General Data Protection Regulation Policy
GDPR stands for General Data Protection Regulation and replaces the Data Protection Act directives previously in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, that individuals’ data is not processed without their knowledge, and that it is processed only with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Inline Health Limited is committed to protecting the rights and freedoms of individuals with respect to the processing of clients’ personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR includes 7 rights for individuals:
1) The right to be informed
Inline Health needs to know clients’ names, addresses, telephone numbers and email addresses, along with the medical history relevant to the treatment or activity they are involved in, for the safety and interest of the client. This information is confidential and will not be shared with any external companies for marketing purposes.
2) The right of access
At any point an individual can make a request relating to their data, and Inline Health will need to provide a response (within 1 month). Inline Health can refuse a request if we have a lawful obligation to retain data, but we will inform the individual of the reasons for the rejection.
3) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Inline Health has a legal duty to keep client details for 7 years. Data is archived securely and removed after the legal retention period.
4) The right to restrict processing
Clients can object to Inline Health processing their data. This means that records can be stored but must not be used in any way, for example for communication purposes.
5) The right to data sharing
Inline Health requires data to be shared with our online booking system (Practice Pal) and/or from our virtual reception team (Best Reception) to our online booking system. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The right to object
Clients can object to their data being used for certain activities like marketing or research.
7) The right not to be subject to automated decision-making, including profiling
Automated decisions and profiling are used by marketing-based organisations. Inline Health does not use personal data for such purposes.
Storage and use of personal information
All paper copies of client records are kept in a locked filing cabinet in our clinic. The information provided on registration forms is entered onto our secure, password-protected database with Practice Pal, who have their own policies and procedures in place in relation to GDPR. Members of staff can have access to these files, but information taken from the files about individual clients is confidential and, apart from archiving, these records remain on site at all times. These records are removed after the legal retention period.
All office computers are securely protected, with passwords required for access. Any portable data storage devices used to store personal data (e.g. USB memory sticks, cameras and iPads) are password protected and/or stored in a locked filing cabinet.
GDPR means that Inline Health must:
- Manage and process personal data properly
- Protect the individual’s rights to privacy
- Provide an individual with access to all personal information held on them
This Policy was adapted in May 2018.
Policy review date: May 2019