At BodyEvolve, we take the protection of your personal data and rights very seriously and we have aligned our clinic in accordance with GDPR legislation (25th May 2018).
The date of the latest policy update is found at the end of this document.
As a data controller, we will only use information collected lawfully in accordance with:
• General Data Protection Rules 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• General Chiropractic Council Code of Conduct
We are registered on the ICO Data Protection Register, registration number: ZB343944
2. Who we are.
We are BodyEvolve Spinal Health & Wellness (previously, BodyEvolve Family Chiropractic).
Siren House. 437a Stockport Road, Hyde, Cheshire. SK14 5ET.
The data controller is Mrs M. Knowles, email: email@example.com. Siren House. 437a Stockport Road, Hyde, Cheshire. SK14 5ET.
3. What information we collect.
We collect personal information about you to enable us to provide our services. This may include:
• Name and address, email address and telephone numbers.
• Gender and date of birth.
• Details of your health concern/s, medical and family history, marital status, and occupation.
• Next of kin contact details.
• Details from your parent or guardian if you are under 16, or about your child if they are under 16 years of age.
• Photographs or videos for care and treatment.
• Details of services and treatments you may have received from us.
• Reports or notes on your health or any treatment and care you have received or need.
• Patient feedback and treatment outcome information you provide.
• Information about complaints and incidents.
• When you visit our website, we collect information about your IP address and pages you visit. This does not tell us who you are or your address, unless you choose to provide that information.
• Your payment information (e.g. credit card details) provided when you make a payment to us.
• Information from customer surveys, promotions or competitions that you take part in.
4. How do we collect Personal Information?
We collect the personal information in the following ways:
• When you enquire about our services or treatments.
• When you provide information by completing a form on patient registration.
• When you correspond with us by email, phone, text, website enquiry, social media or other ways.
• During the course of the provision of services to you.
• When you visit our website.
• When you fill in a form or survey for us.
• When you complete an information form at a public/social/workplace event or organisation.
• When you enter a competition, promotion or survey.
5. What do we do with your data?
We only retain your data for as long as necessary, according to its purpose. We use the following regulation guidelines and recommendations:
Whilst you are under care at our centre we will continue to store and use your personal data.
The health care team who provide your care have to maintain records about your health and any treatment you have received here or previously. These records help provide you/your child with the best possible health care. Our lawful basis of processing this data is one of contract, and we will only examine or treat you/your child with your explicit consent. Our records are electronic and on paper and we use a combination of working practices and technology to ensure your information is kept confidential and secure.
As an adult, your patient data by law is retained for 8 years from the last visit, or if a child, then until they reach their 25th birthday. If aged 17 years old at the last visit, then records are kept until age 26. After this period, all records are destroyed. If you believe we should erase or stop storing your data, please contact the Data Controller detailed in paragraph 2.
Information may be used within the clinic for clinical audit purposes, to monitor the quality of the services we provide. All of your information is held securely on our premises and on a secure encrypted cloud system and may be used for statistical analysis. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
We retain your data within any time limits for making a legal claim.
We retain your data for as long as we have a reasonable need for managing our relationship with you or running our company.
6. Who will see the information?
Every member of staff who works at the company has a legal obligation to keep information about you confidential. We will never sell your information or let other organisations use it for their own purposes.
We will only share your personal information, if necessary:
• When consent is necessary, we will have obtained your consent and detailed the reason why your consent was required. You can withhold or withdraw consent when you complete the GDPR form in clinic on your initial visit, or you can do so by contacting the data controller, as above.
• Medical, medical imaging or healthcare providers.
• Your GP – where clinically necessary we may share your information with your GP.
• Emergency services or law enforcement agencies
• Where we use other organisations to provide services on our behalf for processing, mailing, delivering, answering patients, members, supporters’ questions about services, sending mail and emails, data analysis, assessment or processing credit/debit card payments.
• To any organisation requesting an employment reference if you are to join the company.
• Organisations providing IT systems, IT support and hosting in relation to IT systems on which information is stored. Our website and email are hosted by Platform 81 LTD.
• If we merge with another organisation, form a new entity, sell our business or purchase a business.
Where a third-party data processor is used, we ensure they operate under a contract which includes confidentiality and security of personal data and their obligations under the Data Protection legislation.
8. Your rights
As we process your personal data, you have certain rights. These are a right of access, a right of rectification, a right of erasure and a right to restrict processing.
Access to your personal information
You have a right under the GDPR 2018 to request access to view or obtain copies of information that BodyEvolve Spinal Health & Wellness holds about you and to have it amended should it be inaccurate. In order to request this you need to:
• Make your request in writing to the clinic
• There is no charge for copies of your file
• We are required to respond to you within 40 days
• You will need to give us proof of name, address and date of birth, so that your identity can be verified (photo ID)
If you wish us to stop storing or using your data for communication/marketing/auditing purposes, please unsubscribe from email content, or ask to be removed from any text/phone/mail communications by contacting the data controller detailed in paragraph 2. At your first visit as a new patient to the clinic, you can tick to ‘opt out’ from our communications when presented with our GDPR policy form.
You can also request that we erase all personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes. Contact the data controller, details in paragraph 2, to request erasure.
Should you have any concerns about how your information is managed at the clinic, please contact the Data Controller, Mrs M. Knowles, detailed in paragraph 2. If unresolved, you can then complain to the Information Commissioner’s Office via its website (www.ico.gov.uk).
10. Change of details
It is important that you inform us of any changes to your details, such as name or address. If any of your details are incorrect, please notify us so that we can correct them.
11. Notification & Data Controller
In the event of any breach of personal data where information we control is lost, stolen or otherwise breached and this constitutes a high risk to your rights and freedom, we will notify you immediately. We will explain the nature of the breach and the steps taken to deal with it.
11.2. Mrs M. Knowles is the Data Controller for BodyEvolve Spinal Health & Wellness.