Helix House needs to collect and store information (data) about its patients, employees, contractors and practitioners in order to:
- provide treatment
- arrange appointments
- manage fees and payments
- carry out day-to-day running of the clinic
- respond to enquiries, including those from the general public
This document explains:
- what data we collect and store
- who we obtain this data from
- why and how we use the data to achieve the objectives listed above
- what we do to keep it safe
- how you can find out more or raise a concern about data protection with us
Who uses my data at Helix House?
People who give their personal data to Helix House are Data Subjects: they may be patients, employees, practitioners, contractors or members of the general public.
Helix House is the Data Controller, responsible for determining the purposes and means of processing personal data. Helix House is committed to ensuring any personal data is dealt with in line with current data protection legislation. Helix House contact details are shown at the top right of this page. Helix House is registered with the Information Commissioner’s Office number Z6194497 and this registration is renewed annually. Helix House is compliant with the Payment Card Industry Data Security Standards Validation scheme.
Employees, practitioners and contractors are Data Processors, who are responsible for processing data on behalf of Helix House. Processing means obtaining, using, holding, amending, disclosing, destroying and deleting personal data. Data includes both paper and digital information.
Contractors include services which:
- process payments and accounting data, such as PDQ (debit and credit card) machine payments and bookkeeping
- provide a remote reception service when our receptionists are away from the desk
- provide IT support and software for running the clinic, including functions for making appointments and holding accounts
- provide email and phone services
Helix House is not required to designate a Data Protection Officer, as its processing of data is not on a large scale (see ICO guidance).
In line with General Data Protection Regulations 2018 (GDPR), Helix House will ensure that personal data will:
- be obtained fairly and lawfully
- be obtained for a specific and lawful purpose
- be adequate, relevant and not excessive
- be accurate and kept up to date
- not be held longer than necessary
- be processed in accordance with the rights of data subjects
- be subject to appropriate security measures
Summary of data use
Table 1 below shows:
- what data is collected, what type of data it is and where it is obtained from
- why this data is collected and processed
- the legal basis for processing this data
- how this data is processed and by whom
- how data is kept safe and for how long
- what happens to data once it is no longer needed
Helix House ensures that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures are taken:
- Locked cabinets
- Password protected computer and electronic device access
- GDPR compliant email, CMS (Content Management System) and telecom services
- Employees, practitioners and contractors who process data are required to sign a confidentiality and data protection agreement
Data transfer outside of the EU
Helix House uses an email service which is GDPR compliant, which means that any data stored in the Helix House email inbox is appropriately protected should the data be stored on a server outside of the EU. Data transfer outside of the EU can also occur if we communicate via email and your email inbox is hosted on a server outside of the EU, or if we communicate by phone and one of us is located outside the EU. In such cases this data transfer will be because:
- it relates to the provision or administration of your healthcare
- it is for reasons of public interest
- it is necessary for legal reasons
Subscribing to the Helix House newsletter
Helix House periodically distributes a newsletter to a subscriber opt-in mailing list. Recipients can withdraw consent for personal data to be held for this purpose at any time, by clicking “unsubscribe” on a newsletter mailing, or contacting Helix House. Contact details are at the top-right of this page.
Requesting access to your data
If your personal data is processed by Helix House, you have the right to know:
- how to gain access to this data
- what data of yours Helix House stores and processes
- how to ensure it is accurate, to amend it and keep it up to date
- how to restrict processing or to request the data be erased (applicable only in certain circumstances)
- what Helix House does to comply with current data protection legislation
To request access to your data, please write to Helix House at the above address. We aim to respond to requests for access to personal data as soon as possible, and will ensure that access is provided within 40 days of receiving the written request, as required by GDPR.
What happens if there is a data breach?
If there is a data breach that is likely to result in a risk to people’s rights and freedoms, it will be reported to the Information Commissioner’s Office no later than seventy-two hours after it has come to light. People whose data is affected will be notified in line with current legislation.
How to make a complaint about data processing at Helix House
If you have a concern about how your personal data has been handled at Helix House, please contact us in the first instance. We may request identification if necessary to progress the investigation. If we are unable to resolve your concerns satisfactorily, please then contact the Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
Further information about Helix House privacy policies and protocols, and the Code of Practice of the General Osteopathic Council (GOsC), is available on request.