1.Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (GDPR), from 25thMay 2018.
2.Who is responsible for managing my information?
Southville Clinic Limited is the data controller(contact details in section 16). This means it decides how your
personal data is processed and for what purposes.
Southville Clinic Limited complies with its obligations under the GDPRby keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Our ‘Security Policy’ is available on request.
We are responsible for the collection and proper management of any personal information you submit. We will keep your personal details
3.What information do we collect?
Prospective practitioners: You will be asked to complete a ‘Professional Information’ Form. This data will be held securely until either you enter into a contract with Southville Clinic or you indicate that you do not wish to enter into a contract with Southville Clinic.
Practitioners, contract in place/process: You will be asked to complete a ‘Professional Information’ Form.
The following data will be collected via the ‘Professional Information’ Form:
Date of Birth:
Qualifications (Including where and when obtained; sight of documents required):
Website (If applicable):
The following details are a compulsory condition of tenancy at Southville Clinic:
1. Current member of recognised registration body (Sight of original documents and copy required):
a. Name of professional body:
b. Registration no:
c. Date of initial registration:
2. Current indemnity insurance (Sight of original documents and copy required):
a. Name of insurer:
b. Date of renewal:
a. Professional Referee
b. Previous business landlord (if applicable)
CCTV: We use CCTV monitoring outside our premises. Signs are in place to identify the locations of the cameras. Recording is 24/7 and images are stored securely on the premises. We run this security measure jointly with Southville Surgery. No images are recorded within our premises.
Website information (optional): If you wish to provide information on the Southville Clinic Website, please provide accurate and relevant information for public dissemination.
Bank Information:This data will only be collected if it is required to refund monies to a practitioner.
Telephone call recording: All incoming and outgoing calls are recorded.
4.Practitioners as Data Processors
Data processor have specific legal obligations; for example, they are required to maintain records of personal data and processing activities. They have legal liability if they are responsible for a breach.
Security: We expect practitioners to ensure they handle any client data supplied by us in a secure way. Please ensure your computer is secured appropriately and that you do not share your password with anyone. You may find the following guidance useful: https://www.ncsc.gov.uk/smallbusiness
Children (0-18): We are unable to collect or store information about children. When an appointment is
requested for a child, we will pass on parental contact details to enable you to deal with this type of query.
5.Practitioners as Data Controllers
Practitioners will also act as data controllers in relation to any additional information they collect from clients, such as consultation notes. We expect you to have appropriate policies in place for managing this data collection and storage. Southville Clinic has no role in the collection or management of this additional data i.e. we are not the data controller or processor, and accept no responsibility or liability for the collection, storage or security of this data.
6.Other Data Processors
‘Need More Time’
Where we use the following ‘Need More Time’ services:
Telephone answering – to supplement our in-house reception staff and manager
Calendar – secure appointment booking system
More information about this company can be found at: https://www.needmoretime.co.uk
In relation to joint CCTV monitoring only.
Telephone call recording only.
7.Lawful basis for processing
Contract – Practitioners who enter a contract with Southville Clinic
Consent – Prospective Practitioners
When we collect information directly from you, with your consent, consent is obtained verbally or in writing, depending on the method of contact.
8.How do we use your information?
Your personal data will be treated as strictly confidential and will be shared with relevant individuals only. The only exception to this is information provided to be displayed on the Southville Clinic website (optional), where this information is publicly accessible and as such we cannot control how this data will be used by third parties.
Specifically, the information you provide may be used:
- to enable us to draw up and administer our contract with you;
- to confirm and remind you of your professional registration expiry date(s);
- to put you in direct contact with clients;
- to enable us respond to your queries;
- to enable the directors to review and approve your contract with Southville Clinic;
- to provide a refund of any monies owing during or at the end of a contract term;
- CCTV: if an incident or crime occurs in the view of our cameras, we may review the images and resolve a minor matter internally or pass images on to the police, if relevant to a criminal offence.
- Telephone call recording: if an incident occurs when a client is abusive or inappropriate during a telephone contact. To establish appropriate billing for telephone calls (minimum call duration to do this).
We will never use your information for marketing. We will never use your images for any other purposes.
9.Who will we share your information with?
In order to provide you with the services that we offer we may share your information with:
- Reception staff;
- ‘Need More Time’ telephone answering staff;
- ‘Need More Time’ secure calendar software for appointment booking;
- Clinic Directors;
We will never share your information with 3rd parties for direct marketing.
10.When can we contact you in the future?
Other than the circumstances outlined above, we will never send you information about our products and services, or information from third
11.How long will we hold your information for?
We have a system of retention periods in place to ensure that your information is only stored whilst it is required for the relevant purposes or to meet legal requirements. Where your information is no longer required, we will ensure it is disposed of in a secure manner.
Practitioners, with a contract in place: We will hold your data securely throughout the duration of our contract with you. Our Policy is to delete information at the end of a contract term as soon as possible. This includes paper and digital copies of data held. If we have requested your bank information, in relation to processing a refund, we will need to hold this data for accounting purposes and in line with our legal obligations to HMRC (HMRC current requirement for limited companies; 6 years of accounts).
Prospective Practitioners: We routinely delete your data when either you have indicated that you do not wish to enter into a
contract with Southville Clinic, or within 3 months of non-contact. If you want us to remove your data ahead of this automated deadline then please contact us (see section 16 for full contact
details), either verbally or in writing. Please note we have 28 days to comply with any request for data deletion.
13.How can you access and update your information?
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email or write to us at the address below. We will process any requests for information (Subject Access Requests) within 28 days, subject to identity verification. We reserve the right to charge a fee if multiple requests are made for the same information or if the request is ‘unfounded or excessive’.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think
is inaccurate at any time, either verbally or in writing. We have up to 28 days to consider and correct any inaccuracies. (Contact details, section 16)
14.Does the policy apply to linked Websites?
websites you should read their own privacy policies. Please note we are not responsible for the information or accuracy of information on these linked websites.
updated on 8th May 2018. Planned review date: 8thMay 2019. Please note that this policy can be updated at any time and without notice.
Clinic Manager: Sarah Leonard
By Telephone: 0117 963 2335
By email: firstname.lastname@example.org
Or write to us at: Southville Clinic, 68, Coronation Road, Bristol, BS3 1AS
17.How can you report a data breach?
If you have concerns that your data has been accessed, shared or otherwise used for purposes not outlined within this document or without
your consent. Please contact us as soon as possible and we will investigate the matter. (Contact details provided in section 16)
18.Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which Southville Clinic Limited (data controller) holds about you (supplied within 28 days);
- The right to request that the Southville Clinic Limited corrects any personal data if it is found to be inaccurate or out of date (corrected within 28 days);
- The right to request your personal data is erased where it is no longer necessary for Southville Clinic Limited to retain such data (erasure within 28 days);
- The right to withdraw your consent to the processing at any time;
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable).
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable)
- The right to lodge a complaint with the Information Commissioners Office.
Please contact us if you would like to exercise these rights (contact details in section 16). For more information about
data protection and your rights visit: www.ico.org.uk
If you have any comments or suggestions in relation to this policy or require additional information, please contact us (contact details in section 16).