Metro Physio Privacy Notice
At Metro Physio we strive to achieve the highest possible standards of practice in all we do. We therefore want to ensure we extend this to the way we handle and manage your personal data. You can be assured we take the safe keeping and privacy of data very seriously and do all we can to comply with the Data Protection Act 1998 and the General Data Protection Regulations (GDPR) 2018.
The data we hold and legal grounds for processing this data
* Patients – We process your data under the lawful basis of ‘consent’, as we will ask you to sign a consent form and/or for your verbal consent. It is also within your ‘legitimate interests’ to ensure we provide you with the most effective service possible. If we share your information we will have gained your explicit ‘consent’ to do so; in most cases this will be written but, in some cases, may be verbal. We process your health data under the specific regulation of the GDPR guidelines, Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
We will ensure that all personal data is collected, held and when required transferred in line with GDPR ‘good practice guidelines’.
Who controls and processes the data we hold?
Metro Physio Ltd acts as the ‘Data Controller’ for data we collect although ultimate control of this is with the individual in line with their rights unless there is a legal obligation for us to disclose or retain information.
Metro Physio staff will act as ‘Data Processors’ along with third parties we use for our patient management system, exercise prescription software and IT support because they will gather, save, transfer and delete data in line with the guidelines or the wishes of the individual (unless there is a legal obligation for us not to comply with the wishes of the individual). We will only process the data for the purposes for which it was collected so will not edit, transfer or delete this without legal basis or an individual’s express wishes. Please note data will not be transferred outside of EU borders.
The GDPR advises that as we process ‘Special Category’ data, i.e. data about your health, we should appoint a ‘Data Protection Officer’, but this is only compulsory if processing greater than 5000 subjects within a 12-month period. They advise this person should not be a ‘Data Processor’, i.e. responsible for the inputting of data, as this would create a conflict of interest. This is not possible within our organisation as all staff act as data processors. This role will therefore be carried out by our Operations Manager Stuart Ainsworth, who is the most suitable person within the organisation.
The rights of individuals (Data Subjects) whose data we process
The GDPR regulations give the below rights to ‘data subjects’:
* Right to be informed – regarding how we legitimately process your data.
* Right to access – any data we have about you.
* Right to rectification – of any data you inform us is inaccurate.
* Right to erasure – of your data (‘right to be forgotten’) unless we are legally obliged not to.
* Right to restrict processing – to prevent further processing of the data we hold.
* Right to data portability – you may request we transfer your data to another data controller.
* Right to object – to processing, profiling, direct marketing and some forms of research.
* Right to question automated decision making – i.e. profiling.
We will ensure we comply with your requests regarding your rights under GDPR unless there is a legal reason for us not to do so.
How long do we retain data for?
There are differing legal ‘retention periods’ we must comply with, for example for medical and personnel records. Personal data will be held for no longer than is in the interests of the individual. For example, to destroy medical records for a patient would potentially result in poor service as we may be required to go through a lengthy process of retaking information that had previously been provided. We may at any point be requested for information from an individual, so it is in their legitimate interests to keep this on file. Individuals have the right at any time to ask for their data to be destroyed or transferred (providing that we are not legally bound to keep the data).
Information collected through our website
When you visit Metro Health & Wellbeing’s website, as is usual on almost all websites, the server automatically collects anonymous information such as:
* IP address
* Date and time of visit to website
* The pages visited
* The browser used
* The country from which you are accessing the website
* The language of the browser used
* The website from which it is accessed
* The search word/s used
* The type of connection
* The operating system
The only reason this information is collected is to constantly improve the user’s website experience.
We do not collect any personal information other than information that is knowingly or voluntarily given. Visitors will not be contacted by us, unless such information is given, and contact is specifically requested.
Harmless cookies that are designed to enhance your user experience of this website are stored on your device. These consist of small data files relating to you and this website.
Information stored in cookies created by First Internet Marketing Ltd. is not shared with any third party unless required to do so by law.
By continuing to browse this website you are consenting to the storage of its first party cookies on your device.
The first party cookies used by this website include (but may not be limited to):
* _ga – Google Analytics – online identifiers, including cookie identifiers, internet protocol addresses, device identifiers and client identifiers
* _gat – Google Analytics – online identifiers, including cookie identifiers, internet protocol addresses, device identifiers and client identifiers
* _gid – Google Analytics – online identifiers, including cookie identifiers, internet protocol addresses, device identifiers and client identifiers
Disclosure to a Third Party
We will ensure we only pass on personal information to a third party when we have gained your explicit consent to do so. If your treatment is being paid for under a contract of insurance (e.g. BUPA, AXA-PPP etc policies), the terms of that insurance contract may require us to tell your insurer:
* Your name, address and insurance policy number
* Any pre-authorisation number you may have for treatment with us
* The dates you attend, or fail to attend, for assessment and treatment with us
* A brief description of your condition which may include diagnosis and relevant history.
* The name of the person who has referred you to us
* Our charges to the insurance company.
If you do not allow us to pass this information about you to your insurer as part of their monitoring of their contract with you, then we may not be able to treat you as an insurance-funded patient. You should discuss any concerns with your insurance company prior to commencing treatment with us.
We ensure we take the appropriate measures to safeguard the information we store to prevent unauthorised access or improper use. It is securely stored in a protected environment and only authorised people have access to the data.
Accuracy and Integrity of Data
We take appropriate measures to ensure the information we hold is accurate and up to date. If you are at all concerned that any data we hold is inaccurate, please contact us and we will ensure we comply with a request to amend this unless there is a legal reason not to comply.
Complaints & Concerns