A - General and transversal framework
I. On 25 May 2018 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as the RGPD or the Regulation, entered into force.
We therefore intend to provide an overview of how Personal Data is collected and processed within ORDEM DOS FISIOTERAPEUTAS and to indicate the rights to which the data subject is entitled under the RGPD.
The Regulation establishes the rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Which personal data are processed, and how they are used, depends essentially on the scope and purpose of the request.
Thus, the ORDER OF PHYSIOTHERAPISTS provides all information required under the terms of the Regulation, together with any additional information that may be warranted.
The ORDER OF PHYSIOTHERAPISTS ensures that Personal Data is processed with the strictest respect for individual rights and the applicable legal regime.
Personal Data is processed to the extent necessary for the core activity of ORDEM DOS FISIOTERAPEUTAS, specifically the data subject's relationship with it and the maintenance of a high standard of quality.
This high standard of quality in the handling of Personal Data also depends on your own good judgement in handling your Personal Data, as well as in your handling of the data of others, i.e. third parties.
For this purpose, and without dispensing with a detailed reading of the Regulation, "Personal Data" means data that identify, or are capable of identifying, the physiotherapist member of the ORDER OF PHYSIOTHERAPISTS and any natural or legal person contractually related to the ORDER OF PHYSIOTHERAPISTS, regardless of the nature and form of the relationship.
Therefore, we have a special and appropriate duty to safeguard the Personal Data included in your personal file, or that we collect and process in any other way in the course of our activity.
These data, provided by you before and because of the contractual relationship between you and the Order, are also lawfully collected from third parties in the course of our work activities.
III. These data may include:
a) – Your application documents;
b) – The cover letter accompanying an application;
c) – The other contractual details subsequently agreed;
d) – Professional correspondence exchanged with you or about your person;
e) – Remuneration and other information about compensation;
f) – Bank details.
These documents may contain, among other data:
– Information about the official or other address/residence you provided to us;
– Phone numbers;
– Professional contact information;
– Names of dependents;
– Information about the contact person in case of emergency;
– Date of birth;
– Curriculum Vitae (CV);
– Documentation on academic training;
– Residence status;
– Language skills that you may have disclosed to us;
– Performance assessments and disciplinary records.
The ORDER OF PHYSIOTHERAPISTS may record images of you, including CCTV video images, or photographic images for badge printing or security purposes.
ORDEM DOS FISIOTERAPEUTAS may receive medical certificates and/or justifications for absence during the course of your registration, employment contract or other employment relationship, and these may be processed by ORDEM DOS FISIOTERAPEUTAS for the purposes of processing payments for sickness under the contractual relationship or to comply with legal obligations, as well as for the management and monitoring of performance and absences. The aforementioned data can be stored electronically or on paper.
IV. The legal grounds on which ORDEM DOS FISIOTERAPEUTAS processes your Personal Data include:
– The legitimate interest in establishing and managing the relationship with you, as well as other purposes, including administrative and human resources management functions (among others), such as:
a. Registration files and subsequent processing, as well as other related administrative procedures;
b. Work processes, including record keeping required by law, management analysis, audits, forecasting, planning, transactions, business continuity, organisational risk management, insurance and risk prevention;
c. Safety of the workplace, property, employees and their personal data, as well as those of clients, as described below;
d. Training and development programmes and policies, work evaluation, awards, planning and organisation.
– Compliance with employment contracts and service provision, including human resource management and the processing of salaries and commissions;
– Compliance with applicable laws and regulations and the legal obligations of the ORDER OF PHYSIOTHERAPISTS, such as accounting and tax obligations, and those related to employee insurance and pensions;
– Compliance with legal obligations and the exercise of rights;
– The consent given, where applicable, which may subsequently be withdrawn at any time without affecting the lawfulness of the data processing based on the initial consent, simply by submitting a request to the Management of the Order.
V. Furthermore, due to its legal nature, ORDEM DOS FISIOTERAPEUTAS is obliged, where permitted by law, to consult and confirm whether the data subject appears on any of the sanctions or exclusion lists issued by the United Nations and its member countries, including the European Union, and on the other sanctions lists, exclusion lists, blacklists and prohibitions issued by the governmental and regulatory authorities of the relevant jurisdiction.
The ORDER OF PHYSIOTHERAPISTS may also need to look up employees, where applicable, in the registers of professional bodies and licensing entities. These consultations are necessary to ensure that employees are able to work at the ORDER OF PHYSIOTHERAPISTS and to prove that they can provide services without exceptions.
Therefore, only the Personal Data necessary to pursue the aforementioned objectives shall be kept, and ORDEM DOS FISIOTERAPEUTAS shall take the necessary measures to ensure that they are always up to date and correct, without prejudice to periodic requests for you to update them.
The personal data will be retained for as long as they are relevant to the contractual relationship with the ORDER OF PHYSIOTHERAPISTS. In order to keep your Personal Data accurate and up to date, you must inform us of any changes, for example to your name, address, marital status, contacts, qualifications and the contact details of your emergency contact.
VI. Regarding the sharing of your Personal Data, this may be necessary, in particular, in the context of:
– Shared resource services with other institutions;
– External suppliers who manage benefits on our behalf;
– Clients, so that they can assess your CV with a view to securing clinical projects;
– Public authorities and government authorities, whenever it is legally mandatory in tax, labour or social security matters;
– Providers of occupational risk prevention services;
– Contracting entities or potential contracting entities, if necessary, under transfer of responsibilities agreements;
– Future employers or financial institutions for the purpose of employment/credit references and other information, but only if you request them for such purposes;
– Third parties, whenever legally mandatory or required by judicial proceedings, or whenever authorised by you.
VII. Thus, you have the right to request access to, rectification or erasure of your Personal Data, as well as to restrict its processing and to request data portability, within the limits of the applicable laws.
Requests must be submitted, in writing, to the Management of the Order, and a response is guaranteed in accordance with the applicable data protection laws; under these laws, ORDEM DOS FISIOTERAPEUTAS may, in certain situations, refuse on justified grounds to comply with such requests.
You may, at any time, contact the Data Protection Officer (DPO) about any further questions you may have concerning the processing of your Personal Data by using the email address mentioned below.
VIII. In order to protect its assets, employees and their Personal Data, the Personal Data of members and the Personal Data of clients, ORDEM DOS FISIOTERAPEUTAS carries out monitoring and recording activities in its facilities, including offices, workstations, workspaces and other equipment (jointly referred to as "computer facilities and systems").
All monitoring activities, carried out in accordance with the law, will be proportionate to the potential harm that misuse could cause. If any technological equipment or computer system to which you have access is subject to monitoring, the nature and purpose of such monitoring shall be explained to you through the internal communications and policies of the ORDER OF PHYSIOTHERAPISTS.
For this purpose, we explain what type of monitoring can be carried out:
– Monitoring of incoming and outgoing work email messages to check:
a) whether they contain any code that could cause damage;
b) whether they contain spam;
c) whether the size of the message is likely to cause interruptions in the use of our computer equipment and systems;
d) whether confidential information is sent in a secure manner and in accordance with ORDEM DOS FISIOTERAPEUTAS policies;
– In accordance with the applicable policies, upon notification of the employee concerned and, where required by law, with their consent, which shall be obtained as soon as possible, opening and reading work communications received by the employee in situations of unforeseen or prolonged absence, to ensure that the core activity of ORDEM DOS FISIOTERAPEUTAS is not negatively affected by response delays;
– Analysing the use of equipment and computer systems belonging to the ORDER OF PHYSIOTHERAPISTS (including, to the extent permitted by law, records of work telephone calls, access to databases and systems, file storage, sent and received work emails, facility access records, and websites visited on the internet) in order to ensure that computer equipment and systems are used for work purposes and that any personal use is limited to an acceptable level that does not cause damage to the computer equipment and systems of the ORDER, or to their operability;
– Controlling the use of the computer equipment and systems of the ORDER OF PHYSIOTHERAPISTS, such as blocking access to a website or preventing the execution of unknown software, to ensure that no damage is caused to the computer equipment and systems or to their operation;
– Using security software to track or disable computer equipment and systems of the ORDER OF PHYSIOTHERAPISTS, or to erase and destroy the data they contain if they are misplaced, stolen or become inactive, or to protect information transmitted over the Internet or stored in the computer equipment and systems;
– Monitoring and recording work communications within the premises of ORDEM DOS FISIOTERAPEUTAS, managing computer equipment, systems and assets, performing searches of work files and undertaking management enquiries where there is reason to believe this is necessary to investigate possible legal infractions or breaches of ORDEM DOS FISIOTERAPEUTAS policy;
– Preventing the use of personal devices on the systems and platforms of the ORDER OF PHYSIOTHERAPISTS, unless previously approved by the Board of the ORDER. Where this is necessary, and mindful of the nature of the information, the employee should bear in mind that network access through personal mobile devices carries security and confidentiality risks, and must therefore take the necessary security measures to protect the data accessed through the device against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other form of unlawful processing.
The employee must also, in all circumstances, keep the information confidential under strict secrecy, not allowing third parties to access it.
ORDEM DOS FISIOTERAPEUTAS therefore uses appropriate physical, technical and organisational measures to protect your Personal Data against unlawful or unauthorised access and processing, as well as against loss, destruction or accidental damage.
We ensure that your Personal Data is held in a legal and secure manner, including:
– Informing employees who have access to other employees' Personal Data of their obligations to protect it;
– Keeping personal data in paper format in files that are accessible only to ORDEM DOS FISIOTERAPEUTAS collaborators, with each collaborator able to access only the data actually necessary for their work;
– Making personal data held in electronic format accessible only to authorised employees;
– Securely destroying printed materials on which personal data is displayed, for example by shredding.
IX. Processing of Personal Data on behalf of ORDEM DOS FISIOTERAPEUTAS
When processing Personal Data on behalf of the ORDER OF PHYSIOTHERAPISTS, you should only process data that is necessary, appropriate and relevant for legitimate purposes. You must ensure that Personal Data is kept in a form that permits identification of a person only for as long as is necessary for the purposes for which it was obtained.
If you are a member or collaborator of the ORDER OF PHYSIOTHERAPISTS who has been granted access to personal data, you may not disclose any Personal Data to other employees of the ORDER, or to third parties, except for the purposes of the core activity of the ORDER and for the proper performance of your functions.
Therefore, you must ensure that personal data is kept in a secure and confidential way and for as long as necessary, complying at all times with other policies relating to confidentiality and data security.
All employees who process Personal Data are bound by the provisions of this Charter and the other procedures prescribing local data security measures. All employees have a duty of strict confidentiality, written and/or oral, in relation to the disclosure of Personal Data.
Breaches of security and/or confidentiality rules shall be investigated and resolved in a timely manner, either by ORDEM DOS FISIOTERAPEUTAS or by the competent authorities, without prejudice to disciplinary action under the respective laws and procedures, and to criminal sanctions where applicable.
X. Reporting Personal Data Breaches
In the event of any failure or incident involving Personal Data, the Physiotherapists shall immediately notify the DPO, in accordance with the procedures established for this purpose.
To the extent they have information about the incident, they should make this information available when reporting. In particular, they should communicate the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned.
B - Physiotherapists as Health Professionals
XI. Without prejudice to the general summary framework presented, particularly with regard to health professionals, these should adopt a set of procedures and precautions in the way they handle Personal Data, in order to ensure its confidentiality and, consequently, avoid security breaches and unauthorized access to it, highlighting the following:
XII. Access to Information Systems/Platforms
Physiotherapists must ensure reserved access to information systems and platforms on which patient Health Data are recorded.
Physiotherapists should also refrain from duplicating the databases under the responsibility of the ORDER OF PHYSIOTHERAPISTS, for example by creating personal files with information from the database/application to which they have access.
XIII. Registration and Access to Clinical Information
Patient clinical information must be recorded directly by the Physiotherapist. Only the data strictly necessary to ensure the effective and most appropriate provision of health care should be collected and recorded.
Records shall be made in applications and systems certified for use in healthcare provision; therefore, no data shall be recorded on personal devices, on equipment owned by professionals, or on non-certified equipment.
The Physiotherapist should only access the patient's clinical information in the Patient Summary, or other electronic health record, to the extent necessary for the performance of his/her duties.
XIV. Sharing of Clinical Information
Patient clinical information should not be shared with third parties, except for the purpose of continuity of healthcare delivery. In this case, the health professional must ensure that it is carried out, in a secure and confidential way, to another professional subject to the obligation of confidentiality and secrecy.
XV. Transportation of Clinical Information
Physiotherapists must refrain from transporting, in any way, clinical information contained in the Single Clinical Summary or elsewhere outside the service or organisation where they provide care, except where authorised by the heads of the Institution and for the purpose of guaranteeing continuity of clinical care.
Whenever this happens, special security measures should be adopted to ensure that the information is not improperly accessed by third parties (in particular, the information should be anonymised and/or encrypted).
XVI. Use of Personal Devices
The Physiotherapist should not use or connect personal devices to the systems and platforms of the ORDER OF PHYSIOTHERAPISTS, unless previously approved by the Board.
Where this is necessary, and mindful of the nature of the information, the Physiotherapist should bear in mind that network access through personal mobile devices carries security and confidentiality risks, and must therefore take the necessary security measures to protect the data accessed through the device against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other form of unlawful processing.
The Physiotherapist must also, in all circumstances, keep the information confidential under strict secrecy, not allowing third parties to access it.
XVII. Use of Data for Own Purposes
The Physiotherapist may not use the data collected during the provision of health care for his or her own purposes. A Physiotherapist who intends to use the data for academic or research purposes must obtain approval from the person responsible at ORDEM DOS FISIOTERAPEUTAS and collect the consent of the user, providing the necessary information about the terms under which the data will be used.
In this situation, the Physiotherapist will be considered the controller (the party responsible for the processing) of the data.
XVIII. Collection of Consent and Provision of Information
Physiotherapists shall observe, when collecting personal data, the principle of minimization, i.e., ensure that only the personal data that is strictly necessary for the act in question is collected.
Furthermore, as it is usually the professionals who contact patients directly, they should always inform the patients about the terms in which their personal data will be used.
The information to be provided shall include the following elements:
– The identity and the contact details of the controller and, where applicable, of the controller’s representative;
– The contact details of the DPO;
– The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing; where the processing is based on legitimate interests, these must be stated;
– The recipients or categories of recipients of the personal data, if any;
– Whether there will be international data transfer and information in this regard (if applicable);
– Data retention period;
– The existence of the right to withdraw consent at any time;
– Right to lodge a complaint with a supervisory authority (CNPD – Comissão Nacional de Proteção de Dados);
– Whether or not the data subject is obliged to provide the data and the consequences of failure to do so;
– The existence of automated decision-making (i.e. indication whether the data subject is subject to any decision taken solely on the basis of the automated processing of his data).
Consent must also be obtained for the processing of Personal Data, except in the situations provided for in the Regulation (namely, for the protection of the patient's vital interests). In the case of minors, consent must be given by the holders of parental responsibility for the minor.
Ideally, written consent should be obtained and the documented evidence filed. If this is not possible, the professional should record in the patient's clinical record that consent was requested and given, what information was provided, and the date on which this was done.
C - Data Protection Officer (DPO)
I. To obtain further information within this scope, as well as to report any incident described above, you may (and, in the case of an incident, should) contact the DPO, Maria da Conceição Bettencourt (Data Protection Officer, EPD).