Privacy Notice

A - General and cross-cutting framework

I. On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as the GDPR or the Regulation, entered into force.

Our aim is to give an overview of how personal data is collected and processed by the ORDEM DOS FISIOTERAPEUTAS and to indicate the rights of the data subject under the terms of the GDPR.

The Regulation establishes the rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The personal data being processed and how it will be used depends essentially on the scope and purpose of the request.

Thus, the ORDER OF PHYSIOTHERAPISTS provides all relevant information under the terms of the Regulation, and all additional information that may be justified.

The ORDER OF PHYSIOTHERAPISTS ensures the processing of Personal Data with the strictest respect for individual rights and the legal regime.

The processing of Personal Data is carried out to the extent necessary to pursue the core activity of the ORDEM DOS FISIOTERAPEUTAS, specifically the data subject's relationship with it and the maintenance of a high standard of quality.

This high standard of quality in the processing of Personal Data also depends on your good judgement in handling your own Personal Data, as well as in the processing you carry out of the data of others (third parties).

For this purpose, and without dispensing with a detailed reading of the Regulation, "Personal Data" means data that identify, or are capable of identifying, the physiotherapist member of the ORDER OF PHYSIOTHERAPISTS and a natural or legal person contractually related to the ORDER OF PHYSIOTHERAPISTS, regardless of the nature and modality of the relation.

 

II. In this sense, this Privacy Policy serves as a rule for all physiotherapists registered with the ORDEM DOS FISIOTERAPEUTAS, and for its direct or indirect collaborators, ensuring that their Personal Data is processed in accordance with the GDPR, and gives guidance on the use of the Personal Data of others by physiotherapists.

Therefore, the Personal Data included in your personal file, or that which we collect and process in any other way in the course of our business, are subject to a special and appropriate duty to safeguard.

This data, provided by you before and because of the contractual relationship between the Order and you, is also lawfully collected from third parties in the course of our work activities.

 

III. This data may include:

a) Your application documents;
b) The cover letter following an application;
c) The other contractual details subsequently agreed;
d) Professional correspondence exchanged with you or about your person;
e) Remuneration and other information about compensations;
f) Bank details.

These documents may contain, among other data:

– Information about the official or other address/residence you provided to us;
– Phone numbers;
– Professional contact information;
– Names of dependents;
– Information about the contact person in case of emergency;
– Date of birth;
– Curriculum Vitae (CV);
– Documentation on academic training;
– Residence status;
– Language skills that you may have disclosed to us;
– Performance assessments and disciplinary records.

The ORDER OF PHYSIOTHERAPISTS may record images of you, including CCTV video images, or photographic images for badge printing or security purposes.

Throughout your enrolment, employment contract or other relationship, the ORDEM DOS FISIOTERAPEUTAS may receive medical certificates and/or excuses for absence, which may be processed by the ORDEM DOS FISIOTERAPEUTAS for the purposes of processing payments for illness under the contractual relationship or to fulfil legal obligations, as well as for managing and monitoring performance and absences. The above data may be stored electronically or on paper.

 

IV. The legal grounds for the ORDEM DOS FISIOTERAPEUTAS to process/handle your Personal Data include:

– The legal interest in establishing and managing the relationship with you, and also other purposes, including administrative and human resources management-related functions (among others), such as:

a. Registration files and subsequent processing, as well as other related administrative procedures;
b. Work processes, including record-keeping required by law, management analysis, audits, forecasts, planning, transactions, business continuity, organisational risk management, insurance and risk prevention;
c. Safety at the workplace, of property, of employees and of their personal data, as well as those of customers, as described below;
d. Training and development programmes and policies, work evaluation, awards, planning and organisation.

– Compliance with employment contracts and service provision, including human resource management and salaries and commissions processing;

– Compliance with applicable laws and regulations and the legal obligations of the ORDER OF PHYSIOTHERAPISTS, such as accounting and tax obligations, and those related to employee insurance and pensions;

– Compliance with legal obligations and the exercise of rights;

– The consent given, where applicable, which may subsequently be withdrawn at any time, without affecting the legitimacy of the data processing based on the initial consent, simply by request to the management of the Order.

 

V. In addition, and due to the legal nature of the ORDEM DOS FISIOTERAPEUTAS, it is obliged to make an enquiry, where permitted under the law, and confirm whether it appears on any of the lists of sanctions or exclusions issued by the United Nations and its member countries, including the European Union, and the other sanctions, exclusions, blacklists and prohibitions issued by the Governmental and Regulatory authorities of the jurisdiction.

The ORDER OF PHYSIOTHERAPISTS may also need to look up employees, where applicable, in the registers of professional bodies and licensing entities. These consultations are necessary to ensure that employees are able to work in the ORDER OF PHYSIOTHERAPISTS and to prove that they can provide services without exceptions.

Therefore, only the Personal Data that is necessary to pursue the above-mentioned objectives will be kept, and the ORDEM DOS FISIOTERAPEUTAS will take the necessary measures to ensure that it is always up-to-date and correct, without prejudice to the recurring request for it to be updated.

The personal data will be retained as long as they are relevant to the contractual relationship with the ORDER OF PHYSIOTHERAPISTS. In order to keep your Personal Data accurate and up to date, you must inform us if it changes, for example your name, address, marital status, contacts, qualifications and the contact information of the person to contact in case of emergency.

 

VI. With regard to the sharing of your Personal Data, this may be necessary, in particular, in the context of:

– Shared resource services with other institutions;

– External suppliers who manage benefits on our behalf;

– Clients, so that they can assess your CV with a view to securing clinical projects;

– Public authorities and government authorities, whenever it is legally mandatory in tax, labour or social security matters;

– Providers of occupational risk prevention services;

– Contracting entities or potential contracting entities, if necessary, under transfer of responsibilities agreements;

– Future employers or financial institutions for the purpose of employment/credit references and other information, but only if you request them for such purposes;

– Third parties, whenever legally mandatory or required by judicial proceedings, or whenever authorised by you.

 

VII. Therefore, you have the right to request access to, rectify or delete your Personal Data, as well as to limit its processing and request its portability, within the limits of the applicable laws.

Requests must be submitted in writing to the Board of the Order, and a response is guaranteed in accordance with the applicable data protection laws, under which the ORDEM DOS FISIOTERAPEUTAS may, in certain situations, justifiably refuse to provide such responses.

You can, at any time, contact the Data Protection Officer (DPO) with any other questions you may have regarding the processing of your Personal Data, using the e-mail address mentioned below.

 

VIII. In order to protect its assets, employees and their Personal Data, members' Personal Data and clients' Personal Data, the ORDEM DOS FISIOTERAPEUTAS carries out monitoring and recording activities on its premises, including offices, workstations, workspaces and other equipment (together referred to as "premises and IT systems").

All monitoring activities, carried out in accordance with the law, will be proportionate to the potential damage that misuse may cause. If any technological equipment or computer system to which you have access is subject to monitoring, the nature and purpose of such monitoring shall be explained to you through internal communications and policies of the ORDER OF PHYSIOTHERAPISTS.

For this purpose, we explain what type of monitoring can be carried out:

– Monitoring of incoming and outgoing work emails to check:

a) whether they contain any code that could cause damage;
b) whether they contain spam;
c) whether the size of the message is likely to cause interruptions in the use of our equipment and computer systems;
d) that confidential information is sent securely and in accordance with the ORDER OF PHYSIOTHERAPISTS' policies;

– Opening and reading work communications received by the employee in situations of unforeseen or prolonged absence, in accordance with the applicable policies, upon notification of the employee concerned and with their consent whenever required by law (which will be obtained as soon as possible), to ensure that the core activity of the ORDEM DOS FISIOTERAPEUTAS is not negatively affected by delays in response;

– Analysing the use of equipment and computer systems belonging to ORDER OF PHYSIOTHERAPISTS (including, to the extent permitted by the law, records of working telephone calls, access to databases and systems, file storage, sent and received work emails, facilities access records, and websites visited on the internet) in order to ensure that computer equipment and systems are used for work purposes and that any personal use is limited to an acceptable level that does not cause damage to the computer equipment and systems of the ORDER, or even its operability;

– Controlling the use of computer equipment and systems of the ORDER OF PHYSIOTHERAPISTS, such as preventing access of a search engine to a website, or preventing the execution of unknown software, to ensure that no damage is caused to the computer equipment and systems or to its operation;

– Using security software to track or disable computer equipment and systems of the ORDER OF PHYSIOTHERAPISTS, or to eliminate and destroy data contained in those computer equipment and systems if they are misplaced or stolen, or become inactive, or to protect the information transported on the Internet or stored in the equipment and computer systems;

– Monitoring and recording work communications within the ORDEM DOS FISIOTERAPEUTAS premises, managing equipment, computer systems and assets, searching work files and carrying out management enquiries whenever there is reason to believe that this is necessary to investigate possible legal infractions or violations of ORDEM DOS FISIOTERAPEUTAS policy;

– Preventing the use of personal devices on systems and platforms of the ORDER OF PHYSIOTHERAPISTS, except when previously approved by the board of the ORDER. If such use is necessary, and given the nature of the information, the employee should take into account that access to the network through personal mobile devices carries security and confidentiality risks, and must therefore take the necessary security measures to protect the data accessed through the device against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, as well as against any other form of unlawful processing.

The employee must also, in any situation, keep the information secret and strictly confidential, not allowing access to third parties.

Therefore, ORDEM DOS FISIOTERAPEUTAS uses appropriate physical, technical and organisational measures to protect against illegal or unauthorised access to and processing of your Personal Data, as well as against loss, destruction or incidental damage.

We ensure that your Personal Data is kept legally and securely, namely:

– Employees who have access to other employees' Personal Data are informed of their obligations to protect it;

– Personal data in paper format is kept in archives that are only accessible to employees of the ORDEM DOS FISIOTERAPEUTAS, with only the data actually required by each employee being accessible;

– Personal data held in electronic format is only accessible to authorised employees;

– Printed materials where personal data is displayed are securely destroyed, for example by means of shredding.

 

IX. Processing of Personal Data on behalf of the ORDER OF PHYSIOTHERAPISTS.

When processing Personal Data on behalf of the ORDER OF PHYSIOTHERAPISTS, you should only process data that is necessary, appropriate and relevant for legitimate purposes. You must ensure that Personal Data is kept in a format that identifies a person only for as long as is necessary for the purposes for which it was obtained.

If you are a member or collaborator of the ORDER OF PHYSIOTHERAPISTS for whom access to personal data is defined, you may not disclose any Personal Data to other employees of the ORDER, or to third parties, except for the purposes of the core activity of the ORDER and for the proper performance of your functions.

Therefore, you must ensure that personal data is kept in a secure and confidential way and for as long as necessary, complying at all times with other policies relating to confidentiality and data security.

All employees who process Personal Data are bound by the provisions of this Charter and the other procedures that prescribe local data security measures. All employees have a duty of strict confidentiality, written and/or oral, with regard to the disclosure of Personal Data.

Violations of security and/or confidentiality rules will be investigated and remedied either by the ORDEM DOS FISIOTERAPEUTAS or by the competent authorities in a prompt manner, without prejudice to disciplinary action under the respective procedures and laws, and criminal sanctions if and when they arise.

X. Reporting Personal Data Breaches

In the event of any failure or incident involving Personal Data, Physiotherapists must immediately notify the DPO in accordance with the procedures established for this purpose.

To the extent that they have information about the incident, they should make it available when reporting it. In particular, they should report the nature of the Personal Data breach including, if possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned.

 

B - Physiotherapists as Health Professionals

XI. Without prejudice to the general framework summarised above, healthcare professionals in particular must adopt a set of procedures and precautions in the way they handle Personal Data, in order to guarantee its confidentiality and, consequently, avoid security breaches and unauthorised access to it:

 

XII. Access to Information Systems/Platforms

Physiotherapists must ensure reserved access to information systems and platforms on which patient Health Data are recorded.

Physiotherapists should also refrain from duplicating the databases under the responsibility of the ORDER OF PHYSIOTHERAPISTS, for example by creating personal files with information from the database/application to which they have access.

 

XIII. Registration and Access to Clinical Information

Patient clinical information must be recorded directly by the Physiotherapist. Only the data strictly necessary to ensure the effective and most appropriate provision of health care should be collected and recorded.

Records shall be made in applications and systems certified in the context of healthcare provision, and therefore no data shall be recorded on personal devices or equipment owned by professionals and/or not certified.

The Physiotherapist should only access the patient's clinical information in the Patient Summary, or other electronic health record, to the extent necessary for the performance of his/her duties.

 

XIV. Sharing Clinical Information

Patient clinical information should not be shared with third parties, except for the purpose of continuity of healthcare delivery. In this case, the health professional must ensure that the information is shared in a secure and confidential way, and only with another professional subject to the obligation of confidentiality and secrecy.

 

XV. Transport of Clinical Information

Physiotherapists must refrain from transporting clinical information contained in the Single Clinical Summary or any other form outside the service or organisation where they provide care, except in cases authorised by the institution's managers and for the purposes of guaranteeing continuity in the provision of clinical care.

Whenever this happens, special security measures should be adopted to ensure that the information is not improperly accessed by third parties (in particular, the information should be anonymised and/or encrypted).

 

XVI. Use of Personal Devices

The Physiotherapist should not use or connect personal devices to the systems and platforms of the ORDER OF PHYSIOTHERAPISTS, except when previously approved by the Board.

If such use is necessary, and given the nature of the information, the physiotherapist should take into account that access to the network through personal mobile devices carries security and confidentiality risks, and must therefore take the necessary security measures to protect the data accessed through the device against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, as well as against any other form of unlawful processing.

The physiotherapist must also, in any situation, keep the information secret and strictly confidential, not allowing access to third parties.

 

XVII. Use of Data for Own Purposes

Physiotherapists may not process the data collected in the course of providing healthcare for their own purposes. If they intend to use the data for academic or research purposes, they must obtain the approval of those responsible at the ORDEM DOS FISIOTERAPEUTAS (Order of Physiotherapists) and collect the user's consent for this purpose, providing them with the necessary information about the terms under which the data will be used.

In this situation, the Physiotherapist will be considered responsible for the processing of the data.

 

XVIII. Collection of Consent and Provision of Information

When collecting personal data, physiotherapists must observe the principle of minimisation, i.e. they must ensure that only Personal Data that is strictly necessary for the act in question is collected.

Furthermore, as it is usually the professionals who contact patients directly, they should always inform the patients about the terms in which their personal data will be used.

The information to be provided shall include the following elements:

– The identity and the contact details of the controller and, where applicable, of the controller’s representative;

– The contact details of the DPO;

– The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing. If the processing is necessary to pursue legitimate interests, these must be stated;

– The recipients or categories of recipients of the personal data, if any;

– Whether there will be international data transfer and information in this regard (if applicable);

– Data retention period;

– The existence of the right to withdraw consent at any time;

– Right to lodge a complaint with a supervisory authority (CNPD – Comissão Nacional de Proteção de Dados);

– Whether or not the data subject is obliged to provide the data and the consequences of not doing so;

– The existence of automated decision-making (i.e. indication whether the data subject is subject to any decision taken solely on the basis of the automated processing of his data).

Consent must also be obtained for the processing of Personal Data, with the exception of the situations provided for in the GDPR (namely, for the protection of the patient’s vital interests). In the case of minors, consent must be given by the holders of the minor's parental responsibilities.

Ideally, written consent should be obtained and the documented evidence filed. If this is not possible, the professional should register in the patient's clinical record that consent was asked for and given, what information was provided, and the date on which this was done.

 

C - Data Protection Officer (DPO)

I. To obtain further information in this regard, as well as to report any incident described above, you may/should contact the DPO, Maria da Conceição Bettencourt (Data Protection Officer or DPO).

Address: dpo@ordemdosfisioterapeutas.pt
