The Data Processor and Controller is FIT4-PHYSIO Ltd [“we” or “The Company”] of 716 Ecclesall Road, Hallamshire Tennis and Squash Club, Sheffield, S11 8TA.
The client [“you” or “your”] being a customer or potential customer of The Company
A “User” meaning a director or contractor or employee of The Company
About this document
How we collect your Data
We may collect your personal data in the following ways
- Directly from you, when you make enquiries over the phone or via email, or when you interact with us during your time at the business, in various other ways (for example, enter a competition online or sign up for an offer)
- From someone else who has registered with us on your behalf (for example a family member or acquaintance, who has provided us with your contact details for that purpose)
The types of Data we collect
We may collect the following types of personal data about you:
- Contact and communications information, including your contact details. This will include e-mail address(es), telephone numbers and postal address(es), and records of communications and interactions we have had with you;
- Personal medical and physiotherapy records which will contain data of a sensitive nature
- Financial information, including Credit Card and Direct Debit details – these are kept only on a cloud-based system which is managed by First Data. The cloud security of this data is the responsibility of First Data. Financial information is not stored alongside any other data we may hold for you. Fit4-Physio is compliant with a financial payments check completed annually.
How we use personal data
Personal data provided to us will be used for the purposes set out at the time of collection and, where relevant, in accordance with any preferences you express.
More generally, we will use your personal data for the following purposes:
- For compliance with our legal obligations including but not limited to:
- Maintaining accurate and timely medical records in line with the standards set out by the Health Professions Council and the Chartered Society of Physiotherapy
- Administration of The Company’s operations, including but not limited to:
- Organising and informing you about The Company’s services including classes, events, group sessions and facilities opening hours;
- Diary management – including management of this by a remote administration team (this team only have access to basic information such as your name and telephone numbers and any details you give to us over the phone or email when making bookings)
- Research and statistical analysis regarding the day to day use of The Company’s operations;
- Communication with you informing you of offers, news (“marketing”) about The Company’s operations and services we think may be of interest to you;
- Storing your personal details and reasons for attendance on a database for The Company’s financial records. No personal financial information (credit or debit card details) is stored alongside this.
How we store and manage your personal data
- Medical records from 01/03/2022 onwards will be stored on a secure cloud-based medical records / clinic software system called Clinko. Access to your personal information will be strictly limited to relevant personnel (e.g., only therapists will have access to your medical information).
- Medical records pre 01/03/2022 are detailed on paper and stored securely in locked filing cabinets behind a locked door. Medical records are stored for 8 years after the last treatment date for adults and 8 years after a child’s 18th. Records are then destroyed securely.
This meets our legal obligations in storage and retention of medical records according to the Chartered Society of Physiotherapy.
- Some electronic files containing personal medical information and non-medical information (including but not limited to rehabilitation and exercise sheets, medical referral letters and reports) are stored on a password-protected laptop and a cloud-based, password-protected shared storage system.
- Non medical personal data may be stored on various formats (including but not limited to databases and online mail management software) indefinitely or until we receive your instruction to destroy your records or remove you from any database or mailing list we may hold.
Who has access to your personal data / Sharing your data with others
- The Company’s Users have full access to medical records. Access is strictly utilised on a need to know basis in line with the Chartered Society of Physiotherapy Standards. Users also have access to personal data (both medical and non-medical) stored on shared password protected cloud-based software.
- The directors of the company also have full access to limited financial details stored on the First Data cloud-based system used for taking or refunding payments and financial reporting.
- Third party companies including but not limited to: remote administration team and accounting services, will access personal data relevant to the tasks for which they are contracted by The Company. These third parties are bound by agreements of non-solicitation and will not use your data to contact you directly unless it is relevant to your interaction with The Company.
Your marketing preferences
We will always respect your wishes with respect to the type of communications you wish to receive from us and how you want to receive them (your “marketing preferences”). There are some communications, however, which we may need to send you regardless of your marketing preferences in order for us to fulfil our obligations to you as a customer of The Company
You are in control of how we communicate with you. You can update your marketing preferences and / or your contact details by contacting us at firstname.lastname@example.org any time.
Under certain circumstances, by law you have the right to:
- Request access to your personal medical records. GDPR regulations suggest such requests should be made in writing and addressed to the Directors of The Company. The timeframe within which The Company will meet such a request is 25 days.
- Request access to your non-medical data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data which we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. You can also withdraw your consent, where this is the basis for our processing your data (without affecting the lawfulness of our previous processing based on consent).
- Request the transfer of your personal data to another party.
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply.
Contact and complaints
If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner with whom The Company is registered. You can find out more about your rights under applicable data protection laws from the Information Commissioner’s Office website: www.ico.org.uk
Web Related Policy
What information we collect and how
The information we collect via the Website may include:
1. Any personal details you knowingly provide us with through forms and our email, such as name, address, telephone number etc.
2. Your preferences and use of email updates, recorded by emails we send you (if you select to receive email updates on products and offers).
3. Your IP address. This is a string of numbers unique to your computer that is recorded by our web server when you request any page or component on the Website. This information is used to monitor your usage of the Website.
What we do with your information
Any personal information we collect from this website will be used in accordance with the Data Protection Act 1998 and other applicable laws. The details we collect will be used:
1. To process your order, to provide after sales service (we may pass your details to another organisation to supply/deliver products or services you have purchased and/or to provide after-sales service);
2. In certain cases we may use your email address to send you information on our other products and services. In such a case you will be offered the option to opt in/out before completing your purchase.
We may need to pass the information we collect to other companies for administrative purposes. We may use third parties to carry out certain activities, such as processing and sorting data, monitoring how customers use the Website and issuing our e-mails for us. Third parties will not be allowed to use your personal information for their own purposes.
You have the right to request a copy of any information that we currently hold about you. In order to receive such information please send your contact details including your address to the contact information found here.