8 Hillside Brae, Gulberwick, ZE2 9FD
We collect and process data because we have a legal obligation to do so and it is adequate, relevant and limited to what is necessary.
For the purposes of the GDPR, Linda Smith and Anne Williamson (directors), trading as PhysioFit Shetland Ltd, are the 'data controllers' (i.e. the entities who are responsible for and control the processing of your personal data).
We collect and process information when you telephone to make an enquiry or appointment or when you send a self-referral form.
At the point of enquiry or booking we may ask you for your name, date of birth, address, telephone number, e-mail address, registered health centre and details regarding your problem/condition.
At your appointment at the clinic, we will ask for information regarding your general health, your previous health and information regarding the condition you are seeking advice about. We will also ask for information regarding any activities you undertake, your employment and any medication you take. We will record the findings of a physical examination. We record our diagnosis, treatment plan and specific problems/goals.
Information regarding your health is collected directly from you, or may be collected from another health provider with your permission.
If you enquire but do not attend an appointment you do not become a patient with us and we will not keep your data.
We do not collect any personal information from visitors to our website other than information that is knowingly or voluntarily given. Anonymous information may be collected, such as the number of visitors to the website in a given period, but this is purely statistical and cannot be used to identify an individual user. Cookies are not used to collect any other information from visitors to the website. Our website contains links to external sites, but we are not responsible for these sites.
How we may use your personal data
We may use your personal data for the following purposes:
We take all reasonable steps to ensure that our information is kept up to date and rectified if necessary. It is also your responsibility to inform us if any personal information changes.
Disclosure of your information
We may pass information with your permission to other medical professionals who may be involved in your care; this may include GPs, consultants, occupational health departments or other Health and Care Professions.
This information may be passed on in the form of a written letter which is given to you - if this is the case, the letter becomes your responsibility and the protection of its contents is your responsibility.
If the information is passed electronically by email, it will be password protected and we will take all reasonable precautions to transmit the information securely. Otherwise it will be sent via post with your consent.
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances PhysioFit Shetland Ltd will disclose requested data where it is necessary to do so. However, the data controllers will ensure the request is legitimate, seeking assistance from legal advisers where necessary.
Data Security and Storage
We take appropriate measures to safeguard the information we hold from unauthorised access or improper use. Our database is stored in a secure, password protected location. Only users authorised by us have access to this data.
Whilst we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data which is transferred from you or to you via the internet. For this reason we prefer more secure means of transferring data.
Paper health records are stored in secure premises in locked cabinets. If we need to transport health records, e.g. to visit you at home, these records will be transported in a locked container.
Health records of adult patients must be stored for 6 years after the time of the last consultation. Child health records must be stored until the child's 25th birthday (or 26th birthday if aged 17 at the time of treatment). Maternity records must be stored for 25 years. When health records and other data are no longer required to be stored these will be destroyed securely and permanently.
Under the GDPR an individual has the right to be informed about the collection and use of their data.
The information must be clear and transparent.
We must provide individuals with information including: the purpose for processing their personal data, the retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
The right of access
Individuals have the right to access their personal data and supplementary information (subject access request). They may also request the purpose for which it is being collected, recipients, the retention period, rights of rectification, erasure and objections.
As an individual you must:
This will be provided within 30 days in compliance with GDPR.
We can decline a subject access request if it is unreasonable.
The right of rectification
Individuals may request that a controller rectify any errors in their personal data, or complete it, if it is inaccurate.
The right of erasure (the right to be forgotten)
Data subjects are entitled to ask a controller to delete their personal data.
This is not an absolute right and is dependent on the legal basis for collecting the data.
Restriction of processing
Data subjects may be entitled to limit the purpose for which the controller can process the data.
This means that they can restrict the way that their data is processed.
Data subjects have the right to transfer their personal data between controllers and to use their data for their own purposes.
Object to processing
A controller must have a lawful basis for processing personal data. If the lawful basis is ‘public interest’ or ‘legitimate interest’ these are not absolute and data subjects have the right to object.
Right not to be evaluated on the basis of automated processing
Data subjects have the right not to be evaluated in any material sense solely on the basis of automated processing of their personal data.
Customers will be notified within 72 hours of any data breach if it poses a high risk to the individual.
Further information is available from the ICO on the website – www.ico.org.uk.
Individuals also have the right to complain to the ICO.
All changes will be notified on our website.
Terms and Conditions
Please also read Physiofit Shetland's Terms and Conditions for Assessment and Treatment and Terms and Conditions for Use of Physiofit Shetland's Website.
Updated 25th May 2018. Due for review 1st June 2019.