General Data Protection Regulation 2016/679 (GDPR).
All of the information you share is stored in a paper format in your patient file, locked in a storage cabinet. The only electronic data is that which you send to me via a mobile phone or email. This is printed out or noted in your patient file and then deleted from my mobile phone or laptop. My mobile phones and laptops are password protected.
Whose information does this privacy notice apply to?
- prospective patients;
- former patients;
- visitors to our website.
What is personal data?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Examples of personal data we may hold about you include your contact and appointment details.
Special category data is a sub-category of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Examples of special category data we may hold about you include your patient notes.
For my patients, prospective patients & former patients
I use your name, telephone number and email address to make and rearrange appointments. I am unable to send or receive encrypted emails so you should be aware that any emails I send or receive might not be protected in transit. I will also monitor any emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send me is within the bounds of the law.
I keep a paper diary, which records all appointments in my clinic, for tax purposes and to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to The British Acupuncture Council.
I may use your date of birth and address to help identify patients with the same name to avoid mistakes being made as to safe and appropriate treatment, for identification purposes if referring a patient to another health practitioner, and for identification purposes if writing to a registered medical practitioner (with your permission) so that they correctly identify the patient.
For the purposes of making a full traditional diagnosis, formulating a treatment strategy and treatment planning, I collect your presenting complaint, symptoms, medical and family history as you report them. I review these records to see how you are progressing. I record any advice or information I have given you.
I record your GP’s name and address in the event that I may need to contact your GP in an emergency and because it is a mandatory requirement in the British Acupuncture Code of Professional Conduct.
I keep accident records for any patients and any visitors who are involved in accidents at my clinic in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint.
Any potential claims in the event of an adverse incident are reported to the British Acupuncture Council and my insurance company.
When my patient begins treatment they or their next of kin sign an informed consent. This is stored to secure evidence in the event of a civil claim, criminal prosecution, insurance claim or complaint.
When I receive a complaint from a person, details are kept in paper format in the patient file. Information relating to a complaint will be retained for two years from closure. Some personal information may be shared with the British Acupuncture Council and my insurance company if deemed necessary. The paper file is only accessed by the practitioner and is locked away in a cabinet.
When someone visits my website I do not collect personally identifiable information. No user-specific data is collected. I use a third party service to help maintain the security and performance of my website.
Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared:
- with named third parties with your explicit consent;
- with the relevant authority such as the police or a court, if necessary for compliance with a legal obligation to which we are subject e.g. a court order;
- with your doctor or the police if necessary to protect your or another person’s life;
- with the police or a local authority for the purpose of safeguarding children or vulnerable adults;
- with my regulatory body, the British Acupuncture Council, or my insurance company in the event of a complaint or insurance claim being brought against me; or
- with my solicitor in the event of any investigation or legal proceedings being brought against me.
I can give you a copy of your patient questionnaire, consent to treat & treatment notes if you put your request in writing. This request will be stored in your paper notes for a period of 7 years.
How long do I keep your personal data?
I keep patient records for a period of 7 years in accordance with the British Acupuncture Code of Professional Conduct. Paper notes will then be shredded if you have ceased visiting the clinic.
If there are any changes to your personal data, your patient questionnaire form will be updated.
If I am ill I can give you a colleague’s contact number to commence treatment with them if you so wish and can give them a treatment summary with your permission. If I die my colleague will safely store your file.
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of Sharon Hansford Acupuncture you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers or visitors, or if it is a group of people, the name of one member of the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date of visit and arrival time and departure time
The venue, as the data controller for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service, as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect the personal information that it receives from the venue and holds against loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
I may require you to pre-book appointments for visits or to complete a form on arrival.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, only this information will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulation, Article 6(1)(c): a legal obligation to which we as a venue are subject. The legal obligation to which we’re subject means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.
You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).
You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.
You have the right to object to processing of personal data about you on grounds relating to your particular situation (again, this right is not absolute).
If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.
I keep my privacy notice under regular review, and I will make new versions available on my privacy notice page on Sharon Hansford Acupuncture. This privacy notice was last updated on 16 September 2020.
Please contact me in the first instance if you have a query about your personal data. Sharon Hansford 0798 8798 295
You can contact the Information Commissioner’s Office on 0303 123 1113 or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. www.ico.org.uk.