General Data Protection Regulation (GDPR) and DPA 2018
At York Traditional Acupuncture, I – Tiziana Bertinotti L.Ac -. am committed to protecting and respecting your privacy. This Policy explains when and why I collect personal information, how I use it, the conditions under which I may disclose it to others and how I keep it secure. I comply with my legal obligations by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Any questions regarding this Policy and my privacy practices should be sent by email to firstname.lastname@example.org, or by telephoning me on 07788 633 292.
Who do I obtain information about?
I collect information about my:
Visitors to my website
What is personal data?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Examples of personal data I may hold about you include your contact and appointment details. Special category data includes data concerning your health which I may hold about you in your patient notes.
How do I collect information from or about you?
I obtain information about you when you first inquire about treatment, either by telephone, email, the online enquiry form on my website, or in person, when you attend my Clinic for treatment, when you return for treatment after a significant lapse of time, or if you are in contact with me in any other way or your details are forwarded to me by someone else. Some patients and prospective patients tell me about their medical conditions and medication by email or online enquiry forms. My laptop is password protected. I keep a register of patients (Intake forms) attending my clinic in paper formats which I keep in your patient files, locked in a storage cabinet. I keep a paper diary where I record all appointments in my clinic. I keep a record of when you were treated for tax purposes and to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to a regulatory body.
I use a third party service, 123-Reg, to host my website including publishing my blogs. This website is hosted at https://www.yorktraditionalacupuncture.co.uk. Nicole at Puur Graphic and Web design helps me design and keep my website updated. Nicole’s own website is: http://www.puurdesigner.com/. ZigZag marketing are my SEO (Search Engine Optimisation) people and their website is: https://zigzag.digital/
What type of information is collected from or about you?
The personal information I collect will include your name, address, email address, phone numbers (home, work and mobile), date of birth and your GP’s name and surgery. I collect personal data from patients at a first appointment with a paper Intake form, and also keep records of when you are treated for tax purposes. In some cases, personal data is used when referring patients to other health professionals, to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to a regulatory body.
I use your relevant medical and family history, and your presenting complaint and symptoms reported by you for the purposes of making a diagnosis, formulating a treatment strategy and treatment planning. I collect your presenting complaint, symptoms, medical and family history as your report them. I review these records to see how you are progressing. I also record any advice or information I have given to you. I use your GP’s name and address in the event that I need to contact your GP including in an emergency and because it is a mandatory requirement for certain practitioners.
In the event of an adverse incident occurring to any of my patients, I report the matter to the appropriate professional body and to my insurance company to enable the insurance company to deal with any potential claims. I keep accident records for any patients who are involved in accidents at my clinic in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or a complaint.
When my patients begin treatment, they or their next of kin sign an Informed consent. This is stored to secure evidence in the event of a civil claim, criminal prosecution, insurance claim or complaint. When I receive a complaint from a person I make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. I will only use the personal information I collect to process the complaint and to check on the level of service I provide. I usually have to disclose the complainant’s identity to whoever the complaint is about. If a complainant doesn’t want information identifying him or her to be disclosed, I will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. I may need to provide personal information collected and processed in relation to complaints to professional bodies or to my insurance company. I will keep personal information contained in complaint files in line with my retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
How is your information used?
I may use your personal information to:
• book, confirm or amend your appointments with me
• administer my own accounts and records;
• carry out my obligations arising from any contracts entered into by you and me;
• respond to you if you have contacted me directly or through someone else;
• notify you of changes to my services.
When someone visits my website I use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. I do not make, and do not allow Google to make, any attempt to find out the identities of those visiting my website.
Who has access to your information?
I myself – Tiziana Bertinotti L.Ac.- , the sole owner and practitioner at York Traditional Acupuncture will have access to your information for the purposes stated above. Your personal data will be treated as strictly confidential and only shared:
· with named third parties with your explicit consent;
· with the relevant authority such as the police or a court, if necessary for compliance with a legal obligation to which I am subject e.g. a court order e.g. for the purpose of crime prevention, investigation, detection or prosecution
· with your doctor or the police if necessary to protect yours or another person’s life, e.g. if I believe you are a threat to yourself (suicidal or likely to self harm) or to others (in the public interest).
· with the police or a local authority for the purpose of safeguarding a children or vulnerable adults; or · with a regulatory body (ie the British Acupuncture Council) or insurance company in the event of a complaint or insurance; or
· a solicitor in the event of any investigation or legal proceedings being brought against me
For further details about the situations when information about you might be shared please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/personalinformation/sharing-my-info/ I will not sell or rent your information to third parties. I will not share your information with third parties for marketing purposes.
How long do we keep your personal data?
I keep patients’ records for a period of 7 years in accordance with the British Acupuncture Code of Professional Conduct. Children’s records are kept for 7 years following their 18th birthday, therefore until the age of 25. Paper notes will then be shredded if you have ceased visiting my clinic.
In the event of my death, a colleague of mine will take over my patients’ files and records and will safely store them. I have nominated such colleague in my Will.
Your rights and your personal data
Unless subject to an exemption under the General Data Protection Regulations, you have certain rights with respect to your personal data as set out below.
· The right to request a copy of your personal data which I hold about you.
· The right to request that I correct any personal data if it is found to be inaccurate or out of date.
· The right to request your personal data is erased where it is no longer necessary for me to retain such data.
· The right to withdraw your consent to the processing at any time. This right does not apply where I am processing information using a lawful purpose other than consent.
· The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
· The right to object to the processing of personal data, (where applicable) [This right only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics].
· The right to be informed if your data is lost. We shall also inform the Information Commissioner’s Office in accordance with the time limits in the GDPR.
· The right to lodge a complaint with the Information Commissioner’s Office.
For further details about these rights please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
How you can access and update your information
The accuracy of your information is important to me. If you change your contact details, or any of the other information we hold is inaccurate or out of date, please email me at email@example.com, or call me on 07788 633 292. You have the right to ask for a copy of the information I hold about you (this will usually be free but I will let you know if I need to charge a reasonable fee to cover my costs in providing you with details of the information I hold about you). At any time you may request that changes are made to your contact details, for example if they are inaccurate or incomplete.
Security precautions in place to protect the loss, misuse or alteration of your information
16 or Under
I am concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand whenever you provide me with personal information.
Transferring your information outside of Europe
As part of the services offered to you, the information which you provide to me may be transferred to countries outside the European Union (“EU”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If I transfer your information outside of the EU in this way, I will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.
Concerns or Complaints
If you have a concern or complaint about how I handle your personal information, I’d like to try to resolve this with you. Please contact me by email: firstname.lastname@example.org or call me on 07788 633 292. If I do not resolve your concern or complaint to your satisfaction, or if you prefer to go direct to the Information Commissioner’s Office (ICO), you can contact the ICO on its helpline on 0303 123 1113 or via its website: https://ico.org.uk/concerns/handling/ Review of this Policy I keep this Policy under regular review. This Policy was last updated on 24th May 2018.