ISM Members Fund – physiotherapy service pilot data information
How your data will be used in the pilot
Your personal data
This page contains important information about your personal data and how it will be used by the Incorporated Society of Musicians (ISM) and the ISM Members Fund (Members Fund) in the course of this pilot service.
If you are interested in participating in this pilot, please read the following carefully.
If you would like to request a place in the pilot scheme, you will need to confirm that you have read and understood the Terms and Conditions applying to this pilot, set out below.
You will also need to give us your consent to processing your personal data (including sensitive information, such as health data (‘Special Category Data’)) during this pilot and afterwards for a limited time, so we can evaluate the effectiveness of the pilot.
Processing personal data (and Special Category Data) is necessary for us in order to administer and evaluate the pilot. If you do not wish to give your consent, you will be unable to participate in the trial.
You can withdraw your consent at any time by notifying us (email [email protected]), but you will no longer be able to participate in the trial.
You can give your agreement to the Terms and Conditions of the pilot, and also give your consent to process your data, on the Information and Consent Form which is available on our website or from our Project Administrator. Please email [email protected] to request the form. This form will also tell you a little more about the pilot scheme and how it works.
Our Fair Processing notice below gives you more detail on how we will use your data. It also contains information about your rights in relation to your personal data, and how you may exercise them, along with your right to make a complaint to the Information Commissioner’s Office.
Terms and conditions of the pilot
2. In order to participate in the Pilot, you must first complete the Information and Consent Form (‘Consent Form’) and confirm that you grant the consents required on the Consent Form. The Consent Form is available on our website or from our membership team ([email protected]).
3. If you do not grant consent for the use of your personal data during the Pilot we regret that we will not be able to include you in the Pilot.
4. The pilot has limited places. The Members Fund will manage requests to participate on a first-come, first-served basis. The Members Fund’s decision on accepting requests is final.
5. The treatment streams within the Pilot include a self-management programme, face-to-face sessions with a physiotherapy practice within a participant’s local area, and/or referral to the NHS if specialist treatment is required. PhysioMed will determine the appropriate course for you. The ISM is not responsible for the selection of treatment method or selection of physiotherapist.
6. If face-to-face sessions are approved for your treatment by PhysioMed, the Members Fund will pay for a maximum of three face-to-face sessions. If further sessions are required, you understand and agree that you will be responsible for funding any such additional sessions yourself.
7. You may be required to provide additional consent to PhysioMed for the processing of your personal data. PhysioMed is responsible for the security of any personal data (including Special Category data as defined in the General Data Protection Regulation) you may supply to them or their appointed representatives. PhysioMed is responsible for any decisions it makes in relation to participation in the Pilot if you do not give any requested consent to PhysioMed.
8. The ISM and ISM Members Fund shall not be liable for any loss, damage, injury or death howsoever caused arising from your participation in the Pilot.
Your personal data: Fair Processing notice
The ISM Members Fund is committed to offering this pilot in such a way so as to protect your privacy. So we have taken a number of steps to ensure we put your privacy first, which we set out in this Fair Processing notice.
Our approach to your data in this pilot
In practice, we believe that by pseudonymising participants in the pilot we will remove almost entirely the risk that you may be identified by someone else. But we may want to see how effective the pilot has been, for example, for an individual playing a particular instrument, living in a particular location with a particular physiotherapy need – was there a face-to-face opportunity within 30 minutes’ drive from your home? Could you access the service via the internet in a remote part of the UK? And so forth.
So to this extent, it will be necessary to link the report we receive from PhysioMed to your unique code.
Because there is a remote chance that you may be identifiable as result, even circumstantially, we believe we need to seek your consent to process your personal data, and because it is health data, we need an additional consent from you to satisfy data protection law.
We explain this in more detail below.
1. Purposes and lawful basis for processing your data: Participating in the pilot is voluntary: it is your choice. But under Article 6 of the General Data Protection Regulation (GDPR) we still need to identify the purposes for which we process your data, and a lawful basis for doing so.
Processing your data is necessary in order to administer your voluntary participation in this pilot scheme. To protect your data as far as possible we have taken steps to minimise the amount we collect, and to pseudonymise the information as far as possible.
Processing is your data is also necessary in order to evaluate the pilot, and this may give rise to the remote possibility that you could be identified circumstantially through the combination of professional area, geographical location and age. We consider the risk to be low but consider that we must rely on something stronger than a legitimate interest to process this information.
Therefore we are seeking your consent to process your data in this pilot (GDPR Article 6(1)(a)) as our lawful basis.
In addition, although we are not seeking any health information about you directly, we know that we will receive an initial assessment report and a discharge report from PhysioMed which will include such information. Health information is among the Special Categories of data within data protection legislation (GDPR Article 9), and we need to identify an additional condition to justify our processing of this sensitive information.
We are seeking your explicit consent to process your Special Category information in this pilot (GDPR Article 9(2)(a)) as our lawful basis.
You can withdraw your consent at any time – but you will no longer be able to participate in the pilot. Withdrawing of your consent does not affect the lawfulness of any processing we have done based on your consent prior to the point of your withdrawing.
2. Collecting your data: We are collecting your data in order to be able administer your participation in the pilot, and for the purposes of evaluating the effectiveness of the pilot by analysing the results from the discharge reports supplied by PhysioMed for everyone participating in the pilot. In doing so we are seeking to minimise the amount of data about you we collect, hold or share.
Pseudonymised data: We will only receive a discharge report from PhysioMed with the unique code on it: you will not be named in this report. Only our service evaluator, Project Administrator, Senior Charities Manager and the ISM’s Director of Business Development will be able to relate the unique code to you.
3. Storing your data: Your discharge report will securely stored in our systems. Access to the area of our systems where this data is held is restricted to our service evaluator, Project Administrator, Senior Charities Manager and the ISM’s Director of Business Development. All our systems require individual password access, and we also have two firewalls established around our network servers.
4. Sharing your data: We only pass on your name and the unique code we assign to you to PhysioMed. We will only share this information, plus the initial assessment report or discharge report we receive from PhysioMed, with a third party for the means of evaluating the service.
Please note that we hold contracts with network support experts to manage the efficient running of our servers. In practice, this means they will have access to all data stored on our systems including the pseudonymised report and to the unique code linked to your report. Our contracts with our network support experts require them to observe the provisions of the General Data Protection Regulation and Data Protection Act 2018, and in particular to act in accordance with Article 28 of GDPR (which sets out the obligations on data processors) and also in accordance with Article 32 to ensure the security, integrity and availability of your data.
5. Retaining your data: We intend to hold any special category data for a maximum period of 18 months from the point at which we receive the last discharge report from PhysioMed. We will use the data only to evaluate the pilot to determine what we do next. We will retain your Consent Form for six years from the point at which we receive it.
2. The right of access to your personal data, including confirmation that we are processing your data, and the right to view the data and a request a copy of it.
3. The right to rectification: you have the right to request that inaccurate personal data be rectified, or completed if it is incomplete.
4. The right to erasure: you have the right to request erasure of personal information. If we determine we cannot delete data, you still have the right to ask us to restrict processing of your personal data.
5. The right to restrict processing: you can request that we restrict processing of personal information. This means we will stop actively processing it, and it will just be stored. Stopping processing will mean that we will not add any additional information to your existing information.
6. The right to data portability: you have the right to request this if personal information is processed on a lawful basis of either a) consent or b) for the performance of a contract.
7. The right to object: you have the right to object if processing is based on legitimate interests, or if processing is being used for direct marketing.
8. Rights in relation to automated decision making and profiling: we do not make any kinds of automated decisions or perform any profiling with your personal information.
9. The right to lodge a complaint with a supervisory authority: If you are unhappy with the way in which we process your personal data, please contact us via email to [email protected].
You also have the right to lodge a complaint before the Information Commissioner’s Office (ICO), the UK’s data protection authority.
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: 0303 123 1113 (local rate) or 01625 545 745; or see their website.