The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 to give greater control over how your personal data is used. The GDPR expands on the current regime established by the Data Protection Act 1998.
One of the rights is a right to be informed, which means I have to give you even more information than I do now about the way in which I use, share and store your personal information. This means that I have published a new privacy notice which includes information about the increased rights you have in relation to the information I hold on you and the legal basis on which I am using it.
Who controls your data in relation to this Privacy Notice?
Vicki Taylor is the data controller of Vicki Taylor Complementary & Beauty Therapist c/o treat-norwich Complementary Healthcare Clinic, Capitol House, 4-6 Heigham Street, Norwich, NR2 4TE.
Who controls your personal data at treat-norwich Complementary Healthcare Clinic?
Rebecca Geanty is the data controller of treat-norwich Complementary Healthcare Clinic, Capitol House, 4-6 Heigham Street, Norwich, NR2 4TE. [email protected]
treat-norwich Complementary Healthcare Clinic are GDPR compliant and maintain their own Privacy Notice and GDPR information.
Whose information does this privacy notice apply to?
This privacy notice applies to information I collect from:
- Prospective Clients
- Former Clients
- People who subscribe to marketing by signing the GDPR part of the Consultation Form and ticking the box
- Visitors to my website
What is personal data?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Examples of personal data I may hold about you include your contact and appointment details.
Special category data is a sub-category of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. An example of special category data I may hold about you would be your ‘client notes’.
How do I process your personal data?
I comply with my obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. I use your personal data for the purposes set out below.
Sections 1 – 10 apply to my clients, prospective clients, former clients, people who subscribe to marketing and visitors to my website:
- I use your name, address, telephone number and email address to make and rearrange appointments. I use googlemail and its associated security to send or receive emails. I will also monitor any emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send to me is within the bounds of the law.
- I use your name, address, telephone number and email address, only if I have your explicit consent, to send you marketing materials. I use googlemail and its associated security to send or receive emails.
- Some clients and prospective clients tell me via email about their medical conditions and medication prior to their first appointment. I use googlemail and its associated security to send or receive emails. I will also monitor any emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send to me is within the bounds of the law.
- I use personal information about you and your health in order to provide you with the best possible treatment and to formulate your treatment strategy and treatment plan. I have a “Legitimate Interest” in collecting that information, because without it I couldn’t do my job effectively and safely.
- I use your GP’s name and address in the event that I need to contact your GP about medical contraindications. I will only do this once I have your permission or in the case of an emergency.
- I keep a record of any treatment given and details of progress, including reviews of treatment to enable me to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
- I record and use any information and advice that I have been given, to help you to receive the most appropriate treatment and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint. I will not pass your information on to a third party unless I have your permission prior to doing so or am required to do so by law.
- I record any decisions made in conjunction with you to help you to receive the most appropriate treatment and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
- Where relevant I maintain records of the client’s consent to treatment, or the consent of their next-of-kin. This is to secure evidence in the event of a civil claim, criminal prosecution, insurance claim or complaint.
- All client personal information is kept confidential and secure on my password-protected personal work computer or in a lockable filing cabinet in my office at home, which is within the European Economic Area (EEA).
Credit/debit card personal information:
All debit/credit card details are kept secure by SumUp® (Company ID: 07836562) who are GDPR compliant.
All debit/credit card details are kept secure by Paypal (Company ID: 04056498) who are GDPR compliant.
How long do I keep your personal data for?
I keep your personal data for no longer than reasonably necessary.
I keep client records for a period of 7 years in accordance with the Complementary Therapists Association and Holistic Insurance Services professional Code of Conduct, after which I will appropriately dispose of all data.
All data concerning children is kept for 7 years after they turn 18 or from their last appointment, whichever is later (as per my insurance requirements and my legal business obligation), after which I will appropriately dispose of all data.
You have the right to see what personal data of yours I hold, and you can also ask me to correct any factual errors. Provided the legal minimum retention period has elapsed, you can also ask me to erase your records.
If you have a change of name or contact details please request that I update your details in order that I can locate the correct Consultation Form information and use the correct personal data.
Your rights and your personal data:
At any time you may request that changes are made to your contact details. Unless subject to an exemption under the GDPR, you have certain rights with respect to your personal data as set out below.
- The right to request a copy of your personal data which I hold about you.
- The right to request that I correct any personal data if it is found to be inaccurate or out of date.
- The right to request your personal data is erased where it is no longer necessary for me to retain such data.
- The right to withdraw your consent to the processing at any time. This right does not apply where I am processing information using a lawful purpose other than consent.
- The right to request that I provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [This right only applies where the processing is based on consent or is necessary for the performance of a contract with you and in either case the processing of the data by automated means].
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
- The right to object to the processing of personal data, (where applicable) [This right only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics].
To lodge a complaint, please contact Vicki Taylor ([email protected]) in the first instance. You may also lodge a complaint with the Information Commissioner’s Office. For further details about these rights please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
If I wish to use your personal data for a new purpose, not covered by this Privacy Notice, then I will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, I will seek your prior consent to the new processing.
To exercise all relevant rights, please in the first instance contact: [email protected]
You can contact the Information Commissioner’s Office on 0303 123 1113, via email, or by post at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Personal Information with my website users:
When someone visits my website I use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. I do this to find out how my website is used; for example, the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone.
I use website ‘cookies’ to improve user experience of my website by enabling my website to ‘remember’ users, either for the duration of their visit – using a ‘session cookie’ – or for repeat visits – using a ‘persistent cookie’. Cookies are small, harmless files placed on your computer’s hard drive or in your browser memory when you visit a website. They provide anonymous tracking data to third party applications like Google Analytics.
On the ‘Contact’ page I’ve got a handy tool for you to be able to find where my treatment rooms are. Google has a cookie on the site to send data about how many people are using their online maps.
None of the cookies on my website capture any personally identifiable information. You have a number of options when it comes to receiving cookies. You can set your browser either to reject all cookies, to allow only ‘trusted’ sites to send them, or to accept only those cookies from websites you are currently using. If you switch off your cookies most of the site should still work, but your online experience may not be as good as I’d like for you.
I use a third party service, fasthosts.co.uk to host my website including publishing my blog. Their hosting is located at Discovery House, 154 Southgate Street, Gloucester, GL1 2EX, United Kingdom.
Personal Information with Social Media:
Cookies are created by Twitter; they let the website know if you’ve logged in to your Twitter account. They are present because the ‘share’ via Twitter button is being used on my website (in the footer of each page). It makes it easier for you to share my site with your friends.
Cookies are created by Facebook; they let the website know if you’ve logged in to your Facebook account. They are present because the ‘share’ via Facebook button is being used on my website (in the footer of each page). It makes it easier for you to share my site with your friends.