NPP Neuro Group
Data Protection Policy for Patients
General statement of the Company’s Duties and Scope
We are NPP Neuro Group, a private physiotherapy and allied health company. We collect and process personal data regarding members of staff, patients and relatives as part of our operation and shall take all reasonable steps to do so in accordance with our policies.
This policy has been written to ensure that we comply with the relevant provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679).
It has been written with reference to the information provided by the Information Commissioner’s Office (ICO).
The Company is registered with the Information Commissioner’s Office (ICO) and will act as the Data Controller determining the purposes and means of handling personal data for patients at our practice.
The Company is NPP Neuro Group Limited.
In line with the principles of GDPR
We shall ensure that your information will be:
• Fairly and lawfully processed
• Processed for a lawful purpose
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept longer than necessary
• Processed in accordance with your rights
• Not transferred to other countries without adequate protection
Data Control for Patients
The Company will be the Data Controller responsible for information in respect of NPP Patients, and personnel at our practice will process data in association with their role. Clinical staff are responsible for following their relevant professional and legal obligations. Whilst processors have legal responsibility for their actions, the Controller has an obligation to ensure that they comply with GDPR.
All processors are bound by their contractual obligations about client and patient confidentiality.
Data Control for Clinical Associates
All personal information belonging to patients and clients seen by Clinical Associates will be the responsibility of the individual clinician. They will assume the role of Data Controller for their own records and The Company will process data on their behalf solely for the purposes of booking appointments and day-to-day administration.
Clinical Associates are to make an undertaking to The Company confirming that they comply with GDPR.
Any questions regarding the GDPR policies of therapy professionals working at NPP Neuro Group should be directed to the individual practitioner concerned.
The Company will ensure that, where data is processed externally, for example by service providers, Cloud services or storage facilities, all external processors are compliant with this policy and relevant legislation.
What kind of personal information do we process?
Personal and contact details
Reception staff are required to collect personal data for making appointments and day-to-day administration. These details will be recorded on the clinical notes and diary system. It is a legal requirement for us to record attendance.
Reception staff are required to handle sensitive personal data but will never share this.
Sensitive Personal Data
Clinical records contain sensitive personal information and will be recorded by clinicians in accordance with the relevant professional standards and legal obligations.
Consent is to be obtained before sensitive personal data is shared, for example with General Practitioners, other health professionals or insurers.
Sharing information with other parties will not be done without your written consent specifying what details you wish to share and who you would like to share it with. You can ask to see a copy of any correspondence before it is sent.
How will we collect your information?
• We will ask you to give your title, full name, date of birth and telephone number.
• When you come to your initial appointment you will be asked to complete our full patient registration form and sign our privacy notice to confirm your consent allowing us to process your information.
• Your therapist will collect all the medical information that they need to treat you during your assessment. The assessment will be recorded on the clinical record and will not be shared without consent.
Ownership of Clinical Records
The Company will be the owner of all physiotherapy treatment records. This is considered to be the most appropriate means of ensuring that sensitive data is managed in accordance with GDPR governance rules and yet still enable records to be freely shared by all of the practitioners involved in each episode of care. Physiotherapy Associates will assume the role of Data Controller on behalf of The Company in this respect.
Other Therapy Associates (Clinical Associates)
Therapists working in disciplines other than physiotherapy and speech and language therapy are separate businesses and have their own GDPR responsibilities.
All other allied health professionals (Clinical Associates) working at the clinic will retain ownership of their patient records and will be considered as the Data Controller for those records.
Privacy Notice and Consent
Every patient (or their guardian) will be asked to read a Privacy Notice at the start of each new episode of care and be required to complete the data consent section at the bottom of the form. This will be attached to the clinical record.
All associates from other disciplines are responsible for obtaining their own relevant consent and documentation.
Right of Access to Information
You have the right of access to information held by The Company. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request (known as a subject access request, or SAR). An initial copy of your information will be provided at no charge.
Requests for access to information held by our other Clinical Associates should be made directly to them.
The Company will endeavour to ensure that all data held is accurate. We ask you to notify us of any changes to information held about you, and you have the right to have inaccurate data corrected or erased. This does not apply where there is a legal requirement to retain records of corrections or mistakes in the interest of all parties to which they apply, and no alterations can be made to the clinical record.
Monitoring Data Protection
We will conduct a GDPR Risk Assessment annually.
An annual data processing and information audit will be conducted to document the:
• Type of information the Company holds
• Where the data is being stored
• How data is being processed
• Whether the data is being collected and stored in accordance with our policies
• Records of Consent
• Records of data breaches
Data Retention and Destruction
• Your information will be retained in accordance with legal and operational requirements.
• Data will be securely destroyed once the retention period has expired.
• We will not share your personal information with anyone without your consent.
• If you are making a claim to pay for your treatment through a health insurer, they will require us to share information. It will not be possible to process your claim without this but, if you wish, you can ask to see any information or reports before they are shared.
Is your information transferred outside the UK or EEA?
• We will not use your data for marketing ourselves unless we obtain specific consent from you first.
• We will not pass any of your information on to anyone for external marketing purposes.