We are NPP Neuro Group, a private provider of neurological rehabilitation and allied health services. We collect and process personal data regarding members of staff, patients and relatives as part of our operation and shall take all reasonable steps to do so in accordance with our policies.
This policy has been written to ensure that we comply with the relevant provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). It has been written with reference to the information provided by the Information Commissioner’s Office (ICO).
The Company is registered with the Information Commissioner's Office (ICO) and will act as the Data Controller determining the purposes and means of handling personal data for patients at our practice. Our registration number is ZA350901.
The Company is Neurophysioplus ltd
In line with the principles of GDPR
We shall ensure that your information will be:
The Company will be the Data Controller responsible for information in respect of NPP patients, and personnel at our practice will process data in association with their role. Clinical staff are responsible for following their relevant professional and legal obligations. Whilst processors have legal responsibility for their actions, the Controller has an obligation to ensure that they comply with GDPR. All processors are bound by their contractual obligations about client and patient confidentiality.
All personal information belonging to patients and clients seen by Clinical Associates will be the responsibility of the individual clinician. They will assume the role of Data Controller for their own records and The Company will process data on their behalf solely for the purposes of booking appointments and day-to-day administration. Clinical Associates are to make an undertaking to The Company confirming that they comply with GDPR. Any questions regarding the GDPR policies of therapy professionals working at NPP Neuro Group should be directed to the individual practitioner concerned.
The Company will ensure that, where data is processed externally, for example by service providers, Cloud services or storage facilities, all external processors are compliant with this policy and relevant legislation.
What kind of personal information do we process?
Personal and contact details
Reception staff are required to collect personal data for making appointments and day-to-day administration. These details will be recorded on the clinical notes and diary system. It is a legal requirement for us to record attendance.
Reception staff are required to handle sensitive personal data but will never share this.
Clinical records contain sensitive personal information and will be recorded by clinicians in accordance with the relevant professional standards and legal obligations. Consent is to be obtained before sensitive personal data is shared, for example with General Practitioners, other health professionals or insurers. Sharing information with other parties will not be done without your written consent specifying what details you wish to share and who you would like to share them with. You can ask to see a copy of any correspondence before it is sent.
The Company will be the owner of all treatment records. This is considered to be the most appropriate means of ensuring that sensitive data is managed in accordance with GDPR governance rules and yet still enable records to be freely shared by all of the practitioners involved in each episode of care. Associates will assume the role of Data Controller on behalf of The Company in this respect.
Every patient (or their guardian) will be asked to read a Privacy Notice at the start of each new episode of care and be required to complete the data consent section at the bottom of the form.
You have the right of access to information held by The Company. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request (known as a subject access request, SAR). An initial copy of your information will be provided at no charge. Requests for access to information held by our other Clinical Associates should be made directly to them.
The Company will endeavour to ensure that all data held is accurate. We ask that you notify us of any changes to information held about you, and you have the right to have inaccurate data corrected or erased. This does not apply where there is a legal requirement to retain records of corrections or mistakes in the interest of all parties to which they apply, and no alterations can be made to the clinical record.
We will conduct a GDPR Risk Assessment annually. An annual data processing and information audit will be conducted to document the
Data Retention and Destruction
Information sharing