Data Protection Policy
Contents
Introduction
Legal Framework
ICO Registration
Key Terms
Core Principles of Data Protection
Data Flow and Audits
Transparency and Privacy Notices
Assessing Data Risks (DPIAs)
Working with Third-Party Processors
Individual Rights Under Data Protection Law
Internal Procedures for Compliance
Documentation and Accountability
1. Introduction
At Zoe Davison Podiatry, safeguarding personal data is a cornerstone of our practice. This policy reflects our commitment to compliance with UK data protection laws, including the UK GDPR and the Data Protection Act 2018. We act as the data controller for all personal data processed, ensuring transparency, security, and trust for our clients and partners.
2. Legal Framework
Our data handling practices adhere to:
The UK General Data Protection Regulation (UK GDPR).
The Data Protection Act 2018 (DPA), including provisions for law enforcement (Part 3).
The Privacy and Electronic Communications Regulations 2003 (PECR) for electronic communications.
3. ICO Registration
Under the Data Protection (Charges and Information) Regulations 2018, Zoe Davison Podiatry is registered with the Information Commissioner’s Office (ICO). Our registration number is 00310156087, and we renew our fee annually to maintain compliance.
4. Key Terms
Personal Data: Information relating to an identified or identifiable living individual (e.g., name, contact details). Medical records are special category data and require an additional lawful condition under Article 9 of the UK GDPR before they can be processed.
Data Subject: The individual to whom the data relates.
Data Controller: Our clinic, which determines how and why data is processed.
Data Processor: External parties processing data on our behalf (e.g., IT providers).
Processing: Any action involving personal data (collection, storage, deletion, etc.).
5. Core Principles of Data Protection
We ensure all personal data is:
a) Processed lawfully, fairly, and transparently.
b) Collected only for specified, legitimate purposes.
c) Limited to what is necessary (data minimisation).
d) Accurate and kept up to date.
e) Retained no longer than required (storage limitation).
f) Secured against unauthorised access, loss or damage (integrity and confidentiality).
g) Handled in a way that allows us to demonstrate compliance (accountability).
Transfers outside the UK are made only where an adequacy decision applies or appropriate safeguards are in place under the UK GDPR.
6. Data Flow and Audits
We conduct annual data protection audits to map how personal data enters, moves through and leaves our practice. These audits identify risks, improve processes, and ensure ongoing compliance. Findings are reviewed annually, or sooner when operational changes occur.
7. Transparency and Privacy Notices
We provide clear, accessible privacy notices to clients, detailing:
Why we collect their data.
How it is used and shared.
Retention periods.
Their rights.
Notices are available on our website and in print upon request. Specific notices accompany new data collection methods or purposes.
8. Assessing Data Risks (DPIAs)
For processing likely to result in a high risk to individuals (e.g., introducing new technologies or large-scale use of health data), we conduct Data Protection Impact Assessments (DPIAs) before the processing begins. If the residual risk cannot be reduced to an acceptable level, we consult the ICO before proceeding.
9. Working with Third-Party Processors
All data processors must:
Operate under a written contract with strict UK GDPR obligations.
Provide guarantees for data security.
Act only on our documented instructions.
Processors face penalties for breaches and share direct liability under UK GDPR.
10. Individual Rights Under Data Protection Law
Data subjects (including children) have the right to:
Access their data (Subject Access Requests).
Request correction or erasure ("right to be forgotten").
Restrict processing or object to direct marketing.
Data portability (where applicable).
Lodge complaints with the ICO or seek legal redress.
11. Internal Procedures for Compliance
Our documented procedures cover:
Data breach response and reporting, including notifying the ICO without undue delay and within 72 hours of becoming aware of a breach that is likely to pose a risk to individuals, and informing the affected individuals where that risk is high.
Data Protection by Design (embedding privacy into systems).
Handling data subject requests.
Staff training and leaver protocols.
12. Documentation and Accountability
To demonstrate compliance, we maintain records of:
Audit reports and risk assessments.
Data subject requests and disclosures.
Meeting minutes discussing data protection.
Review Cycle: This policy is reviewed annually or following significant legal/operational changes.