We take handling of any personal data seriously
The handling of personal data is controlled by the General Data Protection Regulation 2016/679 (the GDPR). This legislation supersedes previous data privacy law, giving more rights to you as an individual and more responsibilities to organizations storing your personal information.
In short, the information I maintain is used to facilitate your treatment or for booking purposes. I do not share your information with any other third parties unless legally obliged to do so, and do not use your information for marketing purposes without your direct consent. Please feel free to ask at any time for your data to be destroyed or handled however you wish.
Who does this apply to?
This privacy notice pertains to data we collect from:
- Prospective patients
- Former patients
- Individuals subscribing to any newsletter I produce
- Website visitors
What is personal data?
Personal data is any information about a living person who can be recognized from that information. Recognition can come from the data alone or in combination with any further information that the data controller holds or that may come into their possession. This may include information regarding your contact and appointment details.
Special category data is a subdivision of the personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely recognising a person, data concerning health or data concerning a person’s sex life or sexual orientation. This may include any treatment notes I store about you.
How do we process your personal data?
I adhere to the regulations under the GDPR by keeping personal information up to date; by storing it and destroying it securely; by not amassing excessive amounts of data; by guarding personal data effectively to prevent loss, misuse, unauthorised access and disclosure; and by ensuring that suitable technical procedures are in place to guard personal data. I may use your personal information for the following purposes:
Sections 1 – 14 apply to my patients, prospective patients, former patients and visitors to the clinic.
- I use your name, address, telephone number, and email address to organize appointments and to follow up on treatments or referral requests. I am unable to send or receive encrypted emails, so you should know that any email correspondence may not be protected in transit. I will also monitor any emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you are responsible for ensuring that any emails you send are inside the bounds of the law.
- I use your name, address, telephone number, and email address to send you marketing information if you have given explicit consent. I am unable to send or receive encrypted emails, so you should know that any email correspondence may not be protected in transit. I will also monitor any emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you are responsible for ensuring that any emails you send are inside the bounds of the law.
- I maintain an attendance register which records all appointments for patients coming to the clinic to keep a record of when you were treated for tax purposes, and to safeguard potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to my regulatory body, the British Acupuncture Council.
- I may use your date of birth to help distinguish patients with the same name, to avoid errors being made if referring a patient to another health practitioner, and for identification purposes if writing to a registered medical practitioner in order to correctly identify the patient.
- I use your presenting complaint and symptoms reported by you in order to make a full traditional diagnosis, devising a treatment strategy and plan for future treatments.
- I use any relevant medical and family history you have told me in order to make a full traditional diagnosis, devising a treatment strategy and plan for future treatments.
- As well as being a mandatory requirement of the British Acupuncture Council’s Code of Professional Conduct, I will use the name and address of your GP to contact them in an emergency.
- I use my clinical findings of your health and wellbeing for making a full traditional diagnosis, devising a treatment strategy and plan for future treatments.
- I will keep a record of any treatment given and information surrounding the treatment effects, including reviews of the diagnosis, treatment strategy, and planning for my own purposes as well as to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
- I document any information and advice that I have given, especially when referring patients to any other health professional, to help you to receive the most appropriate treatment and to preserve evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
- I record any judgments made in conjunction with you to help you to have the most suitable treatment and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
- I keep accident records for all patients, visitors and staff who are involved in accidents at the clinic in accordance with UK Health and Safety legislation, including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR), to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
- If an adverse event occurs to any of my patients I report the matter to the British Acupuncture Council and our insurance company to allow the insurance company to process any potential claims and to help the British Acupuncture Council develop its safe practice guidelines, as well as providing research data and information for the BAcC’s insurers and other interested parties.
- Wherever possible I maintain records of the patient’s consent to treatment, or the consent of their next of kin, in order to prove that the patient (and/or parent/guardian/next of kin) has given informed consent to treatment and to preserve evidence in the event of a civil claim, criminal prosecution, insurance claim or complaint.
Section 15 applies to those who complain about our services
- If I receive a complaint from a person, I make up a file containing the details of the complaint. This would contain the identity of the complainant and any other individuals involved in the complaint.
Personal information will only be used to process the complaint and check the level of service I provide. A disclosure of the complainant’s identity is often required to whoever the complaint is about, but if a complainant doesn’t want information identifying him or her to be disclosed, I will endeavour to respect that.
Occasionally I may need to provide personal information in relation to the complaint to the British Acupuncture Council or our insurance company when an anonymous complaint is not possible.
I will keep personal data contained in complaint files in line with my retention policy, meaning it will be retained for two years from closure in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Furthermore, I will only use information supplied to me to deal with the inquiry and subsequent issues and to check on the level of service I provide.
Sections 16 and 17 apply to subscribers to our newsletters
At present, I do not send any newsletters to patients.
Sections 18 – 21 apply to our website users
- When someone visits my website, I use a third-party service, XXXX, to obtain internet log information and details of visitor patterns. I do this to research elements such as the number of visitors to the various parts of the site. This data is processed in a way that does not identify anyone. I do not make, and do not permit Google to make, any effort to find out the identities of those visiting my website. If I want to obtain any personal information through my website, I will be honest and up-front about this and make it clear what I intend to do with it.
- I use website cookies to enhance the user experience of my website by enabling my website to ‘remember’ users, either for the duration of their visit – using a ‘session cookie’ – or for repeat visits – using a ‘persistent cookie’.
- I operate a third-party service (XXXX) to help maintain the security and performance of my website, which processes the IP addresses of visitors to my website.
- I use a third-party service, XXXX, to host my website. This site is hosted at www.cherrytreeacupuncture.co.uk or www.cherrytreeacupuncture.com, which is run by XXXX. I collect anonymous information about users’ activity on the site. This may include the number of users viewing pages on the site, which enables me to monitor and report the effectiveness of the site and helps me improve it.
Sharing your personal data
Your personal information will be treated as strictly confidential, and will only be shared with the following:
- Named third parties with your explicit consent.
- Relevant authorities such as the police or a court, if necessary, for compliance with a legal obligation to which we are subject e.g. court order.
- Your doctor or the police if necessary, to protect your or another person’s life.
- The police or a local authority for the purpose of safeguarding a child or vulnerable adult.
- My regulatory body, the British Acupuncture Council, or my insurance company in the event of a complaint or insurance claim being brought against me.
- My solicitor in the event of any inquiry or legal proceedings being brought against me.
If you require further information regarding the situations when information about you might be shared, please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/personal-information/sharing-my-info/
How long do I keep your personal data?
I keep your personal data for a period of 7 years in accordance with the British Acupuncture Council’s Code of Professional Conduct. https://www.acupuncture.org.uk/public-content/effective-practice/bacc-professional-codes.html
Treatment notes are stored for 7 years from the date of your last treatment in line with the British Acupuncture Council’s Code of Professional Conduct in case of any legal claims/complaints; for safeguarding purposes etc.
Notes will be stored in a lockable filing cabinet whilst you are a current client of the clinic and transferred to another lockable filing cabinet for storing once you cease treatments.
I will regularly review your details and update them in cases of changes such as an address, GP details or next of kin.
After 7 years your data will be destroyed either via shredding or burning. I currently manage this on site and do not use a third party.
In the event of my death, your notes will be archived and stored until 7 years from the end of your treatment, as set out in the British Acupuncture Council’s Code of Professional Conduct.
Your rights and your personal data
Subject to certain exemptions under the GDPR, you have the following rights with respect to the storing of your data. These include the right to request:
- A copy of your personal data which I hold about you.
- That I correct any personal data if it is found to be inaccurate or out of date.
- That your personal data is deleted where it is no longer necessary for us to retain such data.
- To withdraw your consent to the processing at any time, which does not apply when we are processing information using a lawful purpose other than consent.
- To provide you with your personal data if requested, and where possible to transmit that data directly to another data controller (known as the right to data portability), where applicable [This right only applies where the processing is based on consent or is necessary for the performance of a contract with you and in either case that we are processing the data by automated means].
- That a restriction is placed on further processing when there is a dispute in relation to the accuracy or processing of your personal data.
- To object to the managing of personal data, (where applicable) [This right only applies where processing is based on valid interests (or the performance of a task in the public interest/exercise of official authority); marketing and processing for the purposes of scientific/historical research and statistics].
- To be informed if your data is lost. Furthermore, I will also inform the Information Commissioner’s Office in accordance with the time limits in the GDPR.
- To lodge a complaint with the Information Commissioner’s Office.
If you require further details about these rights, please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
If I need to use your personal data for a new purpose which is not covered by this Privacy Notice, then I will provide you with a new notice clarifying this new use prior to instigating the processing, which would set out the relevant purposes and processing conditions. Where and whenever necessary, I will seek your prior consent to the new processing.
If you need to discuss anything further regarding any relevant rights, queries or complaints, please contact me in the first instance at firstname.lastname@example.org.