ANNA WINSTANLEY PHYSIOTHERAPY
How, When and Why I collect your information.
When you request to join a class, or a waiting list for a class, I add your name to an email group. Please see below for how I manage mailing lists. When you start a new class, I ask clients to complete a registration form, which asks for Name, contact details, GP contact details, Emergency (next of kin) contact details. This ensures that I am able to contact you, and it also fulfils my professional standards according to the Chartered Society of Physiotherapy’s Quality Assurance Standards for Physiotherapy service delivery. I also gather information about your lifestyle, your goals and your medical background. This data constitutes Special category data under GDPR Article 9 (2). This enables me to screen your suitability for the class, and to highlight any particular problems you have that will require me to make suitable adaptations to the exercises given in class. It’s to help keep you moving safely. Information about your lifestyle and work also helps me to foster a holistic view of you as a whole person, so that I can be sensitive to any external stresses on your body or mind.
How I store it and keep it secure.
Paper records are kept safe in an A4 binder that stays with me during the class. At my home the file is stored in a locked filing cabinet. When you leave the class, your records are transferred to an archive section of the same filing cabinet, and remain there for the legal duration that I am bound to keep them.
In the past I have used Google Forms to gather information about my clients which they will have been asked to complete at the time of onboarding with me. From September 2021, I will be using a more complete Client management system called Cliniko which enables me to take bookings, deliver telehealth and keep electronic notes in one place. Cliniko is based in Australia, but upholds UK GDPR law for its many UK customers and has its own UK and EU Data Protection Officers. Cliniko acts as the processor of my clients' data, but I remain the controller of your data. Should I ever change client management systems or close my business, I am able to export all of the client data I hold, so it will not be lost.
For more information on the security of Cliniko visit https://www.cliniko.com/security/
How long do I keep your data?
The Chartered Society of Physiotherapy advises that this duration should be eight years from the date of last treatment for adult records, and for children eight years after their 18th birthday or until 25 years of age.
How do I dispose of your data?
Once the 8-year retention period is over, I dispose of paper records by shredding and either burning or composting. Electronic records will be manually permanently deleted from Cliniko, Google Suite, Mailchimp or any other application.
I may also hold your name and telephone number on my mobile phone, so that I am able to contact you quickly and easily to arrange, change or cancel classes or appointments. I may access a variety of apps including Google Suite and Cliniko using my iPhone or iPad. These devices are password protected as are the apps which I use therein.
Visitors to the Website
When you visit www.basepilates.co.uk I use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. I do not make, and do not allow Google to make, any attempt to find out the identities of those visiting my website.
My business is still relatively small so I also maintain my email lists manually and may still on occasion send emails directly from a Google for business account (G Suite). Google has made amendments to its privacy and security protections in order to be GDPR compliant, and I have updated my account to accept their Data Processing Amendment. Google regularly updates users with any changes, and these are reviewed and updated as appropriate. You can find out more information about Google and GDPR here: https://cloud.google.com/security/gdpr/
I usually send out group emails to let clients know about the class times and any changes to that schedule. When I send group emails, I enter the recipients under ‘bcc’ so that nobody else can see your email address. If you’d like to swap email addresses with another client you’ve befriended in class – I’ll leave that up to you! Sometimes I send group emails that are not bcc, and this would occur within a group of friends or colleagues who have commissioned me to teach a class at their workplace or other pre-arranged venue.
If you contact me to find out about classes, I will add your email to the waiting list email group with your consent. If you later tell me you no longer need to be on the waiting list, I’ll remove your details from my database.
Like many small businesses, I use Facebook and Twitter to help share information about my services, and connect with potential and existing clients. It’s fun! You should know that if you choose to interact with me via social media, you are agreeing to the terms and conditions of those platforms.
All the information you share with me is treated with respect and discretion. Personal data disclosed with the registration forms or physiotherapy assessment are confidential and treated as such.
During group classes I may openly advise you that certain exercises are not suitable, offer modifications relevant to your particular condition or indicate to you exercises which are likely to be particularly beneficial for you. I always do my best to remain discreet in these instances. I begin each class asking the group if there are any issues I need to be aware of.
The onus is on individual clients to approach me in confidence or via email prior to the class if they prefer to keep this information confidential.
I don’t routinely share personal information with any third parties. If you were to become unwell during a class, I may then share your information with any attending emergency services, or with your GP if that is more appropriate. If necessary I would also inform the emergency contact person that you have given me on your registration form. Similarly, if I had any concerns about you that you might harm yourself or others, I would be legally obliged to share that information with relevant health and social care providers.
Right to Access your Personal Data
Under the General Data Processing Regulations, 2018, people have the right to access information that we have stored about them.
If you want to view, amend or delete your personal data as is your right, please contact me at email@example.com. Legal exemptions may apply.
Changes to Privacy Notice
This policy was created on the 18th May 2018 and will be reviewed annually, or at any time that my data controlling methods or practices change before that date.
Updated 19th June 2019.
Updated 20th September 2021