Last updated: December 11, 2018
We pride ourselves on the attention and care given as part of our clients' service and aim to do the same with patient data. Our number one data protection priority is that the confidential health information held internally is handled and protected with the greatest care and respect possible.
This document (dated 16th May 2018) aims to outline the practices, intentions and processes of Health Optimising (UK) Ltd with regards to data storage & processing in a fully transparent and coherent manner.
By producing this document, we are setting out how we comply with the General Data Protection Regulation (GDPR), which takes effect on 25th May 2018. This law aims to protect the personal data of consumers in an increasingly digital world and to help them better understand how companies use their personal data internally.
If you have any questions, queries or concerns about anything mentioned in this document, or anything else relating to the storage of data at Health Optimising (UK) Ltd, then please don't hesitate to get in touch with us (http://www.healthoptimizing.com/contact.html) and we will put you in contact with our Data Protection Officer (DPO) to do our best to help you.
We may change this privacy notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We encourage you to check this privacy notice for changes whenever you visit our website – www.healthoptimizing.com.
Our policy document will go through:
As part of our daily process for our clinical services, we need to process personal information about our clients to support an efficient administration process and perform our Health Optimising (UK) Ltd services.
The usage of our products and services:
We’ll collect personal information from the following general sources:
We’re unable to provide you with our products or services if you do not provide certain information to us. In cases where providing some personal information is optional, we’ll make this clear.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the GDPR. Every member of staff who works for a Health Optimising (UK) Ltd clinic has a legal obligation to keep information about you confidential.
The primary reason for processing personal details is efficient administration: onboarding a new client, engaging with and managing existing clients, and offboarding inactive or outgoing patients. An incomplete health picture may result in less effective assessment and treatment, which is why it is important that we process such information to support an accurate assessment and an effective health protocol. Storing previous appointment notes, reports, prescriptions and other relevant information across a patient's lifetime at the clinic also enables us to keep track of a patient's progress over time and provides context for future treatments.
We use your personal data, including any of the personal data listed in section 1 above, for the following purposes:
Data stored on paper is stored under lock and key in a highly secure place within the Health Optimising (UK) Ltd building.
Data stored digitally is currently stored in our highly secured IT systems.
All patient data are stored in our systems for 5 years after the year ends, or until a patient submits a takedown request for their data by contacting us or our Data Protection Officer.
Patient data may be kept for as long as we need them to perform our clinical services, but they will be reviewed every 5 years and all unnecessary files will be deleted in a secure manner.
In the event that a patient dies, their data will be removed immediately upon receipt of notification of their death by a next of kin or another contact.
We're based in Norway and other countries all around the world. If you are an EU client, your personal information may sometimes be transferred outside the European Economic Area. If we do so, we'll make sure that suitable safeguards are in place, for example by using approved contractual agreements, unless certain exceptions apply.
Existing clients of Health Optimising (UK) Ltd who receive e-communications will be sent a GDPR notification email which lets them opt out should they wish to do so. Existing patients of Health Optimising (UK) Ltd who have opted out of e-communications and/or EasyPractice will have been asked to double-check and sign a new consent form in-clinic.
Visitors are notified when they visit our website that we use cookies to track their usage anonymously and thereby measure user behaviour in Google Analytics. They are not required to opt in, but they can block our website from collecting such information through their web browser's privacy and security settings.
The GDPR sets the age at which a child can give their own consent to this processing at 16. If a child is younger, we will need to obtain consent from a person holding 'parental responsibility'.
If the client is not able to consent, then his or her guardian shall sign the explicit consent form.
Where we’re relying upon your consent to process personal data, you can withdraw this at any time by contacting us.
We need to know your personal, sensitive and confidential data in order to provide you with the best Health Optimising (UK) Ltd services.
Under the General Data Protection Regulation we will be lawfully using your information in accordance with:
We may share information with the following third parties for the purposes listed above:
Access to your personal information
Data Subject Access Requests (DSAR): You have a right under data protection legislation to request access to view, or to obtain copies of, the information Health Optimising (UK) Ltd holds about you, and to have it amended should it be inaccurate. To request this, you need to do the following:
All of the data we store belongs to the patient or user in question, who is therefore entitled to submit a change request. If any of your details change or are inaccurate, you should tell us so that we can update our records. This can be done by email to us or to our Data Protection Officer (see contact information at the bottom of this document). The change request should clearly state the type of data to be changed and the new content, along with basic details such as your name and contact information. Examples include changing a name, an address or a telephone number.
These requests can be made free of charge unless they are deemed unfounded or excessive by the Data Protection Officer and executive team of Health Optimising (UK) Ltd. We must comply with these requests within 30 days of acknowledging receipt of a request.
All of the data we store belongs to the patient or user in question, who is therefore entitled to submit a takedown request to have their data removed from our paper and digital systems.
Please note that in doing so, a patient could jeopardise any future involvement they have with Health Optimising (UK) Ltd or other clinics by losing valuable clinical and diagnostic information. The loss of this information is permanent and irreversible.
This can only be done by submitting a clear, well-written email to us or to our Data Protection Officer (see contact information at the bottom of this document) stating your personal details, the extent of the takedown (i.e. which data) and, if possible, the reasoning behind the request.
Confirmation of a successful takedown will then be sent to the client in question upon completion, along with an assurance that their email address will no longer be stored in our internal systems and that communication will cease from that point on.
These requests can be made free of charge unless they are deemed unfounded or excessive by the Data Protection Officer and executive team of Health Optimising (UK) Ltd.
We must comply with these requests within 30 days of acknowledging receipt of a request.
Please note that we work to keep the likelihood of a data breach as low as possible, but no system can rule one out entirely. We are constantly developing our information security to maintain the protection of your personal data and reduce the risk of a data breach to a minimal level.
Our policy on handling data breaches is fully compliant with the GDPR. Under the GDPR, this includes notifying the relevant supervisory authority within 72 hours of becoming aware of a breach, and informing the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Any complaints with regards to our handling, storing and sharing of patient data within the clinic, whether this is on paper or digitally, are handled by our Data Protection Officer (DPO).
Please email our Patient Service Team (firstname.lastname@example.org) who will liaise with our DPO to do our best to help you.
They will review all complaints and decide on the best person to forward them to if additional information or detail is required from our technology consultant and/or partners. Otherwise, they will provide a response in a timely manner, within our business hours.
If a complaint requires managerial input, it will be passed to the relevant Clinic Manager to review and discuss with our executive team.
If you have any questions, queries or concerns about anything mentioned in this document, or anything else relating to the storage of data at Health Optimising (UK) Ltd, then please don't hesitate to get in touch with our Patient Service Team (email@example.com) who will liaise with our Data Protection Officer (DPO) to do our best to help you.