Lawful basis for holding and using Personal Information
As a health care practitioner, I am required to retain information about my clients in order to give the best possible treatment, care, support and advice. I am a full member of the Association of Reflexologists (AoR); I abide by the AoR Code of Practice and Ethics, and I am bound by the confidentiality requirements defined in that Code.
I am required to hold information for the following legal reasons:
- 'Claims occurring' insurance (insurance provider: Alan Boswell): records to be kept for 7 years after the last treatment.
- Law regarding children’s records: records to be kept until the child is 25, or, if the child was 17 when treated, until they are 26.
- To fulfil my role as a Health Care Practitioner and member of the AoR.
I receive data by email, Facebook, Instagram, my website and consultations. I ensure that the information I receive is kept safe and secure. Procedures are in place to protect data from being lost, stolen, altered or misused. Data is processed on my laptop at home, on my mobile phone, or in paper records.
The holding of personal information
In order to give professional Reflexology, I am required to ask for and keep information about clients, including medical records, DOB, name, address, contact details and treatment details. The only time I will ever use this information is to give advice and support as a result of a treatment.
I will NOT share information with anyone else unless the client has given explicit consent for me to do so. Any referral will be suggested to the client, who should arrange it themselves.
Protecting personal data
I am fully committed to ensuring that clients' personal data is safe and secure. To do this, all personal information will be kept on paper (stored in a non-identifiable manner). Any information I receive electronically will be kept safe and secure by password protection.
Privacy and Consent Notice – The right to be informed
Request for an individual to access their personal data – The right of access
Clients have the right to access personal information held about them, following a written request. Further identification may be necessary before releasing information. A record of any requests to access personal data will be kept.
Data accuracy - The right to rectification
I will ensure that client information is kept accurate and up to date following treatments. Regular reviews are undertaken to make sure that the data held complies with the regulations.
Secure disposal of data – The right to erasure
Yearly reviews of data will take place. Data will be disposed of after 7 years. This process ensures that data no longer required under GDPR or for insurance reasons is destroyed securely. Clients can request that their files be destroyed, but they would then have to waive their right to any insurance claim in the future.
Restriction of personal data - The right to restrict processing of personal data
Clients can request that minimal information is held about them, but this may compromise treatment and may lead to insurance complications. I reserve the right to refuse treatment on this basis.
Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability - The right to data portability
I do not hold any treatment information electronically (all paper recorded). If a client wishes to have a copy of their records, this will be sent to them in the most appropriate way for them.
Objection about information being held - The right to object
I will inform my clients of their right to object to information being held about them through this document and before their first treatment.
Complaints and data breaches - The right to lodge a complaint
You have the right to make a complaint if you feel your details are not correct, if they are not being used in a way that you have given consent for, or if they are being stored when they no longer need to be. Your complaint should be directed in the first instance by email to email@example.com. The complaint will be investigated, and an attempt to resolve any breach that might have occurred will be made in accordance with the General Data Protection Regulation.
The risks associated with my data, and how each risk is managed, are as follows:
- Theft of electronic devices: password locks on all devices.
- Break-in: all my paper files are stored in a safe and secure place.
- Loss or theft on a mobile visit: I take minimal information with me, and it remains with me at all times or in a locked car.
I keep all my records safe and secure and abide by the GDPR.
Data Breach Policy
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. I understand that I only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, I will notify those concerned directly and without undue delay. In all cases I will maintain records of personal data breaches, whether or not they were notifiable to the ICO.
Data Protection Policy
This document forms my data protection policy and shows how I comply with GDPR. It will be reviewed annually, and changes will be made where necessary and appropriate.
Acceptance and Consent
By booking a treatment with Sarah Elizabeth Bespoke Therapies you are consenting to a treatment.
If you require any more information, please do not hesitate to contact me at firstname.lastname@example.org.