Please use the public key below when sending us encrypted data. We also use this key to sign all other PGP keys in use by our company. This key was minted on 17th May 2019, exactly when our company was incorporated. The key is issued to: "Physio Effect JB Ltd (NI661516) <privacy@fizjoterapia.uk>". You can also retrieve it from:
Our Web Key Directory (via the .well-known URL).
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEXN6OXBYJKwYBBAHaRw8BAQdAbjA9tCNuDklDywAkrcgyQNzcOSTap0fPtxtb
Mk+LxLO0OVBoeXNpbyBFZmZlY3QgSkIgTHRkIChOSTY2MTUxNikgPHByaXZhY3lA
Zml6am90ZXJhcGlhLnVrPohkBBMWCAAWBQJc3o5cCRCfRc8Nd8C3bQIbAwIeAQAA
jK0BAN8DVfcAQrV26EEArmFcyx8XxB2JKaVPeWL0fKdtgPPAAQCb48VewY2RD8Vu
BDz9pL7p00FMvJLwATQdlCjCjr9iAbg4BFzejlwSCisGAQQBl1UBBQEBB0A/terX
k4bRSPA/0kBnpYfUOCiuuYBTCUErFP/jOL30KQMBCAmIYQQYFggAEwUCXN6OXAkQ
n0XPDXfAt20CGwwAAHO9AP4/5LumdGiO9BoxljV7LhCmm5ShxFYPZ5ydtih+ebr8
/wEArdfjYp5ta9Xb7rWgYd4ivvaU/MmJzckasdvNMYtlLgk=
=Om4S
-----END PGP PUBLIC KEY BLOCK-----
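The two retrieval paths above (the key block and the Web Key Directory) can be checked without trusting a mail client's key lookup. The following Python is an added example, not part of this policy and not the company's own tooling: it derives the WKD lookup URLs for an address the way the WKD draft specifies (SHA-1 of the lowercased local part, z-base-32 encoded, under `/.well-known/openpgpkey/`), and it parses the armored key block printed above (embedded as sample input) to report its user IDs, algorithms, creation date, CRC result and v4 fingerprints. It uses only the standard library; the z-base-32 alphabet, the CRC-24 polynomial and the packet layout are those of RFC 4880 and the WKD draft. The page lists no fingerprint, so the values it prints are there to be compared against one obtained out of band, not asserted.

```python
import base64
import datetime
import hashlib
from urllib.parse import quote

# Armored public key block as printed on the page, embedded here as the sample input.
PAGE_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEXN6OXBYJKwYBBAHaRw8BAQdAbjA9tCNuDklDywAkrcgyQNzcOSTap0fPtxtb
Mk+LxLO0OVBoeXNpbyBFZmZlY3QgSkIgTHRkIChOSTY2MTUxNikgPHByaXZhY3lA
Zml6am90ZXJhcGlhLnVrPohkBBMWCAAWBQJc3o5cCRCfRc8Nd8C3bQIbAwIeAQAA
jK0BAN8DVfcAQrV26EEArmFcyx8XxB2JKaVPeWL0fKdtgPPAAQCb48VewY2RD8Vu
BDz9pL7p00FMvJLwATQdlCjCjr9iAbg4BFzejlwSCisGAQQBl1UBBQEBB0A/terX
k4bRSPA/0kBnpYfUOCiuuYBTCUErFP/jOL30KQMBCAmIYQQYFggAEwUCXN6OXAkQ
n0XPDXfAt20CGwwAAHO9AP4/5LumdGiO9BoxljV7LhCmm5ShxFYPZ5ydtih+ebr8
/wEArdfjYp5ta9Xb7rWgYd4ivvaU/MmJzckasdvNMYtlLgk=
=Om4S
-----END PGP PUBLIC KEY BLOCK-----"""

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet used by the WKD draft
PK_ALGS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def zbase32(data: bytes) -> str:
    """z-base-32 encode, most significant bit first, right-padded to a 5-bit boundary."""
    nbits = -(-len(data) * 8 // 5) * 5
    bits = int.from_bytes(data, "big") << (nbits - len(data) * 8)
    return "".join(ZBASE32[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))

def wkd_urls(address: str) -> dict:
    """Advanced and direct WKD URLs: SHA-1 of the lowercased local part, z-base-32 encoded."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    tail = f"hu/{zbase32(hashlib.sha1(local.lower().encode()).digest())}?l={quote(local)}"
    return {"advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
            "direct": f"https://{domain}/.well-known/openpgpkey/{tail}"}

def crc24(data: bytes) -> int:  # radix-64 checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str):
    """Strip the armor, decode the radix-64 body and verify the trailing '=XXXX' CRC line."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    body = [line for line in lines[1:-1] if line and ":" not in line]  # skip armor headers
    data = base64.b64decode("".join(line for line in body if not line.startswith("=")))
    crc = [line for line in body if line.startswith("=")]
    crc_ok = crc24(data) == int.from_bytes(base64.b64decode(crc[0][1:]), "big") if crc else None
    return data, crc_ok

def iter_packets(data: bytes):  # yields (tag, body); old and new headers, no partial lengths
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:  # new-format header, RFC 4880 section 4.2.2
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: low two bits select a 1, 2 or 4 byte length
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 3]
            if n is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def inspect_key(armored: str) -> dict:
    """Summarise the user IDs and (sub)keys of a v4 public key block."""
    data, crc_ok = dearmor(armored)
    info = {"crc_ok": crc_ok, "uids": [], "keys": []}
    for tag, body in iter_packets(data):
        if tag in (6, 14):  # public key / public subkey packet
            if body[0] != 4:
                raise ValueError(f"unsupported key packet version {body[0]}")
            created = datetime.datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), datetime.timezone.utc)
            # v4 fingerprint, RFC 4880 section 12.2: SHA-1 over 0x99, two-byte body length, body
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
            info["keys"].append({"kind": "primary" if tag == 6 else "subkey", "created": created.date().isoformat(),
                                 "algorithm": PK_ALGS.get(body[5], f"algorithm {body[5]}"), "fingerprint": fpr})
        elif tag == 13:  # user ID packet
            info["uids"].append(body.decode("utf-8"))
    return info

if __name__ == "__main__":
    print(wkd_urls("privacy@fizjoterapia.uk"))
    print(inspect_key(PAGE_KEY))
```

Run as a script it prints both WKD URLs for the policy's address and a summary of the key block; a key fetched from the WKD URL should produce the same user ID and primary fingerprint as the block printed here, and the `crc_ok` flag catches a block that was damaged in transit or by copy-and-paste. Signature packets (tag 2) are walked but not verified; checking the self-signatures is left to a full OpenPGP implementation.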
Physio Effect JB Ltd (hereafter referred to as the Company, or We) has strict data protection and privacy policies in line with the Data Protection Act (DPA) 1998 and the General Data Protection Regulation (GDPR) 2018. Under data protection law You, as a Patient of Physio Effect JB Ltd, have specific rights. It is our responsibility to communicate these rights to you clearly and concisely. This Privacy Policy is designed to clarify how we handle your data.
We tried to write a privacy policy that is clear, direct, concise, transparent, intelligible & easily accessible as well as easy to understand. We keep technical jargon and legal terminology to a minimum.
This document refers to personal data, which is defined as information that relates to an identified or identifiable individual (a natural person - You - who hereafter might also be called the Patient). Our data protection and privacy policy sets out our commitment to protecting personal data (your data) and how we implement that commitment with regard to the collection and use of (your) personal data.
Physio Effect JB Ltd is required to process relevant personal data regarding Patients as part of its operation and shall take all reasonable steps to do so in accordance with this policy. Further to this, Physio Effect JB Ltd is required to process Patients' health data. The DPA 2018 defines ‘data concerning health’ as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.
Our mission is to provide you with the best physiotherapy treatment, to the best of our knowledge and skills. We are registered and regulated medical professionals. We are not in the business of processing personal data and we do not have any revenue or interests derived from processing personal data. If it were possible, we would not process personal data at all. We fully understand and acknowledge that the type of personal data we handle is in fact a "toxic asset" and that we will be liable for serious fines, regulatory action and even criminal proceedings if we mishandle our Patients' personal/health data or allow a security or data breach to happen.
We only process personal data which is necessary to provide You (our Patient) with physiotherapy treatment and only in alignment with governing law and professional standards set by our regulators. We process (obtain, record, store, update and share) personal data only - with no exceptions - in the context of providing physiotherapy treatment to our Patients. Our default position is not to collect personal data unless it is absolutely required and only if connected with the scope of the physiotherapy treatment.
All the data you have entrusted to us will be treated with the utmost confidence. It is really for our Physiotherapist's eyes only (and sometimes for admin staff too, but only if the nature of the process requires it, e.g. you have made a SAR request or your payment is being arranged by an insurance company). We might also process your data through third-party data processors, as outlined below.
The rest of this policy details what we do to minimize our exposure to the risks associated with processing personal data and at the same time maximize your data protection. If you think we could do better, please contact us. If you are unhappy with our policy, please raise a complaint. Finally, if you do not agree with our policies and refuse to provide your consent to process your health data, we unfortunately shall not provide you with the treatment.
We are Physio Effect JB Ltd, a limited liability company formed according to the provisions of "Companies Act 2006". We are registered in Northern Ireland. Our Company Number is NI661516. Our registered address is 10 Beech Heights, Belfast BT7 3LQ, United Kingdom. We do only one thing - provide physiotherapy treatment to our Patients. All treatments are provided by Mrs Joanna Kmieć, MSc, MCSP, who is a Chartered Physiotherapist and the Company Director. We do not employ anyone else. Essentially, Mrs Kmieć is a practitioner who works alone and decided to run her practice as a limited company. We operate in the private (independent) health sector and have no links to NHS or any publicly funded health providers.
A physiotherapist is a regulated profession (and also a protected professional title). The primary regulator for our Physiotherapist is the Health and Care Professions Council (HCPC). Also, Mrs Kmieć is a full, qualified member of the Chartered Society of Physiotherapy (CSP). Finally, as we process personal data, we have corporate registration with the Information Commissioner's Office (ICO). All those organizations set standards, requirements and policies that we adhere to in addition to following legal regulations. Our registrations:
HCPC (Health and Care Professions Council): registration number PH123593
CSP (Chartered Society of Physiotherapy): member number 110548
ICO (Information Commissioner's Office): ZA931885
We are responsible for using personal data and we have to follow strict rules called ‘data protection principles’. We adhere to this policy to make sure the information (personal data) is:
used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
This is a really interesting and challenging topic. We strongly believe that you should be in full control of any data you have shared with us and be able to exercise all of your rights with regard to your data to the full extent. However, our compliance with law and regulations means that you are not always in full control of your data, and we might need to deny your requests, no matter where our philosophical beliefs lie.
For instance, if you pay for your treatment using a credit card, we inevitably collect (on behalf of card processing entities) some personal information. You cannot then ask for that data to be deleted promptly, as tax, fiscal, accounting and even "bazooka grade" anti-money laundering regulations require us (and/or the entities involved in processing your payments) to store your data for a few years. We are always taking action to minimize the collection/storage of personal data on our side. In this instance, we opted to fully outsource card payments to our provider (i.e. iZettle / Paypal) and explicitly instructed our provider not to share with us any personal data acquired during payment processing. This means we can reconcile accounts just by knowing when a credit card transaction took place, correlating it with our calendar and matching the amount. As we do not need to pull personal data from the card processor, we avoid extra and unnecessary scope, which translates into better protection of your privacy. We take a similar approach everywhere the law permits it.
Under data protection law, you have plenty of rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or you, in certain circumstances.
You are not required to pay any charge to exercise your rights. If you decide to make a request, we have one month to respond to you. Please contact us at privacy@fizjoterapia.uk if you wish to make a request.
You have the right to ask us for a copy of your personal information. We have made an effort to ensure that the only personal (and health) data we hold are those directly related to the treatment provided. All that data is contained in our physiotherapy notes (which may include hyperlinks to scans or other non-textual documentation). As a principle we do not keep your data outside our (digitised or traditional paper-and-ink) physiotherapy notes.
We wrote a long, dedicated section of this policy on your right of access. An extra section was needed as there are multiple scenarios in which we provide access to your records. The most common type of request comes from solicitors, after we have provided treatment for your injuries where third-party liability is probable (e.g. accidents at work). Please continue reading to understand how we handle requests to access your data made by you or on your behalf.
You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Such a request will be handled by adding a comment to the existing physiotherapy notes. We are unfortunately unable to edit our (digitised) notes once they are locked. Our notes must be immutable. Once notes are taken and edited (usually on the same day as your appointment), they are locked and digitally signed, and cannot be altered. We can however accommodate your request by adding comments to the notes. Please note that even if notes contain erroneous data, they are a medical record and might be used as evidence in court. For that reason, we must protect them from being altered, even if they do not contain correct information. Adding your request as a comment to our notes gives your request proper visibility and provides proper tracking of the change made. The comment will be date stamped.
You have the right to ask us to erase your personal information in certain circumstances.
You have the right to object to the processing of your personal information in certain circumstances.
You have the right to ask that we transfer the personal information you gave us to another organisation, or you, in certain circumstances.
In today's world there is a complex network of professional entities (third parties, data processors) involved even in a small business like ours. This section covers how we work with third parties and under which circumstances we can share your data.
We might share your personal and medical data with other medical professionals. For example:
You asked us for the information for your GP
We are referring you to another specialist or for a scan, X-ray, etc.
It would be reasonable for you to expect that a referral letter, opinion, etc. (digital or not) would contain data related to You and your treatment or symptoms. We assume your implied consent for this.
We use Google Cloud to host some of our tools and processes related to scheduling appointments. Please expect that after registering with our practice, you might receive an electronic Calendar invite. To create such an event we use:
"Physio Session" or "Physiotherapy Appointment" as the meeting subject.
Your email address (sometimes your phone number).
You are added as an "invited guest".
No meeting details are entered and the meeting is set as private.
Additionally our address, phone number and Google Company Profile are shared to help you arrive safely for your appointment.
No medical or any other data are shared with the online Calendar. The Calendar event is created to remind you about your appointment and give you the ability to verify your availability and cancel the appointment if required.
We use the Physitrack service to provide you with a homework exercise application. We share the following information with Physitrack:
Your Name
Your email address
Your year of birth (used as security question)
Physitrack is GDPR compliant. For details please check their web page here: https://support.physitrack.com/article/639-general-data-protection-regulation-gdpr
We always welcome unexpected letters from Solicitors demanding that we answer "extra urgent" (in a big red rubber stamp, font size 20) SAR requests made in the name of their Clients and our Patients. We understand that we have in the past treated Patients after accidents - sometimes very traumatic and life-impacting - and we are here to help with your request. We understand that you need a copy of our notes as evidence in court. We will work with you as our Patient's professional representative and comply with your request; however, please note:
At a minimum this means:
You are running a business (we will do an Internet and Companies House search).
You are a member of the Bar or the Law Society (we will do an Internet search).
You are ICO registered and we can find your Privacy Policy online.
You can demonstrate to us that the Patient's Personal Data can be securely shared with you.
Your request looks and feels genuine and it is highly likely that you represent our Patient. If in doubt we will try to check with our Patient whether your request is genuine.
Please understand that by doing the above we are discharging our professional duty to protect our Patient's data. If we come to the conclusion that you or your request do not meet the above conditions, we will not fulfil your request.
As a rule of thumb, we do not charge for sharing existing medical records - provided it is your first request to do so. If you make repeated requests for the same data, please expect to be charged - please appreciate that our time is not free. We will share existing medical records electronically, using strong cryptography, for no fee. We expect that you can receive secure e-mail (e.g. using the Pretty Good Privacy / GPG standard).
Otherwise, you must cover in advance our costs:
£50 for sharing existing medical records in print. This is a reasonable cost to cover the burden of arranging a secure courier service and the cost of laser printing. We strongly discourage you from requesting a printed copy of medical records. Laser printing is very bad for the environment, and we should all be protecting our planet and not producing unnecessary paper waste.
£120 for a medical report (or any newly created medical record, e.g. an opinion). Please note that we will only put in writing our impartial opinion, based on our medical expertise and the facts we gathered when treating the patient. It is not possible to discuss with us the content, thesis or outcomes of our medical report.
We are a micro-business and we prioritise our patients' care. All administrative tasks are a secondary burden for us. While we aim to comply with your request within 14 days of receiving a valid and legally binding request, our service standards (and the governing law) require us to send you a response within one month. We appreciate your understanding.
We request that you provide us with a public PGP encryption key for your email address to facilitate cryptographically strong encryption of the medical records to be sent. As per Information Commissioner's Office guidance, we use end-to-end email encryption to adequately protect sensitive personal information (i.e. medical data) in transit. Please acknowledge that we will not send you any medical records unless you demonstrate to us that you can receive end-to-end encrypted emails by providing us with a PGP public key. The governing privacy law does not allow emailing medical records unencrypted. Please do not try to convince us otherwise; we both have professional standards and are in regulated professions. We use free, no-cost, open-source PGP / GPG software (which has been the de facto standard for over 30 years) to facilitate cryptographically strong encryption that meets the requirement of "adequate protection". It enables both parties to the communication to remain compliant with privacy law. Additionally, we do not charge a "reasonable administrative fee" to provide medical records via PGP encrypted email.
This Privacy Policy/Notice has been created by Physio Effect JB Ltd. Any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with express written permission from Physio Effect JB Ltd, distribute or commercially exploit the content of this document. Nor may you use it on any other website or in a printed form.
If you have any concerns about our use of your personal information, you can make a complaint to us at privacy@fizjoterapia.uk. You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Thank you for reading our Privacy Policy in full. Please share any comments with us using our Social Media accounts or via email.