This privacy notice details how your personal data is processed: why I process it, who has access to it, how it is stored, under what circumstances it is erased, how you can access it, what happens in the event of a data breach, how you can request that your data be deleted or destroyed, and how to file a complaint regarding the processing of your personal data. The following applies equally to the personal data disclosed by a prospective patient or anybody who contacts/enquires about acupuncture, any patient currently receiving acupuncture treatment or any past patient who has received acupuncture treatment.
I want you to be absolutely confident that I am treating your personal data responsibly, and that I am doing everything I can to make sure that the only people who can access that data have a genuine need to do so. Of course, if you feel that I am mishandling your personal data in some way, you have the right to complain about the way your data has been processed – this should be directed towards the data controller (see below) or, if you wish to take the complaint further, to the Information Commissioner’s Office.
N.B. You also have the right to make a formal complaint with regard to your acupuncture treatment or professional conduct, again directed to us or, if you wish to take the complaint further, to the British Acupuncture Council.
What personal data do we process?
Your ‘personal data’ is any information which may, either on its own or put together with other information, be used to identify you, the data subject. This includes, primarily, your name, date of birth, address, occupation, telephone number and email address. If you tell me that you moonlight as a semi-professional poet or that you won first prize at a beauty contest, this also constitutes personal data as it could lead to a reader identifying you; however, this type of data is rarely recorded unless it is relevant to the purpose of carrying out acupuncture treatment.
‘Special category personal data’ includes any details relating to your health, which is most of the data I record. Other examples include gender, race, sexual orientation, details of sex life, political views or religious views, etc. I am less likely to record these other examples of special category personal data, but there may be instances where I do. You have certain additional rights under GDPR as the subject of special category personal data.
Why do we process your personal data?
When you supply your personal details to me, they are stored and processed for four reasons (the relevant terms for lawful bases to process data, as used in the Data Protection Act 2018 and the General Data Protection Regulation, GDPR, are emboldened):
1. Collecting information about your health is necessary to provide acupuncture treatment. Your requesting treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide treatment.
2. Some of your personal information must be collected for the operation of the clinic, including your name, address, GP name & address (so far these are professional & insurance requirements from the British Acupuncture Council) and contact telephone number (as it is necessary to be able to contact you regarding confirmation or cancellation of your appointments), and so I hold legitimate interest to collect this data. It is also important that I am able to contact you regarding your care. This again constitutes legitimate interest, but this time it is your legitimate interest.
3. Only with your specific, explicit and prior consent, your data may be used for direct marketing purposes, such as a newsletter or promotional offers by email, although I do not currently do so.
4. I keep accident records for any patients, visitors or staff who are involved in accidents at the premises, in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR), to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint, and so we hold legitimate interest to collect this data also.
Who has access to your personal data?
Your practitioner, Magdalena Denny, is the data controller for the personal data you disclose when you come for acupuncture treatment. Your data will not be shared with any other third parties for any reason, except with your prior explicit consent – it is considered best practice to keep your GP informed of your progress through treatment, but we will not do so without prior, explicit consent. I take confidentiality very seriously. In the event that it is suspected that you, or another individual you disclose, may be at risk of harming yourself/themselves or others, this will be reported to your GP or to the relevant authorities – this scenario provides a legal obligation to override my professional requirement to confidentiality and constitutes a lawful basis to disclose any relevant personal data to the authorities/to your GP, with or without your consent.
In the event of an adverse incident occurring to any of my patients or a formal complaint, I report the matter to the British Acupuncture Council and my insurance company to enable the insurance company to deal with any potential claims and to help the British Acupuncture Council to develop its safe practice guidelines, as well as providing research data and information for the BAcC’s insurers and other interested parties.
All data processors have, or will have, signed non-disclosure agreements prior to having access to any of your personal data.
The receptionist at the CHAIM Center at Willesden Green will only have access to your name and contact information.
Your data protection rights
As the data subject, you have the following rights:
- To be informed of the collection and use of your data, and to be informed of any breaches in the security of your data
- To access a copy of your notes and all the data we hold
- To have inaccurate information rectified
- To erasure of your data*
- To restrict processing of your data
- To data portability (for your data to be held in a form that you, yourself, can easily copy and share to any third parties)
- To object to the processing of your data
- In relation to automated decision making and profiling (not applicable in this case – we do not use any automated decision making or profiling when processing your data)
*The right to erasure is not absolute and only applies in certain situations. Article 17(3)(e) of the GDPR provides exemption from the right to erasure, and it is a professional and insurance requirement of the British Acupuncture Council that we retain your notes for 7 years after your last appointment with us (or 7 years after turning 18 for any treatment carried out if/when the data subject was a minor) and so we are obligated to refuse requests for erasure of your personal data within this timeframe. Upon your request for the erasure of your data, measures will be put in place to ensure the destruction or deletion of all your data within 40 days after this 7 year period has elapsed from your last appointment, unless there is another valid reason why your data should be kept for longer than this time.
How your data is stored
All contact details and treatment notes are kept within an individual-specific file and stored in a metal, fire-safe filing cabinet which is secured and kept locked.