Information Governance Policy
Author and creation date: Tom Jacobs July 2021
Version: V3 July 2023
Audience to whom document applies: All staff
Next planned review date: July 2024
Review history
Version 1 – Review Date July 2022 – Person responsible: Tom Jacobs – Details of changes: None
Version 2 – Review Date July 2023 – Person responsible: Tom Jacobs – Details of changes: None
Version 3 – Review Date July 2024 – Person responsible: Tom Jacobs – Details of changes: None
Contents
1 Introduction and Purpose
2 Responsibilities and Duties
3 Monitoring and Compliance
4 Process and Detail
5 References
1 Introduction and Purpose
1.1 The EU General Data Protection Regulation took effect from 25th May 2018. This policy demonstrates how PracticeLink Ltd conforms to the GDPR requirements.
2 Responsibilities and Duties
2.1 PracticeLink Ltd collects names, addresses, emails, telephone numbers and medical information from patients. These are stored securely in the patient record system. Consent is gained to keep the information and to contact them. Medical records will be kept for the statutory time and then destroyed.
Electronic data is kept secure on devices that are password protected.
2.2 Data Controller
PracticeLink Ltd is the data controller and processor.
2.3 Data Protection Officer
Tom Jacobs is the person designated to ensure the business complies with GDPR.
3 Monitoring and Compliance
3.1 Personal Privacy Rights
PracticeLink Ltd upholds all individuals’ personal privacy rights:
● Right to subject access
● Right to have inaccuracies deleted
● Right to have information erased
● Right to object to direct marketing
● Right to restrict the processing of their information, including automated decision-making
● Right to data portability.
3.2 Legal Basis for Processing Data
PracticeLink Ltd collects and processes all personal data to enable physiotherapy treatment needs to be met.
3.3 Unauthorised access
Only PracticeLink Ltd and its associates have access to clients’ personal data and medical information.
3.4 Personal data is:
● Processed lawfully, fairly and in a transparent manner
● Collected for specified, explicit and legitimate purposes
● Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
● Accurate and kept up to date (inaccurate personal data is erased or rectified without delay)
● Kept in a form which permits identification of data subjects for no longer than is necessary
● Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
3.5 PracticeLink Ltd has separate business email accounts which are password protected.
3.6 PracticeLink Ltd does not share personal data with third parties without gaining consent.
3.7 PracticeLink Ltd gains consent for direct marketing.
3.8 This policy will be monitored via audit of signature sheets and ensuring it is part of the induction process.
4 Process
4.1 Any breaches are reported to the Data Protection Commissioner (DPC) within 72 hours unless the data was anonymised or encrypted. Breaches that might bring harm to an individual (e.g. identity theft or breach of confidentiality) are also reported to the individual(s) concerned.
5 References
5.1 EU General Data Protection Regulation
5.2 ICO.org.uk
https://ico.org.uk/for-organisations/business/assessment-for-small-business-owners-and-sole-trader