1.1 We provide medical preventative, diagnostic and rehabilitative treatment for sports and orthopaedic injuries. We have clinics in London and across Italy. Our clinics share information about patients, including between the UK and Italy.
1.2 Isokinetic has a duty to protect your privacy and we take this extremely seriously. We are fully committed to dealing with your personal data (Data) in a professional and caring way. Protecting your rights is at the heart of our culture and built into all of our processes.
2.1 Because we are operating out of both the UK and Italy, we are subject to the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), including any amending legislation, which applies to all countries in the EEA, when we collect and process your Data.
2.2 This privacy notice (Notice) explains how we process your Data. Data is anything which identifies you, either directly or indirectly, and includes names, contact information, information about your location, your health, complaints, employee files and criminal offence information.
2.3 Included in this Notice are the lawful bases on which we process your Data, the different categories of Data we collect and the purposes for which we do that, your rights, who we share your Data with, the circumstances in which we transfer it to other jurisdictions, and what you can do if you’re unhappy with the way your Data or a complaint has been handled.
2.4 This Notice is relevant to you if you are thinking about using our services, are receiving or have received treatment, are applying to work for us or are in our employment, or if you give us any other sort of personal information.
3.1 If you have any questions, or if there is anything in this Notice which you don’t understand or would like us to explain further, you can contact us at dpo.london@isokinetic.com if you are based in the UK or receiving primary treatment from our UK clinic, or privacy@isokinetic.com if you are based in the EEA or receiving primary treatment from our Italian clinics.
3.2 Our London office is the controller of your Data if you are based in or receiving treatment in the UK. Our headquarters in Italy is the controller of your Data if you are based in or receiving treatment in Italy, or elsewhere in the EEA.
4.1 Below are the categories of Data we hold and process, and in each case the purpose for which we do that. Please note that references to ‘Employees’ include temporary and permanent staff, contracted workers whether engaged directly or indirectly by us and consultants.
CATEGORY | PURPOSE |
CCTV footage | To protect people and property |
Complaints | To deal with any complaints by a patient in respect of their care |
Contact details for marketing purposes | To provide patients or third-parties with information about products, services and upcoming events |
Disability-related reasonable adjustments relevant to job applicants | To provide job applicants with disability-related adjustments during recruitment |
Employee bank details | To ensure recorded payments can be made in respect of staff salaries and remuneration and for tax, legal and regulatory compliance |
Employee criminal record checks | To ensure that staff are fit and proper to hold their roles |
Employee health and disability-related information | To provide employees with disability-related adjustments |
Employee performance, disciplinary and absence records, references and other employee information | To oversee and administer the day-to-day employment of staff. This includes but is not limited to contract terms, legislation, regulation, career progress, disciplinary action, performance, remuneration reviews and complaints, and sickness leave |
Incoming telephone call recordings | For training, quality monitoring, and to ensure complaints may be handled effectively |
Job applicants’ CVs and passports | To assess the suitability of job applicants |
Monitoring and ensuring customer care levels in accordance with regulatory requirements | To comply with our legal governance duty to ensure that the levels of care we provide are adequate |
Monitoring and ensuring patient satisfaction with treatment and care. Inspections. | To comply with our legal governance duty to understand patient satisfaction around the care we provide |
Patient payment records | To process payment for treatment. (We may also retain records for tax and statutory purposes) |
Patient treatment and health information | To fulfil our contract and provide treatment |
Potential patient enquiry information (enquiry made on behalf of someone else) | To understand whether treatment would be appropriate, suitable and available |
Potential patient enquiry information (enquiry made on your own behalf) | To understand whether treatment would be appropriate, suitable and available |
Research | For training and research purposes to ensure ongoing quality of our service and that it is aligned with our practice ethos, and to establish and share experiential information about novel practice or new information which has become apparent through practice |
CATEGORY | LAWFUL BASIS |
CCTV footage | Lawful basis: Legitimate interest (protection of people and property). Additional condition: Substantial public interest/preventing or detecting unlawful acts. |
Complaints | Lawful basis: Compliance with legal obligations (Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014). Additional condition: Providing health or social care. |
Contact details for marketing purposes | Lawful basis: Consent. Additional condition: Consent. |
Disability-related reasonable adjustments relevant to job applicants | Lawful basis: Contract of employment. Additional condition: Occupational medicine and assessing an employee’s capacity. |
Employee bank details | Lawful basis: Contract of employment. |
Employee criminal record checks | Lawful basis: Contract with data subject. Additional condition: Employment, social security and social protection law. |
Employee health and disability-related information | Lawful basis: Contract with data subject. Additional condition: Occupational medicine and assessing an employee’s capacity. |
Employee performance, disciplinary and absence records, references and other employee information | Lawful basis: Contract of employment. |
Incoming telephone call recordings | Lawful basis: Consent. Additional condition: Consent. |
Job applicants’ CVs and passports | Lawful basis: Legitimate interest (meeting staffing needs). |
Monitoring and ensuring customer care levels in accordance with regulatory requirements | Lawful basis: Compliance with legal obligations (Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014). Additional condition: Providing health or social care. |
Monitoring and ensuring patient satisfaction with treatment and care. Inspections. | Lawful basis: Compliance with legal obligations (Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014). Additional condition: Providing health or social care. |
Patient payment records | Lawful basis: Contract with data subject. Additional condition: Provision of health and social care. |
Patient treatment and health information | Lawful basis: Contract with data subject. Additional condition: Provision of health and social care. |
Potential patient enquiry information (enquiry made on behalf of someone else) | Lawful basis: Legitimate interest (standard practice in initial communications with certain groups of people, e.g. children). Additional condition: Provision of health and social care. |
Potential patient enquiry information (enquiry made on their own behalf) | Lawful basis: Contract with data subject. Additional condition: Provision of health and social care. |
Research | Lawful basis: Legitimate interest. Additional condition: Research purpose. |
6.1 We process your Data electronically and manually, and store it digitally and physically.
6.2 For patients who started or start treatment after July 2022, we have a digital file, which only Employees who are directly involved in providing care or the administration of the contractual relationship have access to. Digital files are held on a database to which our London and Italian offices have access. Non-sensitive and sensitive Employee Data is kept in separate digital files on the database. For patients who began treatment before July 2022, we also maintain physical files (in the relevant local office), with access limited in both cases to Employees (which may include contractors) who require the Data to perform their functions.
7.1 We are required by law to keep certain sorts of Data for a designated length of time. Where there is no legal retention period, we hold Data until we have achieved the purpose for which we process it.
7.2 For the retention periods relevant to our UK practice, please contact dpo.london@isokinetic.com for a copy of our UK Data Retention Policy. For the retention periods relevant to our Italian practice, please contact privacy@isokinetic.com.
8.1 We may share Data relating to your treatment with our head office, including our teaching and research facility (and any processor contracted to manage our IT system).
8.2 At your request, and with your consent, we may share your Data with another medical practitioner involved in your treatment, with your insurers, with family members, and with your legal representative.
8.2 Certain Data about Employees may be shared with insurers.
8.3 We do not share information about job applicants.
8.4 In the case of a suspected offence, CCTV footage may be shared with the police.
9.1 We transfer patient Data from our UK to our Italian head office and teaching and research centre. Data is not transferred from any of our Italian offices to our London office.
9.2 With a patient’s consent, we may transfer Data relating to their treatment to a medical practitioner who is based in another jurisdiction. If this is within the EEA, or a country which the UK and the European Commission consider to provide adequate and equivalent levels of protection for Data, we request that the patient consents to our sharing their Data. If the transfer is to a country which the UK or the European Commission does not consider to provide adequate safeguards (as the case may be), we draw patients’ attention to the additional data protection risks when seeking their consent.
9.3 If your insurer or legal representative is outside of the country in which you are receiving treatment, we may ask for your consent to share your Data.
10.1 The UK GDPR and the EU GDPR provide a number of rights in respect of your Data. You can contact us to exercise any of these rights, and we will deal with your request as quickly as possible, but always within a month. We may ask you to confirm your identity. In most cases, complying with your request should be straightforward and free, and we will inform you once we have. Very occasionally, we may not be able to deal with your request in the way you have asked. Where that is the case we will tell you why we can’t comply with your request. You can exercise any of your rights by contacting us at dpo.london@isokinetic.com for the UK, and privacy@isokinetic.com for Italy.
10.2 The Right to see the Data We Hold About You
You have the right to ask us to provide you with copies of Data we hold about you. This is called a Data Subject Access Request (DSAR).
10.3 The Right to Request We Erase Your Data
The UK GDPR and the EU GDPR give you the right to request the erasure of your Data. However, there are some cases in which it will not be possible for us to erase your Data. These include Data relating to a medical diagnosis, and the provision of health and social care. This means that we may not be able to erase the Data we hold if you request us to do so.
10.4 The Right to Have Incorrect Data Corrected
If you believe that we hold any incomplete or inaccurate Data about you, you have the right to ask us to correct or complete the information. We will not process your Data whilst we consider your request.
10.5 The Right to Withdraw Your Consent
If you have provided us with consent to process any of your Data, you have the right to withdraw this consent at any time, in which case we will cease that processing. An example of this might be if you have given consent for us to forward details of your treatment to the doctor treating you in your home country, or for the purposes of providing you with marketing information. In the case of most other types of Data we hold about your treatment, we have a legal obligation to maintain it.
10.6 The Right to Object to Our Processing Your Data
When we rely on the lawful basis of legitimate interest to process your Data, you have the right to object to that processing. This is the case for the CCTV footage we collect in our offices, if you have applied to work for us, and in respect of Data which we use for research purposes. It is also the case for enquiries which someone else has made on your behalf: if you know or suspect that someone has made an enquiry on your behalf, or otherwise provided us with Data about you which you do not wish us to hold, you have the right to object to us processing that Data.
If you object to us processing your Data, we will cease to do so whilst we consider your request.
If you believe that the Data we hold about you is inaccurate, and ask us to rectify that Data, we will automatically cease to process your Data whilst we consider that request, so you do not have to formally object to the processing, though you are free to do so.
11.1 We do not use your Data to make automated decisions.
12.1 We may ask you if you would like to receive our monthly newsletter and other information about our services and events. We may ask you this if you are a patient, making an enquiry on behalf of a patient, a medical practitioner, or another interested third party. If you would like to receive marketing information, we will ask for your consent, which you can withdraw at any time by unsubscribing, or contacting us at privacy@isokinetic.com.
We use CCTV cameras in our London office, and our Turin office, in order to protect people and property. We rely on the lawful basis of legitimate interest, that legitimate interest being the need for our business to protect the Data we hold and the computers and storage facilities on which such Data is held, including who has access to Data, the need for our business to protect other types of property from theft, and the need for our business to protect the health and wellbeing of staff and visitors. For patients attending our office whose images are captured by CCTV, this footage will be special category Data, and so we are required to have an additional condition for processing this Data, which is that it is in the substantial public interest, specifically in order to prevent or detect unlawful acts.
When you contact one of our offices by telephone, we may record the call for training, quality monitoring, and to ensure that any complaint you may have can be handled effectively. Some of the information recorded will be special category Data, as it will refer to health (your own, or that of another person on whose behalf you are making an enquiry). We rely upon the lawful ground of consent to record incoming calls, and you will be asked to provide that consent before we speak to you. You can withdraw your consent at any time.
15.1 If you are unhappy with the way we process your Data, or with the way in which we have dealt with a request or enquiry relating to your rights in respect of your Data, you can complain to us by writing to us at dpo.london@isokinetic.com if your complaint relates to our London clinic, or privacy@isokinetic.com if your complaint relates to one of our clinics in Italy. You may also complain to the supervisory authority in the country in which you are based or where the action you wish to complain about took place within the EEA, or in the UK, with the ICO.
16.1 If you are making an enquiry on behalf of someone else, we ask you to show this Notice to the person on whose behalf you are making that enquiry, and confirm to us that they are happy for us to process their Data on the basis of its contents. We will also ask that the potential patient contacts us to confirm that they are happy for you to speak to us on their behalf. If we are unable to confirm this within two weeks of a first appointment being made, we will erase the potential patient’s Data.
16.2 If you contact us on behalf of a child under the age of 12, we do not require you to confirm that they are happy with the contents of this Notice. Nor do we ask the child to confirm that you can communicate with us on their behalf. If you are contacting us on behalf of a minor who is 13 or older, we will ask them to consent to you speaking to us on their behalf.
17.1 We use patient Data for training and research purposes, and for statistical analysis.
17.2 When we use Data for training purposes and statistical analysis, our objective is to ensure that all medical professionals working for our group clinics, wherever based, have a common approach, which reflects state-of-the-art practice, guarantees that knowhow and experiences are shared amongst our practitioners, that treatment approaches are consistent, that there is a common treatment ethos, and that treatment choices are evidence-based.
17.3 When we use Data for research purposes, that Data is anonymised or pseudonymised. We publish findings, case studies and information about novel treatments in our Isokinetic manual, as well as specialist medical publications.
17.4 Patient Data may also be shared at our conferences, with other medical professionals, in order to inform the state-of-the-art of medical practice generally, in the area of sports medicine.
17.5 Data held for research purposes is pseudonymised, which means that identifying information is removed. This pseudonymised data is held separately from other Data, and may be retained indefinitely.
17.6 We do not use children’s Data for research purposes.
18.1 We may change this Notice from time to time. Please take the time to check it regularly to ensure that you are still happy for us to deal with your Data in the way it describes.