Version 1.0 Valid from 15th May 2018
Pro Performance Clinics ltd is aware of it’s obligations under the General Data Protection Regulation (GDPR) and is committed to
protecting the privacy and security of your personal information. This privacy notice describes, in line with GDPR, how we collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This notice applies to current and former patients.
Data controller details
The Clinic is a data controller, meaning that it determines the processes to be used
when using your personal data. Our contact details are as follows: Robert Griffiths 02071682471
Data protection principles
In relation to your personal data, we will comply with data protection law. This says that
the personal information we hold about you must be:
• Processed fairly, lawfully and in a clear, transparent way
• Collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with those purposes
• Only used in the way that we have told you about
• Accurate and up to date
• Kept only as long as is necessary for the purposes we outline
• Process it in a way that ensures it will not be used for anything that you are not
aware of or have consented to (as appropriate), lost or destroyed
• Kept securely
Types of information we hold about you
Personal data or information means any information about an individual from which that
person can be identified. It does not include data where the identity has been removed.
We hold many types of data about you, including
• Your personal details including your name, address, date of birth, email address,
• Banking or financial information
• Marital status
• Next of kin and their contact numbers
• Personal medical or health information, including past medical history
• Radiological and lab results and images
• Information concerning examination and treatment at your first and subsequent
• Letters of referral to or from the clinic regarding your treatment with us.
• Images and videos where appropriate for the purpose of in house educational
referencing and for your assessment progressions.
Special categories of data
There are “special categories” of more sensitive personal data which require a higher
level of protection, such as information about a person’s health or sexual orientation.
• Sex life
• Sexual orientation
• Ethnic origin
• Genetic and biometric data
We will use your special category data:
• to ensure the care you receive at the clinic is appropriate to your condition
• to determine reasonable adjustments that should be made for access to the clinic
or to treatment
We must process special categories of data in accordance with more stringent
guidelines. We will process special categories of data when the following applies:
• you have given explicit consent to the processing (on our consent form) • we must process the data in order to carry out our legal obligations
• we must process data for reasons of substantial public interest
Less commonly, we may process this type of information where it is needed in relation
to legal claims or where it is needed to protect your interests (or someone else’s
interests) and you are not capable of giving your consent, or where you have already
made the information public.
As with all cases of seeking consent from you, you will have full control over your
decision to give or withhold consent and there will be no consequences where consent is
withheld. Consent, once given, may be withdrawn at any time. There will be no
consequences where consent is withdrawn.
How we collect your data
We collect data about you in a variety of ways and this will usually start when you make
an enquiry to the clinic and continue when you attend your first and subsequent
appointments. At this clinic, we keep paper and electronic records. Information we
write down on paper may be transferred to our electronic system. We may receive
information about you from your GP or other health care provider regarding your
referral or, with your permission, additional information that will help us continue with
your treatment. We may also hold the results of tests that you have undertaken and that
are relevant to your treatment with the clinic.
Personal data is kept in the clinic in a secured cabinet, and on a secured computer
system. We are compliant with the PCI security measures to ensure merchant card
payments are safe and secure. We operate a 24hr CCTV surveilance in appropriate
places around the clinic and Gym. The clinic is situated in a secure 24hr office building
with security guards and CCTV off premise to ensure the safety of theft along with a
secured office premise entry door.
Why we process your data (How we will use information about you)
The law on data protection allows us to process your data for certain reasons only, these
are classified as legitimate interests. Most commonly, we will use your personal
information in the following circumstances:
• in order for us to carry out our contract with you (your requesting treatment and
our agreement to provide it constitutes a contract) which will include confirming
appointments, informing you of changes to appointments or clinic arrangements,
changes to facilities or services at the clinic.
• in order to provide you with the best possible treatment by recording health and
treatment information which would be in your best interest.
• in order to carry out legally required duties such as those required by me by my
government appointed regulator
• where it is necessary for our legitimate interests and your interests and
fundamental rights do not override those interests
• to inform you of changes to our services, introducing new services provided,
alternate operating times and for updates to any clinic changes that may benefit
or hinder your health
• to remind you of your appointments at time of booking and at least 24hrs before
We may use your personal information in these rare situations:
• where we need to protect your or someone else’s interests
• where it is needed in the public interest or for official purposes
Situations in which we will use your personal information
We need all the categories of information to primarily allow us to perform our contract
of treatment with you and to enable us to comply with legal obligations.
If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line
with your contract of care with us. If you do not provide us with the data needed to do
this, we will be unable to perform that care to ensure your best interests are being
maintained. We may also be prevented from continuing with your treatment with us due
to our legal obligations.
Change of purpose
We will only use your personal information for the purposes for which we collected it
unless we reasonably consider that we need to use it for another reason and that reason
is compatible with the original purpose. If we need to use your personal information for
an unrelated purpose, we will notify you and we will explain the legal basis which allows
us to do so.
Please note that we may process your personal information without your knowledge or
consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision making
No decision will be made about you solely on the basis of automated decision making
(where a decision is taken about you using an electronic system without human
involvement) which has a significant impact on you.
Sharing your data
Your data will be shared with colleagues within the Clinic but only where it is necessary
for them to undertake their duties. This includes, for example, other chiropractors
working for, at or on behalf of the clinic, reception staff, on site personal trainers and
any other practitioner on site. Medical notes are only available to the healthcare
practitioners and reception staff.
We may share your data with third parties in order to facilitate a referral to another
healthcare practitioner, investigation or to keep your GP informed about your progress
with treatment. We may from time to time consult with your coach or personal trainer
in regards to your sporting activities to facilitate your care. On rare occasions we may
also require a third party locum or self employed practitioner to process your data.
We may also share your data with third parties as part of a Clinic sale or restructure, or
for other reasons to comply with a legal obligation upon us. We would always keep you
informed of these situations.
Transferring information outside the EU
We may share your data with bodies outside of the European Economic Area should the
need arise. It is likely that this situation would be to share information regarding your
treatment or ongoing care with healthcare practitioners in these countries in accordance
with your wishes. However, we would not transfer your data unless we were assured that
the country in question had data security and protection laws of equivalence to those of
the UK and the European Economic Area. We have put the following measures in place to
ensure that your data is transferred securely and that the bodies who receive the data
that process it in a way required by EU and UK data protection laws: We will consult on
legal advice from professional bodies, associated legal aid the regulatory bodies in
question as to the Data protection laws of the countries in question.
Data Security – Protecting your data
We have put in place measures to protect the security of your information against
accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We
have implemented processes to guard against such. In addition, we limit access to your
personal information to those employees, agents, contractors and other third parties
who have a business need to know. They will only process your personal information on
our instructions and they are subject to a duty of confidentiality. We impliment the
following measures to ensure the safe keeping of your data: data encryption, firewalls,
up to date security software, data backups, password security protocols, locked filing
cabinets for paper files, windows secured, 24hr CCTV surveillance, 24hr security guard
in the office block.
Where we share your data with third parties, we provide written instructions to them to
ensure that your data are held securely and in line with GDPR requirements. Third
parties must implement appropriate technical and organisational measures to ensure the
security of your data.
How long we keep your data for
In line with data protection principles, we only keep your data for as long as we need it
for, which will be at least for the duration of your being a patient with us and we are
legally required, by the Chiropractic regulator, to keep this data for eight years after
your time as a patient has ended. To determine that any appropriate retention period
for personal data beyond eight years we consider the amount, nature, and sensitivity of
the personal data, the potential risk of harm from unauthorised use or disclosure of your
personal data, the purposes for which we process your personal data and whether we
can achieve those purposes through other means and the applicable legal requirements.
Once we no longer have a lawful use for retaining your information, we will dispose of it
in a secure manner than maintains data security.
In some circumstances we may anonymise your personal information so that it can no
longer be associated with you, in which case we may use such information without
further notice to you.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current.
Please keep us informed if your personal information changes during your time as a
patient with us.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on
• the right of access. You have the right to access the data that we hold on you. To
do so, you should make a subject access request. Find out how to do this from
• the right for any inaccuracies to be corrected. If any data that we hold about you
is incomplete or inaccurate, you can require us to correct it.
• the right to be informed. This means that we must tell you how we use your data,
and this is the purpose of this privacy notice. We also must inform you of any
changes to how we use your data.
• the right to have information deleted. If you would like us to stop processing your
data, you have the right to ask us to delete it from our systems where you believe
there is no reason for us to continue processing it.
• the right to restrict the processing of the data. For example, if you believe the
data we hold is incorrect, we will stop processing the data (whilst still holding it)
until we have ensured that the data is correct.
• the right to portability. You may request transfer the data that we hold on you for
your own purposes.
If you want to access your data, review, verify or correct your data, request we erase
your personal information, object to the processing of your personal data, or request
that we transfer a copy of your personal information to another party, please contact
the relevant in house practitioner or clinic manager in writing for the attention of the
You will not have to pay a fee to access your personal information (or to exercise any of
the other rights). However, we may charge a reasonable fee for a second or subsequent
copy of information or if your request for access is clearly unfounded or excessive.
Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity
and ensure your right to access the information (or to exercise any of your other rights).
This is a security measure to ensure that personal information is not disclosed to any
person who has no right to receive it.
Right to withdraw consent
Where you have provided consent to the collection, processing and transfer of your
data, you have the right to withdraw that consent at any time. There will be no
consequences for withdrawing your consent. However, in some cases, we may continue
to use the data where so permitted by having a legitimate legal reason for doing so.
To withdraw consent, contact the clinic manager on duty or Sando Ayad the director.
Making a complaint
If you have any questions about this Privacy Notice or how we handle your information,
please contact the Clinic’s Data Protection manager Robert Griffiths. He can be contacted on
firstname.lastname@example.org or 02071682471.
You have the right to make a complaint at any time to the supervisory authority in the
UK for data protection matters, the Information Commissioner’s Office (ICO).