Personal data is data that relates to identifiable natural persons.
Special Category Personal Data
The GDPR affords special protection to specific categories of data that are particularly sensitive. These are referred to as ‘Special Category’ personal data, and include information about a person’s physical or mental health. Clinical records contain these data. Health Professionals may also be processing special category personal data in emails or other communications, although processing of these data is prohibited unless certain requirements are met.
Data Controller – Podplus Limited
A Data Controller is an individual or organisation that determines the way in which personal data is processed. It is likely that controllers will be required to pay an annual fee to the Information Commissioner. Podplus deals directly with how the data is collected and how it is used.
Data Processor – Practice Pal
A Data Processor takes care of the processing of the data, under the instruction of the data controller. Podplus use Practicepal software to serve the role of the main data processor. In some cases Podplus may act as processor, but this is only ever done ad hoc, and on the instruction of Podplus, the primary data controller.
The data subject is the individual to whom the data refers – the patient.
Personal Identifiable Information (PII)
This is the data about and belonging to the data subject (the patient) that can be used to identify them. GDPR increases the scope of PII to include a patient's ID amongst other things.
Lawful Grounds for processing - The full details can be accessed at: https://ico.org.uk
AWARENESS AND COMMUNICATION – Podplus employee policy
Podplus provide staff training on the GDPR prior to 25th May 2018, and at every new member induction.
ANALYSIS OF PERSONAL DATA - Data mapping & data flows
As an independent practice our team will be processing the personal data of their patients, which includes special category personal data. This also includes how to manage personal data from enquirers who never become patients.
All patient and enquiry contact information is put directly onto our secure Practicepal software. The record on the software is only accessible by authorised staff at certain times of the day and week dependent upon their working hours, and staff are allocated specific security groups within Practicepal.
Practicepal software (the processor) is compliant with the GDPR.
LAWFUL BASIS FOR PROCESSING – Article 6 of the GDPR
Practitioners registered with the HCPC practising at Podplus have a Legal obligation: the processing is necessary for you to comply with the law.
All other data collected has Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
REVIEW PROCEDURES – Data access protection
Podplus take the following steps for best practice:
- Review current policies and procedures and make sure that only necessary data is being collected and that it is only processed to the extent necessary.
- Make sure the data collected is being stored securely.
- Make sure access to the data is limited.
- If the data is no longer needed then it will be destroyed.
ACCESS RIGHTS – data access requests and data subject rights
All data access and changes are managed via Practice Pal software to comply with the GDPR.
Practicepal software has a diary audit which records any changes to the diary, when they were made, along with who they were made by.
The GDPR rules introduce mandatory data breach notifications to the ICO within 72 hours and in some cases to the data subjects too.
CUSTOMER CONSENT – Consent to marketing and transparency
- Any information provided is input directly into our secure practice management system Practicepal software and complies with GDPR regulations.
- A data form on Practicepal software explains marketing options and records consent.
- All new patients consent to treatment at each appointment.
When data is captured/unsubscribed the Practicepal record is updated. This includes details of each individual, what they consented to, when they gave consent and the information they were given at the time.