This policy covers the collection, processing and other use of personal data under the Data Protection Act 1998 (“DPA”) and the General Data Protection Regulations 2018 (“GDPR”). It relates to data collected via our Website and through all of our clinic services (“Our Services”).
We, Back2Fitness Scotland Ltd, are committed to protecting and respecting your privacy.
We are registered with the Information Commissioner’s Office (Registration No: ZA063754).
Back2Fitness Scotland Ltd has implemented numerous technical and organisational measures to ensure the most complete protection of personal data processed by us in Our Services. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed.
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using Our Services, you’re agreeing to be bound by this Policy.
Types of Information We Collect
We may collect information from you which can be used to identify you (“Personal Information”), such as your name, address, date of birth, email address, telephone number, medical insurance membership and authorisation numbers. We also hold GP and Consultant details and details of treatment provided, which may include sensitive personal information such as medical information.
Information that will be collected:
– When you register at the clinic
– Throughout your treatment with us
– When your personal information changes or is updated (for example, a change of address)
– If you submit an enquiry to us via email or phone and you have consented to having your details stored.
We may also get information from a third party who books an appointment on your behalf, such as family members, insurance companies, GPs and Consultants (e.g. referrals, medical reports, updates after appointments or procedures/surgery, consultant/GP appointments).
In some instances it may be necessary for us to contact third party providers to supplement the personal information you give us (e.g., validate your private medical insurance information with an insurance company, when processing invoices) to help us maintain the accuracy of your data and provide you with a better service.
Personal information we collect automatically
When you use the Website we automatically receive and record information on our server logs from your browser or mobile platform, including your location, IP address, cookie information, and the page you requested.
We treat this data as non-Personal Information, except where we are compelled to do otherwise by law or legal authority.
This data is only used in aggregate form to monitor how our customers, collectively, use the Website. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
Third Party links
You might find links to third party websites on our Website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
Collection and use of children’s personal information
We only collect the personal and medical information required to effectively treat children. This information will be obtained from the parent or guardian chaperoning the child for their appointment. Records will be stored in line with Data Protection laws and all the confidentiality guidelines issued by professional bodies such as the Chartered Society of Physiotherapy (CSP) and the Health and Care Professions Council (HCPC). From the age of 16, patients can consent themselves.
What we do with your information
We hold personal details including medical information and we use this information to obtain details relevant to your treatment and for medical and internal record keeping; this information will only be kept as long as necessary to comply with UK law and professional bodies.
We do not sell your information to third parties, and we only share your personal information with third parties (e.g. insurance companies, GPs and Consultants) when required and with your consent/knowledge.
The confidentiality of your personal information is of the utmost importance to us and we comply with the Data Protection laws and all the confidentiality guidelines issued by professional bodies such as the Chartered Society of Physiotherapy (CSP) and Health and Care Professions Council (HCPC).
We may use your Personal Information for the following purposes:
Clinic Registration/Appointments: We will use your name, address, date of birth, telephone number, and email address to register you with Back2Fitness Scotland Ltd for Our Services and to communicate important information to you. To keep our records current, we may obtain additional personal information about you, such as address changes, changes to your health information, and correspondence from other healthcare professionals and insurance companies, throughout your treatment and also if you return to the clinic in the future.
Invoicing & Insurance Companies: When processing insurance claims on your behalf, your name, address, date of birth and insurance policy details will need to be provided to your insurance company to enable them to progress the claim. This may be communicated via telephone or email.
Appointment Reminders & Clinic News: We may use your information to send confirmation & reminder emails for your appointments and for any correspondence regarding your treatment.
We may contact you from time to time, regarding clinic news and information about Our Services.
Response to Legal Requests: Where we receive requests from third parties (e.g. solicitors if there is a personal injury claim), we will only photocopy your physiotherapy records and provide electronic records on request, provided we have written authorisation from you.
Accessing Your Personal Information: You have the right to access the personal data which we hold on you free of charge and we will provide this information within one month of receipt of request. If the request for data is complex or numerous we reserve the right to extend this period by a further two months.
We may employ third party companies and individuals to: facilitate Our Services, to provide Our Services on our behalf, to perform Service-related services or to assist us in analysing how Our Services are used. These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Updating Your Personal Information
In connection with your right to manage the personal information you provide to us, you may update, change or correct any of your information.
Controlling the use of your data
If you have given us consent to use your data for a particular purpose, you can revoke or vary that consent at any time. If you do not want us to use your data, or want to vary the consent that you have provided, you can email us at firstname.lastname@example.org at any time.
In accordance with and as permitted by applicable law and regulations, we will retain your information for as long as necessary to serve you, to maintain your account for as long as your account is needed to operate our business. We will retain and use your information as required by applicable regulation and information management policies to comply with our legal and reporting obligations, resolve disputes, enforce our agreements, and complete any outstanding transactions and for the detection and prevention of fraud.
Security of your information
We take security seriously. In order to protect your information from loss, misuse or unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. All staff have a legal duty to respect the confidential information we hold, and access to this information is restricted to those who have a reasonable need to access it.
We provide reasonable and appropriate security measures in connection with securing the personal information we collect. For example, we:
– Constantly work to update our security practices to implement accepted best methods to protect your Personal Information and review our security procedures carefully.
– Comply with applicable laws and security standards.
– Securely transmit your sensitive Personal Information.
– Train our staff and require them to safeguard your data.
We will report any unlawful breach of data as required by the GDPR within 72 hours of the breach occurring, if it is considered that data within our control, including the control of our data processors, has actually or possibly been compromised. If the breach is classified as ‘high risk’ we will notify all data subjects concerned using an appropriate means of communication. We will report any relevant breaches of data to the Information Commissioner’s Office (ICO).
How to Contact Us
Last updated: May 2018