Who we are
Our website address is: https://welllife.co.uk.
What personal data we collect and why we collect it
Comments – Currently Deactivated | Last received March 2022
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
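Added illustration (not part of the original policy text): the “anonymized string” that WordPress-style comment forms send to Gravatar is a hex digest of the commenter’s e-mail address after trimming whitespace and lowercasing (MD5 historically; Gravatar also accepts SHA-256). The snippet below, written for this page rather than taken from the site, builds that hash and URL, and then shows the caveat a practitioner should attach to the word “anonymized”: because e-mail addresses have low entropy, anyone holding a list of candidate addresses can recover which ones match a published hash. The candidate list and addresses here are constructed sample data.

```python
import hashlib


def gravatar_hash(email: str, algo: str = "md5") -> str:
    """Return the Gravatar-style digest for an e-mail address.

    Gravatar's documented normalisation: strip surrounding whitespace and
    lowercase before hashing.  MD5 is what classic WordPress uses; SHA-256 is
    the newer option Gravatar also supports.
    """
    normalised = email.strip().lower()
    return hashlib.new(algo, normalised.encode("utf-8")).hexdigest()


def gravatar_lookup_url(email: str, size: int = 80) -> str:
    """URL the comment form would request.

    d=404 asks Gravatar to return HTTP 404 instead of a placeholder image when
    no account matches, which is how a site can tell whether the commenter
    'is using' the service.
    """
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=404"


def reverse_hashes(observed_hashes: list[str], candidate_emails: list[str]) -> dict[str, str]:
    """Dictionary attack against published Gravatar hashes.

    Builds a lookup table from a candidate address list and returns every
    observed hash that matched.  This is why a hash of an e-mail address is
    pseudonymous rather than anonymous: the input space is guessable.
    """
    table = {gravatar_hash(e): e for e in candidate_emails}
    return {h: table[h] for h in observed_hashes if h in table}


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    leaked_page_hashes = [
        gravatar_hash("Carol.Jones@example.org"),   # a commenter whose hash is public
        gravatar_hash("nobody-in-our-list@example.net"),
    ]
    candidates = ["alice@example.com", "bob@example.com", "carol.jones@example.org"]
    print(gravatar_lookup_url("  Carol.Jones@example.org "))
    print(reverse_hashes(leaked_page_hashes, candidates))
```

The normalisation step means different spellings of the same address collapse to one hash, which is convenient for avatar lookup but also means a single hash unambiguously identifies an account to anyone who can guess the address.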
Media
No media uploads are currently permitted on this site.
Contact forms
If you submit a query via our contact forms then your contact details are sent along with that query to our admin email account, in order that we may respond to your query. Your contact details are saved and used for this purpose only.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website directly.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Online bookings are made via the 10to8.com service, and are subject to their privacy and cookie policies. 10to8 is listed on the NHS Data Security and Protection Toolkit under code 8KL47. More information can be found at https://10to8.com/security/
Analytics
Who we share your data with
We do not share your data from online queries with any other parties, for any reason.
How long we retain your data
We retain your email query details in our archives for 5 years. Destruction of records shall be made in accordance with national legislation.
What rights you have over your data
You can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments and Contact Form queries may be checked through an automated spam detection service.
Full Data Policy Relating to In-Clinic Practices
1. Introduction
- This Data Security Policy is Well Life Physio Therapy Ltd t/a Well Life Centre’s (hereafter referred to as “us”, “we”, or “our”) policy regarding the safeguarding and protection of sensitive personal information and confidential information as is required by law (including, but not limited to, the Data Protection Act 2018, Health & Social Care Act 2012, and the Common Law duty of confidentiality).
2. Purpose
- The purpose of this document is to outline how we prevent data security breaches and how we react to them when prevention is not possible. By data breach we mean a security incident in which the confidentiality, integrity or availability of data is compromised. A breach can either be purposeful or accidental.
- This Data Security Policy covers:
- Physical Access procedures;
- Digital Access procedures;
- Access Monitoring procedures;
- Data Security Audit procedures;
- Data Security Breach procedures.
3. Scope
- This policy covers all data which we process, whether in hardcopy or digital form, including special categories of data.
- This policy applies to all staff, including temporary staff and contractors.
4. Physical Access Procedures
- Physical access to records shall only be granted on a strict ‘Need to Know’ basis.
- During their induction each staff member who requires access to confidential information for their job role will be trained on the safe handling of all information and will be taught the procedures which govern how data is used, stored, shared and organised in our organisation.
- Our staff must retain personal and confidential data securely in locked storage when not in use and keys should not be left in the barrels of filing cabinets and doors.
- The file storage room, when left unoccupied, must be locked unless all personal and confidential information has first been cleared off cabinets and secured in locked storage / filing cabinets. The patient notes cabinet in reception must be kept locked at all times, with all personal and confidential information cleared off the reception desk as soon as it has been processed, and secured in the locked cabinet.
- The Information Asset Register (IAR) will contain the location of all confidential and sensitive personal information.
- We will risk assess each storage location to ensure that the data is properly secured. This risk assessment forms part of the IAR.
- All permanent staff have access to the individual storage locations relevant to their job role.
- An audit will be completed at least annually to ensure that information is secured properly and that access is restricted to those who have a legitimate requirement to use the information. The details of this audit are set out in the Data Security Audit Procedures (section 7) below.
5. Digital Access Procedures
- Access shall be granted using the principle of ‘Least Privilege’. This means that every program and every user of the system should operate using the least set of privileges necessary to complete their job.
- We will ensure that each user is identified by a unique user ID so that users can be linked to and made responsible for their actions.
- The use of group IDs is only permitted where they are suitable for the work carried out, for example on medico-legal portals where the ID is issued to the organisation and not to an individual.
- During their induction each staff member who requires access to digital systems for their job role will be trained on the use of the system, given their user login details, and they will be required to sign to indicate that they understand the conditions of access.
- A record is kept of all users given access to the system. This record is located within the Human Resources folder on our OneDrive. Access is limited to those who have the relevant job role.
- In the instance that there are changes to user access requirements, these can only be authorised by the Data Security and Protection Lead or Data Protection Officer.
- The IAR will contain the location of all confidential and sensitive personal information which is digitally stored.
- We will follow robust password management procedures and ensure that all staff are trained in password management.
- As soon as an employee leaves, all their system logons are revoked.
- As part of the employee termination process the Data Security and Protection Lead is responsible for the removal of access rights from the computer system.
- The Data Security and Protection Lead will review all access rights on a regular basis, but in any event at least once a year. The review is designed to positively confirm all system users. Any lapsed or unwanted logons which are identified are disabled immediately and deleted unless positively reconfirmed.
- When not in use all screens will be locked and a clear screen policy will be followed.
6. Access Monitoring Procedures
- The management of digital access rights is subject to regular compliance checks to ensure that these procedures are being followed and that staff are complying with their duty to use their access rights in an appropriate manner.
- Areas considered in the compliance check include whether:
- Allocation of administrator rights is restricted;
- Access rights are regularly reviewed;
- There is any evidence of staff sharing their access rights;
- Staff are appropriately logging out of the system;
- Our password policy is being followed;
- Staff understand how to report any security breaches.
7. Data Security Audit Procedures
- Confidentiality audits will focus on controls within electronic records management systems and paper record systems; the purpose being to discover whether confidentiality has been breached, or put at risk through deliberate misuse of systems, or as a result of insufficient controls. Audits of security and access arrangements within each area are to be conducted on an annual rolling programme.
- Audits will be carried out using some or all of the following methods:
- Unannounced spot checks to random work areas;
- A series of interviews with management and staff, where a department or area of the organisation have been identified for a confidentiality audit. These audits will be carried out by the Data Security and Protection Lead;
- Review of electronic reports, including reports from care planning software and audits of care plans.
- The following checks will be made during data security audits:
- The Information Asset Register has been reviewed, updated and signed off;
- The Record of Processing Activities has been reviewed, updated and signed off;
- Failed attempts to access confidential information;
- Repeated attempts to access confidential information;
- Access of confidential information by unauthorised persons;
- Previous confidentiality incidents and actions, including disciplinary, taken;
- Staff awareness of policies and guidelines concerning confidentiality and understanding of their responsibilities with regard to confidentiality;
- Appropriate communications with service users;
- Appropriate recording and/or use of consent forms;
- Appropriate allocation of access rights to confidential information, both hardcopy and digital;
- Appropriate staff access to physical areas;
- Storage of and access to filed hardcopy service user notes and information;
- Correct process used to securely transfer personal information by post or email;
- Appropriate use and security of desktop computers and mobile devices in open areas;
- Security applied to PCs, laptops and mobile electronic devices;
- Evidence of secure waste disposal;
- Appropriate transfer and data sharing arrangements are in place;
- Security and arrangements for recording access to manual files, both live and archive, e.g. storage in locked cabinets/locked rooms;
- Appropriate staff use of computer systems, e.g. no excessive personal use, no attempting to download software without authorisation, appropriate use of social media, no attempted connection of unauthorised devices etc.
8. Data Security Breach Procedures
- In order to mitigate the risks of a security breach we will:
- Follow the Data Security Procedures;
- Ensure our staff are trained to recognise a potential data breach whether it is a confidentiality, integrity or availability breach;
- Ensure our staff understand the procedures to follow and how to escalate a security incident to the correct person in order to determine if a breach has taken place.
- In the instance that it appears that a data security breach has taken place:
- The staff member who notices the breach, or potential breach, will complete a Data Security Breach Incident Report Form without delay;
- This form will be completed and handed to the Data Security and Protection Lead or Data Protection Officer;
- The Data Security and Protection Lead will complete the rest of the Incident Report Form and conduct a thorough investigation into the breach;
- In the instance that the breach is a personal data breach and it is likely to result in a risk to the rights and freedoms of individuals, the Information Commissioner’s Office (ICO) will be informed without undue delay and no later than 72 hours after we become aware of the breach;
- As part of our report we will provide the following details:
- The nature of the personal data breach (i.e. confidentiality, integrity, availability);
- The approximate number of individuals concerned and the category of individual (e.g. employees, mailing lists, service users);
- The categories and approximate number of personal data records concerned;
- The name and details of our Data Security and Protection Lead or Data Protection Officer;
- The likely consequences of the breach;
- A description of the measures taken, or which we will take, to mitigate any possible adverse effects.
- The Data Security and Protection Lead will inform any individual that their personal data has been breached if it is likely that there is a high risk to their rights and freedoms. We will inform them directly and without any undue delay;
- A data security breach must be marked on the IAR and will prompt an audit of all processes in order to correct any procedure which led to the breach;
- A record of all personal data breaches will be kept including those breaches which the ICO were not required to be notified about.
9. Responsibilities
- Lotoya Neil is responsible for physical security;
- Dawn Calder-Murphy is responsible for updating and auditing the IAR and ROPA;
- Dawn Calder-Murphy is responsible for digital access;
- Lotoya Neil is responsible for managing breaches;
- Dawn Calder-Murphy is responsible for data security audits.
Last Reviewed: March 2023
Next Review: March 2024