practice principal in this clinic, Fiona McDevitt - the Data Controller, will provide a form on which to record consent for data processing. This consent form will form part of the audit trail.

This policy applies to all Chartered Physiotherapists and other therapists working within the Practice.

It is the responsibility of all chartered physiotherapists and other therapists to ensure that consent is obtained for all interventions.

Treatment and Intervention are used interchangeably throughout the document.

Patient and Client are used interchangeably throughout the document.

Obtaining Consent

Consent is a patient’s agreement for a Physiotherapist to collect their personal Data. This consent will be recorded on a consent form.

Consent is also patient’s agreement for a Physiotherapist to provide care. It is a basic requirement under common law. Consent must be obtained prior to clinical examination, treatment or investigation. This is separate from consent to data processing.

Consent will not be obtained from a patient whose ability to provide consent is impaired.

Patients have the right to refuse consent for data collection, storage or processing. But this may make it impossible to carry out a physiotherapy evaluation and treatment.

Emergency

In a life-threatening emergency situation where a patient is unable to consent or to appreciate what is required, a physiotherapist may administer emergency treatment in the absence of the expressed consent of the patient. This is known as the Doctrine of Necessity. This is a common law doctrine developed through case law. It applies to an emergency situation where the clinician treats a patient in the best interests of the patient.

Consent for processing of personal data, or the withholding of consent must be recorded by the Physiotherapist. Patients, as data subjects, may withdraw consent at any time.

Consent is valid when it is:

  1. Given voluntarily;
  2. Given by a person with capacity to consent;
  3. Informed; and
  4. Given by someone entitled to give consent.

Informed consent protects the individual's freedom of choice and respects the individual's autonomy.

 

Consent for Data Collection

Consent for Data Collection, Processing and Retention
Fiona McDevitt Integrative Health Ltd

Fiona McDevitt Integrative Health Ltd collects and processes sensitive, healthcare related personal data on the basis of your explicit consent, and in order to form an opinion about, and to diagnose your presenting condition. Your personal data will not be used for any other purpose.

Your data will be processed in a fair manner and retained by Fiona McDevitt Integrative Health Ltd for a period of 7 years after your last attendance. Your data will be stored securely and protected during this time as set out in our Data Protection Policy which is available to you if you wish to have it.

Your personal data may be shared with the person who referred you for physiotherapy, with your family doctor (GP), with a medical consultant or other specialist practitioners. Other examples of people with whom your data may be shared with, subject to your prior agreement, include your Legal Advisors, employers, Insurers, team/club medical staff+ management in order to facilitate your return to normal activities. Your Data will not be shared with any other third party outside of the Clinic without getting you permission to do so.

Your data will not be subjected to automated processing by this clinic.

You have a number of rights in relation to your personal data held at this clinic.

These include

  1. the right to request from us access to and rectification or erasure of your personal data,
  2. the right to restrict processing, object to processing as well as in certain circumstances the right to data portability
  3. The right to withdraw your consent for the processing of your data (in certain circumstances) at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
  4. The right to lodge a complaint to the Data Commissioners Office if you believe that we have not complied with the requirements of the GDPR or DPA with regard to your personal data.

The Data Controller and the Data Protection Officer is the Practice Principal:

Fiona McDevitt I agree to my Personal Data being collected and processed by Fiona McDevitt Integrative Health Ltd.

Patient Name:__________________________________________ Date:

Guardian / Parent _______________________________________ Date:

 

Privacy Notice for Employees Data Collection + Processing

Privacy Notice:

How your information will be used

  1. As your employer, the Clinic / Company need to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately,
    • during the recruitment process,
    • whilst you are working for us,
    • at the time when your employment ends and after you have left This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of the Clinic / Company and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
  2. As Physiotherapy Clinic pursuing business activities, we may sometimes need to process your data as a result of your employment contract or to pursue our legitimate business interests, for example to promote the Clinic Team members skills on our website. We will never process your data where these interests are overridden by your own interests.
  3. Much of the information we hold will have been provided by you, but some may come from other sources, such as referees.
  4. The sort of information we hold includes your application form and references, your contract of employment and any amendments to it; correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; information needed for equal opportunities monitoring policy; and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records.
  5. You will, of course, inevitably be referred to in many company documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the company. You should refer to the Data Protection Policy which is available on request or in paper format from the practice principal.
  6. Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay.
  7. Where we process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, we will always obtain your explicit consent to those activities unless this is not required by law or the information is required to protect your health in an emergency.
  8. Where we are processing data based on your consent, you have the right to withdraw that consent at any time. In addition, we monitor computer [and telephone/mobile telephone] use, as detailed in our Computer/telephone/electronic communications/expenses policy, available from the practice principal. We also keep records of your hours of work by way of our clocking on and off system, as detailed in your employment contract.
  9. Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to payroll provider, auditors, pension or health insurance schemes. We may transfer information about you to other group companies for purposes connected with your employment or the management of the company’s business. In limited and necessary circumstances, your information may be transferred outside of the EU. We have in place safeguards to ensure the security of your data.
  10. Your personal data will be stored for a period of 7 years following your employment ending.
  11. If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
  12. Your rights under the General Data Protection Regulation (GDPR) and The Data Protection Act (DPA) with regard to your personal data. You have
    a. the right to request from us access to and rectification or erasure of your personal data,
    b.
    the right to restrict processing, object to processing as well as in certain circumstances the right to data portability

    c. The right to withdraw consent if you have provided consent for the processing of your data (in certain circumstances) at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
    d. The right to lodge a complaint to the Data Commissioners Office if you believe that we have not complied with the requirements of the GDPR or DPA with regard to your personal data.

Fiona McDevitt is the Data Controller and processor of data for the purposes of the DPA and GDPR.

If you have any concerns as to how your data is processed you can contact:

Fiona McDevitt
Tel: 0872226878
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Practice Principal / Data Protection Officer. 

 

Access Request Policy

Fiona McDevitt Integrative Health Ltd will provide access to a full copy of the personal data which it holds on any individual on receipt of a written request for same. An informal request will be sufficient to begin the process of retrieval and copying of the data.

The data will be made available to the patient / data subject on receipt of a written request. The written request must identify the data subject clearly and specify precisely what data of theirs the request applies to. The request in writing permits the clinic to maintain a clear audit of its records.

A copy of the data record will be provided in hard copy and either delivered by

  1. Hand
  2. Mailed to a specific name and addressed person
    The transfer of the data record needs to be documented and recorded itself to provide an audit trail.

Electronic copies can only be provided where it has been requested in this format and will be sent to a specified email address that is specific to a named recipient as set out in the original written request for the access / copy of the record. A ‘read’ or ‘opened’ or ‘delivery’ receipt will be requested from the email service provider in order to provide an audit trail.
Alternatively the data subject may provide a media device where the electronic record can be transferred and a written confirmation of receipt will be requested.

All email that includes personal data will be sent to specific named individuals email addresses.

Where a request is made to correct the data record the request to do so must specify exactly which data in the record is incorrect, and if possible indicate what change needs to be made in the record in order to correct it.

Changes to the electronic record within Physiolinked – the clinic practice management system – is straight forward enough. The system maintains a log of all actions taken. In this situation it is a simple alteration of factual information.

Where there is a difference of opinion the therapist may need to provide additional information to explain how they have come to a particular opinion or on what basis it has been arrived at. Professional and clinical opinion may be altered in light of new or additional information being provided but it does not necessarily negate the opinion reached up to that point .i.e. the processing that has been completed up to the time the request to alter or change was made.

Changes to a hard copy record / patient notes are made in a written form with an explanation for the action taken. The incorrect data is identified and highlighted but not removed or blanked out completely – the corrected information is added to the record and annotated where the original text occurs in the record. Incorrect or data otherwise to be changed may be highlighted by using a highlighter pen, by enclosing in brackets and / or by drawing a single line through the text The text in question should remain legible but clearly identified as having been altered.

Where a conflict arises between the rights of the data subject and the data controller – Fiona McDevitt Integrative Health Ltd – Fiona McDevitt will make contact with the data subject and outline the nature of and implications of the conflict, in order to achieve a mutually agreeable solution. i.e. where the data subject may request deletion of a record but there is a legal requirement for the clinic to retain it.

Once the requested change or deletion of a record has been completed the clinic will provide confirmation of having done so to the data subject.

 

Sharing Data / Transfer of Data Policy

Fiona McDevitt Integrative Health Ltd will not normally share your personal data with any other person or organisation. It is the policy of the clinic to seek and receive your permission prior to doing so.

However it is understood that your personal data may be shared with the person who has referred you for assessment and treatment should this be appropriate – a GP, a medical consultant, your legal advisors. It is normal to communicate to them the results of having assessed and treated you and the professional opinions arrived at.
You may, if you wish, restrict this communication by requesting that it be done only on your specific consent to do so.

Your consent will be required to share any information about you with any other third party. Your consent will be sought and recorded in your personal record / patient notes.

A written request will be required wither from you, the data subject, or from the third party themselves setting out clearly whom they wish information about, what information they require, when the require it, the purpose for which they require it and how it should be provided.
Any request from a third party will be checked with you, the data subject, before any information is shared.
A record of the request and the transfer of data will be made in the personal record / Patient record.

All personal data shared will be transferred to a specific individual either directly by hand, by mail to a specified person or by email to a specified personal email address. In the latter case the file may be password protected / encrypted and the password provided separately from the electronic file.

Records will be included in any sale of the practice and should be considered as a transfer of ownership and thus needs to be recorded

This practice will not share retained personal data with third parties for advertising or marketing / promotion purposes. It is not currently intended that any personal data collected or retained will be used directly by this clinic itself for marketing purposes.  

 

Records Retention Policy

It is the policy of this practice to retain the Personal Data it has processed for a period of not less than 7 years from the end of the last contact with a patient.

All retained records containing personal data will be stored safely, securely and in such a way as to preserve its privacy and confidentiality.

Access to personal data will be restricted to those who reasonably require it in order to perform their work within the practice.

Personal Data will not be shared with other persons except in connection with their clinical management and treatment, other than by the expressed consent of the patient / data subject.

Current patient records are stored in an expanding folder on the desk in the larger of the treatment rooms and remains under observation at all times when patients are present.
Non-current patient records are stored within a locked filing cabinet.
Archived records older than seven years have been retained in case they were needed in the past. It is the policy of the clinic to gradually begin reviewing these records and where no reason is found to retain them they will be destroyed or anonymised.

Records will be reviewed on an annual basis. Records that are older than 7 years, that have no apparent reason for retaining them longer, will be destroyed.

Records that are held beyond this period where possible will be anonymised. Where a record is retained and cannot be anonymised an explanation will be provided to the data subject and a further consent to retain the record will be sought.

The records relating to patients under the age of 18 years of age must be held for 7 years beyond their 18th birthday.

Destruction of the records will be arranged in such a way as to ensure the safety and confidentiality of the data.

This practice will not share retained personal data with third parties for advertising or marketing / promotion purposes. It is not currently intended that any personal data collected or retained will be used directly for marketing purposes by this clinic.  

 

Data Storage Policy

Hard Copy Data Records

Current patients’ paper records are stored in the locked filing cabinet, apart from the charts of the current days patients, which are out of view on the desk in the main treatment room. Going forward the patients’ records will be on the computer and protected by passwords and firewalls etc. They remain under direct supervision at all times when patients are present. When patients are not present they are usually directly supervised and safe.
When others are working unsupervised within the practice premises this expanding file folder will be placed within the locked filed cabinet along with the other sensitive data in the practice.

Non-current patient records are retained and stored within a locked filing cabinet in the office area which has a keypad lock on the door. This cabinet and room are kept locked when not directly supervised.

Employment and other HR Records are kept within the locked filing cabinet.

Hard copies of legal reports, letters and other sensitive information in hardcopy format are stored within the filing cabinet.

Patient records in excess of 7 years old have been stored in archive boxes in the attic space of the adjacent property – owned and occupied by the practical principal. This property is protected by the monitored alarm system.

Electronic / Digital Records

The standard of encryption required to adequately secure data changes with advances in technology. Whole-disk encryption of 256-bit strength should meet the requirement at present and is provided by the current computer.

A strong password would typically be 14 characters long, contain a random selection of letters, numbers and symbols and be impossible to guess Passwords used by this clinic include a combination of numbers, letters and some symbols.

The practice computer is protected by a password. The practice computer is protected by a firewall and the computer is provided with antivirus protection that provides daily updates and up to the minute protection for internet security.

The internet service provides additional paid for security protection at the service provider level – before the emails are downloaded – at source.

The WIFI internet used within the practice is password protected.

Files with sensitive personal; data are not backed up to the Cloud, nor are they stored for any length of time on a personal laptop of the practice principal, nor saved onto web based services. Files that need to be transferred outside of the practice to be worked on are usually saved to a memory stick and once use is completed with the file is deleted from the memory stick or external device.

An external hard drive is used to provide separate back up from the computer. This hard drive is generally connected to the computer but is powered down except when in use. A further non powered external hard drive is used for monthly back up of the Physiolinked system. This device is stored securely in the adjacent property – the home – of the practice principle.

Physiolinked the patient management system on the PC is protected by a password for each individual who needs it, clinical therapist and non-professional / receptionist / secretarial/admin staff.

The Letters Folder is password protected. This folder also contained Physiotherapy Reports and other sensitive data.

The Health and Safety Folder is also password protected. This folder contains data relating to health and safety consulting carried out by Fiona McDevitt.

Other Data

All desks surfaces are cleared of notes and other sources of personal data at the end of each day.

No sensitive record should remain visible when not in use – it should be replaced in the appropriate storage for its current status – current, non-current or archived.

Patients who provided original of legal or other medical reports or referral letters should have these copied and the original returned to the patient for safe keeping. Similarly other data records like MRI, video, photos etc should be copied and the originals returned to their owner.

Some sensitive data related to the business is stored on the shelving units within the ring binder folders. This is not personal data but is considered sensitive and must be supervised and kept confidential.

A phased programme of reviewing archived records and destruction of them as appropriate will commence in the summer of 2018. It is hoped to complete this task within 6-12 months.  

 

Registration Details Data Protection Commissioners

FMcD Physiotherapy Ltd trading as Fiona McDevitt Integrative Health

 

Reporting Data Breaches

Once detected all data breaches will be reported directly on the DPC website at the following link which provides detailed information on dealing with breaches.

More information is available at the following webpage data security breach Code of Practice

The Breach will be reported to the following contact options. 

  1. E-Mail - This email address is being protected from spambots. You need JavaScript enabled to view it.
  2. Phone - 1890 252231(lo-call); 00 353 (0) 57 8684800
  3. Fax- 00 353 (0) 57 8684757  

 

Housekeeping / Good Operational Practice

All information that may identify an individual is considered personal data. Therefore the concept of good housekeeping practice is inherent in keeping personal information private and confidential.

All phone conversations should be conducted in a manner to maximise privacy of the persons involved. Use of names and phone numbers in public areas in association with other clinical details should be avoided.

Some older archived patient records are stored offsite – in the attic of the adjacent overhead property owned and solely occupied by the practice principal. There is no access to other persons to this attic except by arrangement with the practice principal. Regular checks are made on the contents of the attic area. The attic is accessed through the residential apartment only, which is protected by a monitored alarm. There is a plan to delete / destroy these archived records in the near future.

Access to Patient Clinical Records is restricted to clinical staff in the normal routine. Reception / support staff will normally only have access to the demographic details in order to do their duties. Currently this is through the Physiolinked system where they have access only to demographic information.

The Filing cabinet has a fully functioning lock and is kept locked when not under direct supervision.

Careful use of computers will allow personal data to be kept safe and confidential. The computers are provided with appropriate levels of software protection, anti -virus protection, firewall protection etc. In addition the following should be noted

  1. All folders containing sensitive information are password protected
  2. All sensitive files are password protected
  3. Patient personal data is appropriately protected and the system should be able to provide an audit trail of who worked on the system, when and with what files.

Use computer screen with care to protect personal data.

  1. Use privacy buttons if available, turn off the screen or minimise the working screens when not actively using the computer.
  2. Turn the screen so it cannot be read easily by patients lying on couches.
  3. Do not leave personal data visible to other people – position the screen to prevent this, turn the screen away, turn the screen off, shut down the programme, clear notes from the desk area or otherwise ensure the information cannot be accessed by others.

This is particularly important when the room / screen is unsupervised. All written notes, clinical records and other sources of personal data should be removed from the desks and other areas where they can be accessed if left supervised.

All small non clinical notes should be shredded for security.

Files for destruction will be shredded / destroyed in a manner to ensure they cannot be reconstructed or retrieved.

Digital records may require specific programmes to delete the data completely.

It is the policy of the practice where possible to copy all digital media, referral letters, reports etc and return the originals to the patient for safe keeping by them.  

 

Detecting + Reporting of Breaches

Fiona McDevitt Integrative Health Ltd is a Sole Practitioner Practice – therefore the responsibility for all data protection lies with Fiona McDevitt, the practice owner and principal.

As the sole employee of the business, and the person responsible for all aspects of Data Protection, she is also responsible for Detection of and reporting of Breaches of Data security.

Under GDPR requirements on detection of a data breach Fiona McDevitt will report the breach to the DPC 72 hours, unless the data was anonymised or encrypted.

As the practice handles significant amounts of personally sensitive data it is the policy of this clinic to inform the individual(s) impacted by the breach and to keep them informed of progress of investigations + remedial actions taken.

If a data breach is discovered immediate action will be taken to minimise any further loss of data or unauthorised access to the data.

Disconnect the PC and other devices from the internet.

Disconnect the internet modem from the phone line.

Determine the extent of the breach and what data is affected / has been compromised and whose data it is.

Determine who has perpetrated the breach and how. Take steps or advice on how to close the breach and prevent further exploitation of this security weakness.

Prepare a report for the DPC and submit it within 72 hours or sooner if possible.

Hard copy data / patient records with personally sensitive data will be checked at least every week.

Files with personally sensitive data are handled in a systematic routine manner so that deviations from the routine will be immediately obvious. Departure from the routine if unexplained will be investigated.

Data and sensitive files are monitored at all times when patients or others are present within the premises. Files or data is not left unsupervised and easily accessible to others who are not authorised to have access to it.

Anyone acting suspiciously or apparently trying to gain access to data is warned that this is unacceptable behaviour. Failure to correct such behaviour or persistence with it will result in their exclusion from the premises and the termination of their care if they are patient. They will be offered the contact details of professional colleagues in the area if they request the same.

Specialist guidance will be sought from the website hosting company about apparent irregularities. The clinic website has information for public consumption but no direct personal data is collected or stored in any database as part of the website.

Security setting on websites and social media platforms will be set at HIGH.

 

Data Protection Risk Assessment

No. Data Hazard / Risk Risk Level Control Measure
1 Website being hacked Med Have suitable protection in place by Hosting Service.
Provide protection for website databases where present
2 Unauthorised access to PC High Use password protection for Starting Computer Password
protection for all users of clinical software systems Password protection of email programmes Password Protection for sensitive data folders and files.
3 Screen visible by patient / visitors High Position screen so they are not in direct line of sight Minimise / close sensitive files when not in use
Do not leave screen or PC unsupervised
4 Clinical notes open on desk High Do not leave notes open and unsupervised on desk – cover of place within a folder out of sight
when not in use Place in secure location when unsupervised Do not leave notes in any area unsupervised
5 Filing cabinet not secure  – lock broken High Replace broken lock Replace filing cabinet Keep locked when not directly supervised or being actively used for filing duties
6 Current patient records in expanding file folder

Medium
High

Keep records within the folder until needed and replace without delay. 
Place within the locked filing cabinet when not supervised and others are unsupervised in the premises doing other work 

7 Archived Patient records in attic Medium Review records with a view to destruction by shredding and or burning as necessary Aim to complete within 6-12 months.
8 Contractors working in premises unsupervised  High  Switch computer off Lock current patient records folder into filing cabinet Remove the diary Remove any sensitive data from the desk area and lock it away.
9 Patients entering treatment rooms Medium Always ensure doors to treatment is closed to waiting area. Speak in a moderate to low level of voice Close interlinking doors when needed for privacy. Provide a sign to warn people not to enter a room when door is closed.
10 Notes with contact details on desk Low Have a clean desk whenever possible. Keep notes to a minimum.
11 Phone conversations being overheard  High  Keep phone conversations where sensitive data likely to be discussed to a minimum until alone in clinic At a minimum close treatment room doors to maintain auditory privacy.
 12  Robbery / theft / unauthorised entry to the premises High Always lock the filing cabinet at night. Lock current patients records into filing cabinet. Remove the diary at night.