Data Protection Policy

Contents

  1. Introduction

  2. Legal Framework

  3. ICO Registration

  4. Key Terms

  5. Core Principles of Data Protection

  6. Data Flow and Audits

  7. Transparency and Privacy Notices

  8. Assessing Data Risks (DPIAs)

  9. Working with Third-Party Processors

  10. Individual Rights Under Data Protection Law

  11. Internal Procedures for Compliance

  12. Documentation and Accountability

1. Introduction

At Zoe Davison Podiatry, safeguarding personal data is a cornerstone of our practice. This policy reflects our commitment to compliance with UK data protection laws, including the UK GDPR and the Data Protection Act 2018. We act as the data controller for all personal data processed, ensuring transparency, security, and trust for our clients and partners.

2. Legal Framework

Our data handling practices adhere to:

  • The UK General Data Protection Regulation (UK GDPR).

  • The Data Protection Act 2018 (DPA), including provisions for law enforcement (Part 3).

  • The Privacy and Electronic Communications Regulations 2003 (PECR) for electronic communications.

3. ICO Registration

Under the Data Protection (Charges and Information) Regulations 2018, Zoe Davison Podiatry is registered with the Information Commissioner’s Office (ICO). Our registration number is 00310156087, and we renew our fee annually to maintain compliance.

4. Key Terms

  • Personal Data: Information identifying a living individual (e.g., name, contact details, medical records).

  • Data Subject: The individual to whom the data relates.

  • Data Controller: Our clinic, which determines how and why data is processed.

  • Data Processor: External parties processing data on our behalf (e.g., IT providers).

  • Processing: Any action involving personal data (collection, storage, deletion, etc.).

5. Core Principles of Data Protection

We ensure all personal data is:
a) Processed lawfully, fairly, and transparently.
b) Collected only for specified, legitimate purposes.
c) Limited to what is necessary (data minimisation).
d) Accurate and kept up to date.
e) Retained no longer than required (storage limitation).
f) Secured against unauthorised access or loss (integrity and confidentiality).

Transfers outside the UK require adequacy decisions or safeguards under UK GDPR.

6. Data Flow and Audits

We conduct annual data protection audits to map how personal data moves through our practice. These audits identify risks, improve processes, and ensure ongoing compliance. Findings are reviewed yearly, or as operational changes occur.

7. Transparency and Privacy Notices

We provide clear, accessible privacy notices to clients, detailing:

  • Why we collect their data.

  • How it is used and shared.

  • Retention periods.

  • Their rights.

Notices are available on our website and in print upon request. Specific notices accompany new data collection methods or purposes.

8. Assessing Data Risks (DPIAs)

For high-risk processing (e.g., new technologies or large-scale data use), we conduct Data Protection Impact Assessments (DPIAs). If risks cannot be mitigated, we consult the ICO before proceeding.

9. Working with Third-Party Processors

All data processors must:

  • Operate under a written contract with strict UK GDPR obligations.

  • Provide guarantees for data security.

  • Act only on our documented instructions.

Processors face penalties for breaches and share direct liability under UK GDPR.

10. Individual Rights Under Data Protection Law

Data subjects (including children) have the right to:

  • Access their data (Subject Access Requests).

  • Request correction or erasure ("right to be forgotten").

  • Restrict processing or object to direct marketing.

  • Data portability (where applicable).

  • Lodge complaints with the ICO or seek legal redress.

11. Internal Procedures for Compliance

Our documented procedures cover:

  • Data breach response and reporting.

  • Data Protection by Design (embedding privacy into systems).

  • Handling data subject requests.

  • Staff training and leaver protocols.

12. Documentation and Accountability

To demonstrate compliance, we maintain records of:

  • Audit reports and risk assessments.

  • Data subject requests and disclosures.

  • Meeting minutes discussing data protection.

Review Cycle: This policy is reviewed annually or following significant legal/operational changes.