1. General Information

This privacy notice tells you what to expect us to do with your personal information when you contact us or use one of our services

As part of the services we offer, we are required to process personal data about our patients (service users) and, in some instances, the friends or relatives of our service users.  “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

Zest AHP Limited may change its Privacy Policy from time to time and any amended version will be available to view on our website https://zestpodiatry.co.uk/terms-conditions-of-business/.

1.1 Contact details

Zest AHP Limited is the controller for the information we process, unless otherwise stated. 

Our Data Protection Officer is Victoria North and you can contact her at reception@zestpodiatry.co.uk or via our postal address. Please mark the envelope ‘Data Protection Officer’.

You can contact us at: Zest AHP Ltd, 272 Abingdon Road, Oxford, OX1 4TA

1.2 How do we get information?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

• You are a private patient, where you have self referred to us for podiatry or physiotherapy treatment
• You are an NHS patient, where we provide podiatry services in partnership with the NHS.

We may monitor and record communications with you, such as telephone conversations and emails, for quality, training and compliance purposes.

We also receive personal information indirectly, in the following scenarios:

• You are an NHS patient that has been referred to our services by your GP practice.

We will only use your personal information for the purpose(s) for which we have obtained it.  We may process your information without your knowledge or consent where this is required by law.

1.3 Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We will not transfer any of your information to a separate organisation or individual outside of the EU.

In some circumstances we may be legally obliged to share information e.g. court order.

We use third parties to provide elements of services for us, such as orthotic labs. We have contracts in place with these third parties. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

1.4 Your information protection rights

Under information protection law, you have rights we need to make you aware of. The rights available to you depend on the reason for processing your information.

• Right to be informed: organisations must tell individuals what information is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
• Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
• Right of rectification: individuals have the right to correct information that is inaccurate or incomplete.
• Right to be forgotten: in certain circumstances, individuals can ask for the information an organisation holds on them to be erased from their records.
• Right of portability: individuals can request that organisation transfer any information that it holds on them to another company.
• Right to restrict processing: individuals can request that an organisation limits the way it uses personal information.
• Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
• Right related to automated decision-making including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.

You have the right to obtain information from us as to whether we are processing your personal information and if we are, to request a copy of the personal information we hold about you.  If you wish to request a copy of the information we hold, please do this via reception@zestpodiatry.co.uk.   We will do our best to respond to your request within 28 days.

Where you have provided consent for us to process your personal information, please note that you have the right to withdraw this consent at any time.

1.5 Complaints

We aim to meet the highest standards when collecting and using personal information, however if you have any complaints or concerns about any aspect of this privacy policy and the ways in which we obtain, store, manage or destroy personal information, then please contact us via reception@zestpodiatry.co.uk

Alternatively, you can raise an issue, if you feel we have in any way handled your personal information unfairly or inappropriately, with the Information Commissioner’s Office. Further details on GDPR and information protection laws can also be found at the ICO website, https://ico.org.uk/global/contact-us/.

1.6 Security

The protection of privacy and confidentiality are given the highest priority, with all personal information being collected, held and used in strict compliance with the Data Protection Act 2018 and the General Information Protection Regulations (GDPR) 2018.

Information is retained in secure electronic and paper records and access is restricted to those who need to know.  It is important that your information is kept safe and secure to protect your confidentiality.  There are a number of ways in which your privacy is shielded:

• By removing your identifying information.
• By using an independent review process.
• By adhering to strict contractual conditions.
• By ensuring strict sharing or processing agreements are in place.
• By managing who has access to what information (user access controls).

Our staff have a common law and contractual duty of confidentiality to protect your information.

2. What information do we hold?

2.1 You as a patient

As providers of health care services, we have a legal duty to collect and process information relating to the creation of medical records.

We only hold information that is relevant to your care and treatment. This may include:

• Basic details such as name, address and contact details.
• Details of contact we have had with you throughout your treatment with us.
• Financial details e.g.  details of how you pay for your care or your funding arrangements.
• Professional information e.g.job title, if relevant to your care and treatment.
• Details of the services you have accessed.
• Treatment notes and reports about your health and any treatment you have received.
• Your feedback and treatment outcome information.
• Information surrounding complaints and incidents which may have arisen.
• Recordings of calls, inbound and outbound.
• Any other personal information we collect in the course of providing our services or in the course of operating our business.

2.2 What do we do with your information?

We collect personal information about you which will be used to support the delivery of appropriate, high quality care and treatment and provide a medical diagnosis.  

In general, we use your information to provide our services to you, including:

• To help inform decisions that we make about your care.
• Ensure your treatment is safe and effective.
• Record keeping and administration purposes.
• To safeguard children and vulnerable adults.
• To plan our services to ensure we can meet future needs.
• To review care provided to ensure it is of the highest possible standard.
• To train health care professionals.
• For research and statistical analysis.
• Providing you an opportunity to complete a satisfaction survey.
• Process and respond to complaints, concerns or incidents.
• Comply with other legal, professional or regulatory obligations imposed on us.
• Audit our services.

We may use third parties to help provide you with care and treatment. For example, Physitrack which is a digital exercise and rehab tool.  

2.3 Lawful basis for processing

Although we will always seek your consent for the medical treatment itself, this is entirely separate from our data protection obligations. We rely on the following legal reasons for processing your personal information:

• Consent: We will tell you how your information will be used and seek your consent, where it can be freely given.
• Contractual necessity: We will process your personal information when it is necessary to perform a contract e.g. where we provide services to you that are funded by the NHS. 
• Legal obligation: We will process your personal information when it is necessary to comply with a legal or regulatory obligation
• Legitimate interests: We will process your personal information when we or a third party have a legitimate interest in processing it and is not overridden by your own interests or fundamental rights or freedoms.
• Perform a public task: For NHS patients the processing is necessary for the performance of a task carried out in the public interest.

Information pertaining to your health is classified as ‘special category information’.  We will process this information on the basis that it is necessary for medical diagnosis, the provision of health care services and historical research purposes or statistical purposes. More information at Health and Social Care Act 2012

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

·   You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses)

·   We have a legal requirement to collect, share and use the data

·   The public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).

2.4 Sharing your health record

We will not disclose any health information to third parties unless there are specific circumstances as outlined below:

• To provide the best possible care, it may be necessary to share your health information with others. For example, with your GP, a consultant or the hospital which treats you. We will discuss this with you and seek your consent.
• We will make it clear if we are providing a service as part of a multi-agency team or partnership where we may be required to share your health information with the lead organisation.
• We may need to share limited and more general information as part of the contractual arrangements with the NHS or your employer (if they are funding the treatment).
• In exceptional situations, we may need to share information without your consent if:

          – it is in the public interest – for example, there is a risk of death or serious harm.
          – there is a legal need to share it – for example, to protect a child under the Children Act 1989.
          – a court order tells us that we must share it.
– there is a legitimate enquiry from the police for information related to a serious crime.

• Business Transfers. If we sell or merge or business, we may disclose your information as part of that transaction, only to the extent permitted by law and with your knowledge 
• Compliance with laws. We may collect, use, retain and share your information if we are legally required to

ZestAHP Limited will always do its best to notify you of this sharing.

2.5 How long do we hold your health records 

As a Healthcare organisation we have a legal and regulatory obligation for health care records to be kept for a minimum period of time.  We will typically keep your information for a period of 8 years after the end of your care.

Where we have treated children, we retain their records until the young person reaches the age of 25 years.

Following the 8 year period, we will then dispose of the information held by us securely e.g.shredding paper records or wiping hard drives to legal standards of destruction.

For NHS patients only:

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

3. National Data Opt-Out

The national data opt-out gives everyone the ability to stop health and adult social care organisations (CQC registered providers) from sharing their confidential patient information for reasons other than providing their individual care and treatment. 

We review our data processing on an annual basis to assess if the national data opt-out applies. If any data that we process falls within scope of the National Data Opt-Out we will work with our NHS partner, Oxford Health. They will use MESH to check if any of our service users have opted out of their data being used for this purpose.

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

 4. Friends/Relatives

4.1 What data do we have?

As part of our work providing high-quality care and support, it might be necessary that we hold the following information about friends or relatives of the patients.

This may include:Your basic details and contact information e.g.name, address, contact details including telephone and email address

4.2 Why do we have this data?

By law, we need to have a lawful basis for processing your personal data.

We process this data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service.  

If we need to process your data, we will do so with your consent.

5. Our Website

Our site uses cookies, which are small text files that are placed on your machine, to help the site provide a better user experience. The purpose for implementing cookies is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. 

We also use analytics, to collect standard internet log information and details of visitor behaviour patterns.

Lawful basis for processing

We rely on the following legal reasons for processing your personal information:

• Consent: We require your consent for the optional cookies we use.
• Legitimate interests: We will process your personal information when we have a legitimate interest in processing it. For example, in order to maintain the integrity of our IT systems and the continuity of our business.

Appendix 1 – Access to Health Records

Each time you are seen by one of our clinicians, we record what you tell us and what we discuss so that our health care professionals can plan your future care. Clinic visits, operations, tests and investigations are documented in your health record, alongside copies of all correspondence relating to your care. We also hold your personal information such as your name, address, gender, next of kin and ethnic origin.

Confidentiality

Your health record is kept confidential at all times and is only shared with staff when it is necessary for them to carry out their job. All staff are required to work to strict professional and contractual codes of confidentiality and, where possible, we will anonymise information so that individual patients cannot be identified. The only time information will be shared to outside organisations is if they are directly involved in your care, for instance, your GP, social worker, community nurses or hospital.

Requesting access to your health records

If, for any reason, you would like access to your medical records held byZest AHP Limited, you can do so by contacting:

Victoria North

‘Data Protection Officer’.

Zest AHP Ltd, 272 Abingdon Road, Oxford, OX1 4TA

When Will the Information Be Released

The Organisation will deal with your request promptly, and in any event the records will be sent to you within 30 days of receipt of your accurately completed request. If we encounter any difficulties in locating your data we will keep you informed of our progress via the online portal.

Amending Information Within Your Record

Individuals do not have a right to have professional opinions or judgements deleted from the record, unless the entry is factually incorrect e.g. the notes on your record relate to a different patient. However, if you disagree with any content within your record, you can ask to have a statement added to reflect your opinions. You are entitled to a copy of what has been added.

Version: 2  Updated: 14/02/20225