DATA PRIVACY POLICY

This data protection policy is designed to ensure that the rights to privacy of individuals are protected. I am committed to the principles set out in the General Data Protection Regulation (GDPR) and aim to be as clear as possible about how and why I use information about you so that you can be confident that your privacy is protected.

The policy describes how I manage your information when you contact me or when I contact you.  It also provides extra details to accompany specific statements about privacy that you may see when you use our website such as cookies.  In respect of cookies the policy includes information about the types of cookies used and how you may disable these cookies.

I will use the information collected in accordance with all the laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws I (Alison Longridge) am the data controller; if another party has access to your data I will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.

If your questions are not fully answered by this policy, please contact me.  If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO) via https://ico.org.uk.  My ICO certification number is ZB155436.

1. Why do I need to collect your personal data?

I need to collect information about you so that I can:

  • Know who you are so that I can communicate with you in a personal way.  The legal basis for this is a legitimate interest.
  • Deliver services to you.  The legal basis for this is the contract with you.
  • Process your payment for services.  The legal basis for this is the contract with you.
  • Verify your identity so that we can be sure we are dealing with the right person.  The legal basis for this is a legitimate interest.
  • Optimise your experience on my website.  The legal basis for this is a legitimate interest.
  • Provide you with a useful and relevant website.  The legal basis for this is a legitimate interest.

 

2. What personal information do I collect and when do I collect it?

For me to provide you with a service, I need to collect the following information:

  • Your name
  • Your contact details including a postal address, telephone number(s) and electronic contact such as email address.
  • Your health insurance details
  • Your date of birth
  • Personal data in invoices and copy receipts, accounting records, tax and VAT returns and related information.

I will collect this information directly from you.

With your consent, I may also collect information about you from third parties; from another health professional (e.g. GP) or health insurance company to provide a complete health assessment.  This may include sensitive personal information.

On my website, I use cookies to gather information about visitors in order to monitor the quantity of website traffic.  I do not identify you or any other individuals from this information.  More details are provided below in Appendix 1.

3. How do I use the information that I collect?

I use the data I collect from you in the following ways:

  • To communicate with you so that I can inform you about your appointments with me, I will collect personally identifying information such as your name, your contact details such as your phone number, email address or postal address.
  • To deliver the correct service to you I use your name and your contact details.
  • To create your receipt I use your name and address, date of birth, and health insurance identifiers where appropriate.
  • I may take payment by credit/debit card using a registered provider.  I will not have access to your bank details.

4.  Where do I keep the information?

I keep information in the stores described below.  Please note that I do not store your payment card details in any system; these are passed through the payment provider (Sum up) and typically I do not take payment by card machine but via bank transfer.

4.1   On the company computers

Your name, date of birth, address, mobile number, e-mail, GP, reason for seeking acupuncture treatment and emergency contact will be held on a triple password protected database on my personal computer.

My smartphone is password protected and will hold your name and phone number, as this is how I will conduct a Covid-19 screening prior to each appointment, contact you about appointments, and keep you informed about any changes to dates or times.

4.2    Physical Storage

Your name, date of birth and information about other health providers will appear on your paper handheld notes and be kept in a locked filing cabinet in the clinic. To help ensure confidentiality and anonymity your address and contact details will not be on your handheld notes.

5.  How long do we keep the information?

I will manually delete the records after the period of 7 years required by HMRC, unless the patient is a child, in which case I will store notes for 7 years beyond their turning 18 years.

6.  Who do I send the information to?

I will only send information necessary to achieve business purposes.

Invoices to health insurance companies are sent electronically and anonymised with company codes.  Where this is not possible or practical all documents are password protected.

Cloud storage providers will have information shared with them in compliance with GDPR.

Information is shared to the degree necessary for accounting and tax purposes.

Special category data is encrypted before it is shared.

Routine emails between us are deleted as soon as possible.

I am required to abide by professional terms and conditions which state exceptions to confidentiality as outlined in my terms and conditions (e.g. if your health is in jeopardy, with your agreement, I may share information with a mental health crisis team).  In addition, if I become aware of your intent to cause harm to another person, the law may require me to inform the relevant authorities without seeking your prior permission.

7.  How can I see all the information you have about me?

You can make a subject access request to me.  This does not need to be in writing and may be made in person or by phone.  I may require additional verification that you are who you say you are to process this request.  We may withhold personal information to the extent permitted by law.  In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.

8.  What if my information is incorrect or I wish to be removed from your system?

Please contact me.  I may require additional verification that you are who you say you are to process this request.

If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format as the subject access request in section 7.

9.  How can I have my information removed?

If you want to have your data removed I will have to determine whether I need to keep the data, for example to comply with professional bodies or HMRC.  If I decide that I should delete the data, I will do so without undue delay.

10.  Will I send emails and text messages to you?

As part of providing a service to you I may communicate via email, keeping the information in the body of the text to a minimum.  Any reports with personally identifying or sensitive information that I send to you will be password protected.  All emails are deleted as soon as practically possible. I will also send a text message prior to your appointment and will let you know via text message if my clinic is running late, for example.

11.  How do I opt out of receiving emails and/or text messages?

If you do not wish to receive information through these means, please let me know.

12.  What happens in the event of a data breach?

The data protection lead is responsible for responding to personal data breaches.  He or she notifies the ICO as necessary and also data subjects where the risk to them is high.

Breaches which carry any risk to data subjects must be reported to the ICO within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again.

All personal data breaches, however minor, and whether reportable or not are recorded.

13.  Complaints or queries

If you are not satisfied with my response to complaints or queries you can raise a complaint with the Information Commissioner’s Office (ICO).

Contact information ICO:

Website: https://ico.org.uk/concerns

Email: casework@ico.org.uk

Telephone: 0303 1231113

Appendix 1: Cookies

1. What is a cookie?

A cookie is a small amount of data stored on a computer that contains information about the internet pages that have been viewed from that computer.  They are commonplace on the internet and are used by websites to improve the user’s online experience by storing information about how the user navigated around and interacted with it.  This information is then read by the website on the next occasion that the user visits.

Cookies are sent automatically by websites as they are viewed, but in order to protect a user’s privacy, a computer will only permit a website to access the cookies it has sent, and not the cookies sent by other sites.  Furthermore, users can adjust the settings on their computer to restrict the number of cookies that it accepts, or notify them each time a cookie is sent. This should improve privacy and security but will generally mean that certain personalised services cannot be provided, and it may therefore prevent the user from taking full advantage of a website’s features.

For further information about cookies please visit www.aboutcookies.org

2.  What sort of cookies do we use on our website?

We use two types of cookies: session cookies and stored cookies.

Session cookies expire at the end of the user’s browser session and can also expire after the session has been inactive for a specified length of time, usually 20 minutes. Session cookies are stored in the computer’s memory and are automatically deleted from the user’s computer when the browser is closed.

Stored cookies are stored on the user’s computer and are not deleted when the browser is closed. Stored cookies can retain user preferences for a particular website, allowing those preferences to be used in future browsing sessions.

3.  How do we use cookies?

They gather information regarding the visitors to our website on our behalf using cookies, allowing us to understand the amount of traffic to the website and whether they are returning visitors.  We do not pass any information to a third party.

4. Can I browse your website without receiving any cookies?

Yes, if you have set your computer to reject cookies, you can still browse the website.  However, certain functions may not be available to you unless you enable cookies.

5. How can I find and control cookies?

You can usually adjust for yourself the number of cookies that your computer (or other device, such as a mobile phone) receives.  How this is done, however, varies according to which device and what browser software you are using.

As a general rule, the more commonly used web browser software packages tend to have a drop-down menu entitled ‘Tools’.  One of the options on this menu is usually ‘Options’ – and if this is selected, ‘Privacy’ is usually one of the settings that may be adjusted by the user.  In the case of any device other than a PC (e.g. a mobile phone) you should always refer to the manufacturer’s instructions.

Alternatively, you may wish to opt-out from only the cookies used by third-party companies (acting on our behalf) to measure the traffic to our site.  This has the advantage of leaving other cookies in place, thereby minimising the loss of functionality associated with blocking all cookies.

You may find the following websites useful for information on how to change cookie settings in a range of commonly used browsers:

www.aboutcookies.org

Please note that I only use cookies for the purpose of enhancing your online experience and no personal data is collected from you through this process.

Women’s Health & Fertility Acupuncture, Fulford, York YO10

Copyright © 2021 - 2024 Ali Acupuncture York. All Rights Reserved. Logo Illustration - Jon Haste. Photography - Olivia Brabbs. Website Design and Build NaS.