General Data Protection Regulation (GDPR) Policy
Cheshire Foot Clinic part of Grove Surgical Services Limited
Information We Hold
We hold clinical information relating to the care of patients provided by Cheshire Foot Clinic employees, and information about our employees.
The patient data held consists of:
- Date of birth
- Telephone number
- GP name
- GP address
- GP telephone number
- Insurance company information
- Outpatient written notes
- Copies of Inpatient and operation notes
- Investigation reports
- Correspondence letters
- Invoicing information
Written and electronic clinical records relating to adults are kept for eight years after the date of last treatment. Written and electronic clinical records for minors are kept until the individual is 25 years of age, or for eight years after death if sooner. These are the same retention periods as those set out by the NHS. After the retention period has expired, written records are shredded and appropriately disposed of, and electronic records are deleted.
Security of Information
Our laptops and computers are password protected and encrypted, and we regularly back up data locally to encrypted hard drives.
Patients under the care of Cheshire Foot Clinic
Patients under the care of Cheshire Foot Clinic are seen at 21A Tatton Street, Knutsford, WA16 6AE.
Records fall into three categories: historical records, in written form, which are kept in a locked filing cabinet; current patient records, which are stored electronically on Cliniko; and information relating to individual private health insurance claims, which is held on Healthcode.
Since December 2017, all new patient records have been kept in electronic format. Any paper documents relating to a patient are scanned and kept electronically. Any follow-up patients seen after December 2017 who have historical records in written form have those records scanned and transferred into electronic form. All paper copies of scanned records are securely shredded.
Electronic Patient Records:
Grove Surgical Services Limited and Cheshire Foot Clinic have a data protection agreement in place with Cliniko that meets GDPR requirements.
Patients consent at their initial appointment to their data being stored electronically on Cliniko, and can revoke that consent at any point, at which time all of their information can be deleted. Patients can request to see the information held about them at any point; it can be exported and downloaded in an easy-to-read format.
The Cliniko team has the minimum level of access to customer information required to maintain their systems and assist clients appropriately. Cliniko data is backed up daily; redundant backups and records are deleted.
Reception staff follow the confidentiality policy and have access to Cliniko so that they can make appointments and produce invoices. Clinical information and medical histories are not visible to reception staff in Cliniko.
At the initial appointment, Cheshire Foot Clinic obtains patients' consent to use Cliniko to contact them with reminders of upcoming appointments or information about their treatment. Patients choose whether to be contacted by SMS and/or email, and can opt out of this form of communication at any point.
Cheshire Foot Clinic signs patients up to receive marketing information only with their consent, given at appointment. Patients can request to be removed from the marketing list at any point.
Health Insurance Claims:
For private health insurance claims, accounting data, including solicitor and insurance company invoicing, is recorded on Healthcode and is accessed from the computers described above via a password-protected portal. Data held by Healthcode is subject to Healthcode's own data protection policies. Healthcode is expanding its secure messaging service so that healthcare professionals and insurers can share information in encrypted form without compromising patient privacy.
Healthcode data is stored within a private dedicated infrastructure which is physically located in a secure UK data centre. Healthcode’s information security systems comply with the latest international specification for information security management systems (ISO/IEC 27001:2013).
Credit card payments:
In addition to providing patient care, Cheshire Foot Clinic processes credit card payments. A PCI DSS compliance assessment has been completed and certified. Cardholder details and card numbers are not written down, recorded or communicated. See the Company Information Security Policy dated 26012018 for further information.
How do staff members communicate about patients?
Employees generally communicate about patients and company issues via email. We use Proton business mail, which allows personal information to be transferred between staff mailboxes in encrypted form.
Communication with Outside Organisations
Currently, communications are via email or letter. Patient data is only shared where required as part of the ongoing care of the patient, and usually only with other clinical organisations. Organisations with which Cheshire Foot Clinic regularly communicates include:
- The Wilmslow Hospital, Wilmslow
- Patients' general practitioners
If any other third party requests information relating to the care of a specific patient, the patient's permission is sought before the data is shared. Cheshire Foot Clinic does not otherwise share patient-related information with third-party organisations unless the patient requests it.
If information passed to another organisation by Cheshire Foot Clinic is found to be inaccurate, Cheshire Foot Clinic will inform that organisation and the patient as soon as the error is identified.
Keeping Our Patients Informed
This data protection policy outlines what data we store, how it is stored, how long it is stored for, and how to complain if an individual feels that their data has been managed incorrectly. Copies of our data protection policy and procedures are available online and on request.
Whenever written correspondence relating to the clinical care of a patient is produced, the patient is copied into the communication. For children (under 18 years of age), all correspondence is sent to their parents. If the child wishes to have a copy of the correspondence themselves, it is forwarded to them separately.
Patients are also entitled to access their records at any time. If there is an error in their records, or they object to the content of their records, they are entitled to request that the records are modified or corrected. They are also entitled to ask that their records are erased. They may also limit the way that communications are made, for example if they do not wish a letter to be sent to their GP. All such requests will be respected without charge to the patient, and will be dealt with promptly and within a maximum of one month.
We keep patient data for the purpose of informing their treatment. We only share their medical information with other healthcare professionals involved in their care. Only the key information needed to contact and identify patients is shared with the hospital and clinic sites we use.
Data Breach Procedure
If there is a data breach, the affected patients will be informed. The breach will be investigated with the data storage or email service provider concerned, and rectified as soon as possible. The ICO will be informed, within 72 hours of the breach being identified, of any data breach that is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Responsibility for Data Protection
Cheshire Foot Clinic is part of Grove Surgical Services Limited.
According to the ICO, due to the size and function of our organisation, it is not necessary for Grove Surgical Services Limited to have a nominated data protection officer. However, each member of our team is fully briefed on our data protection policy and procedures and takes responsibility for protecting the data they handle.
If you have any queries about our data protection policy, please contact us by email or in writing at:
Cheshire Foot Clinic, part of Grove Surgical Services Limited, PO Box 411, Wilmslow, SK9 0EJ
We will endeavour to respond to your request promptly.