Data Protection Policy for Severn Physiotherapy
Updated 27/3/18 – to comply with May 2018 GDPR
Statement of awareness:
- This document shows that we are aware.
- This document lists where we keep patient data and what data we hold. We have a consent form which every patient or power of attorney signs before assessment is started.
Patient data we keep:
- Date of birth
- Care home name and number
- GP name and address
- Consultant name and hospital
- Social worker name and number
- Name and number of any other relevant health / social care professional involved
- Medical notes that we make throughout assessment and treatment sessions, including notes of any phone calls in between
How we keep patient data
This is all kept either on paper, anonymised, in a locked cabinet in our homes, or in the clinical notes package WriteUpp. This software package acts as our Data Processor. They have appropriate measures and protections in place to comply with their responsibilities in this role and provide a suite of tools to enable us to comply with our responsibilities as a Data Controller.
We recommend that all physiotherapists working for Severn Physiotherapy use their electronic device with the software app downloaded to record patient data and progress notes. They should not remain logged into the app when it is not in use.
How to make data electronic
Any photos of patient information such as GP summaries, medical reports, prescriptions etc. must be taken with the Physiotherapist’s phone and saved to the clinical note writing software, then deleted from the phone immediately. If this information has been emailed, it can be saved directly to the software.
Sharing patient data
We have a duty of care to share relevant information with involved health and social care practitioners in the case of safeguarding concerns; this is at our discretion, and we will normally inform you first.
We are also sometimes required to share your information to make onward referrals, with your consent, or to liaise with other medical or social care staff for your benefit; you will be informed before these discussions occur. This is only done when necessary, with minimal information conveyed.
Information will only be shared for the purposes agreed at original time of disclosure. If later required for another purpose this must be agreed with the owner in person.
We will willingly provide patients with their own data at their request, in electronic or paper format, within 28 days. We will need to verify that the patient requesting the data is the correct person by asking for full name, date of birth and address.
Deleting patient data
After 10 years we delete all patient data electronically and do not keep any traceable form. In the case of paper notes these are shredded and untraceable.
Processing patient data
We will not process any data for any profiling or marketing purposes currently (to be reviewed in 2019).
- In the event of a data breach, we will notify any clients involved within 72 hours of becoming aware of it. In the case of a significant breach we will inform the Information Commissioner’s Office.
Skye Ramell and Kelly Steed will audit this data protection process every 6 months to ensure passwords are being used on digital documents, that information being shared by email has been anonymised as described above, and that paper documentation is locked and secured.
Right to be forgotten
We have a legal duty to keep your notes for 10 years and no shorter time than this. This means that the law does not allow you to ask us to be forgotten. If a court of law requires your notes within 10 years of our having contact with you, we are obliged to provide them.
Information Security Policy
WriteUpp does not resell your data.
Emails containing patient information will be anonymised as far as possible. If this has not happened, the information will be copied and pasted into the patient notes and the email will then be erased and ‘removed from trash’.
• Records Management: Code of Practice for Health & Social Care 2016;
• NHS Information Governance: Guidance on Legal and Professional Obligations September 2007;
• The Health and Social Care Acts 2008, 2012 and the Health & Social Care (Safety and Quality) Act 2015 and their regulations;
• Data Protection Act 1998 – and updated 2018 GDPR