Privacy Policy

As a client of Crowstone Complementary Clinic, it is important to us that you know how we handle your data, in order to comply with the new General Data Protection Regulation (GDPR).

The new Data Protection Legislation is EU-wide legislation which will be enacted into UK law, and will become the 2018 Data Protection Act.  This Act is effective from 25th May 2018.

This legislation will affect every business that handles personal data for clients and staff.  Personal data has been defined by the Act as ‘any information relating to an identifiable person who can be directly or indirectly identified’.  This will include such data as name and contact details, but may also be information such as IP addresses.

Detailed below is our new Privacy Policy, which complies with the new GDPR regulation.  A hard copy of this policy is also available to view in our Clinic.

Fair Processing Notice for Crowstone Complementary Clinic

The personal data we collect about you will include data relating to your name, address, date of birth, wider contact details and data relating to ‘health’.  We will process your personal data to allow us to provide you with our services as your Therapist.

Your data will also be used to manage future communications between us, including about our services.  You can opt out of receiving such communication services at any time, by emailing info@crowstonecomplementaryclinic.co.uk or clicking on the ‘unsubscribe’ button within the e-mail.  We will only use your data for the purpose for which it was collected.  We will only grant access to, or share your data, with Therapists working at Crowstone Complementary Clinic.

The Purpose of this Notice

This Notice is designed to help you understand what kind of information we collect in connection to our services and how we will process and use this information.  In the course of providing you with our services, we will collect and process information that is commonly known as personal data.  This notice describes how we collect, use, share, retain and safeguard personal data.

What is Personal Data?

Personal Data is information relating to an identified or identifiable natural person.  Examples include an individual’s name, age, address, date of birth, gender and contact details.

Personal Data may contain information which is known as special categories of personal data.  This may be information relating to, and not limited to, an individual’s health.

Personal Data We Collect

In order for us to provide and administer treatment/therapy to you, we will collect and process personal data about you.  We will also collect your personal data where you request information about our services, customer events, or promotions.

We may also need to collect personal data relating to others, in order to provide and administer treatment/therapy.  In most circumstances, you will provide us with this information.  Where you disclose the personal data of others, you must ensure you are entitled to do so.

You may provide us with personal data when you contact us via the telephone, when writing to us directly or where we provide you with paper-based forms (consultation forms) for completion, or we complete a form in conjunction with you.

We will not collect any more data than is necessary.  We will only collect data that we need to hold, in order to do the job for which we have collected the data.

We will ensure the data is accurate and ask clients to check periodically and confirm that the data that is held is still accurate.

Where we collect data directly from you, we are considered to be the controller of that data i.e. we are the Data Controller.  We do not use a Data Processor.

A data ‘controller’ means the individual or organisation which, alone or jointly with others, determines the purposes and means of the possession of personal data.

A data ‘processor’ means the individual or organisation which processes personal data on behalf of the controller – we do not use one of these.

Detailed below is clarification of the categories of personal data that we, as service providers, collect:

  • Individual’s full name
  • Date of birth
  • Address
  • Telephone Number
  • E-mail address
  • Gender
  • Medical information relevant to types of treatments required 

The lawful basis for collecting and processing this data is:

This information is required as we are asking clients to complete a medical questionnaire and we need to ensure that it is relevant for the correct person.  The medical information gathered is required to ensure that the treatments given are appropriate and safe for each individual.

Your telephone number will only be used to contact you relating to your appointment and only if necessary, or you have specifically asked us to contact you (i.e. you have left an answerphone message).

We hold your name, telephone number, e-mail address and gender on our electronic diary system.  This is for the purposes of knowing our appointments and sending you an appointment reminder, if applicable, as well as to ensure the personal safety and security of our clients and therapists.

If you object to the collection, sharing and use of your personal data, then we may be unable to provide you with our services.

Why Do We Need Your Personal Data?

We require your personal details as we require you to complete a ‘health’ questionnaire/consultation form and we need to be able to identify who the information belongs to.  We also require your personal information to manage future communications between us, including about our services and your appointments.

Your Rights

Individuals are provided with legal rights governing the use of their personal data.  This grants individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if it is inaccurate, to take copies of the data and to place restrictions on its processing.  Individuals can also request the deletion of their personal data.

These rights are known as Individual Rights under the Data Protection Act 2018.  The following list details these rights:

  • the right to be informed about the personal data being processed
  • the right of access to your personal data
  • the right of rectification of your personal data
  • the right to erasure of your personal data
  • the right to restrict processing of your personal data
  • the right to data portability (to receive an electronic copy of your personal data)
  • the right to object to your personal data being processed
  • the right not to be subject to automated decision-making, including profiling

Individuals can exercise their Individual Rights at any time.  As mandated by law, we will not charge a fee to process these requests; however, if your request is considered repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee.

Data Retention

The retaining of data is necessary where required for contractual, legal or regulatory purposes, or for our legitimate business interests and marketing purposes.  We will not keep data any longer than is required for the purpose for which it was collected.

Your records/consultation cards shall be kept for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept for at least 7 years after they reach the age of maturity (18).  This we will also adhere to.

You can opt out of receiving marketing services by e-mailing info@crowstonecomplementaryclinic.co.uk or clicking ‘unsubscribe’ on the marketing e-mail.  Please contact our Data Privacy Representative at info@crowstonecomplementaryclinic.co.uk if you object to the use of, or have any questions relating to the use or retention of, your personal data.

International Transfers of Personal Data

We will not transfer any personal data Internationally.

How We Hold Your Personal Data

All paper consultation cards are kept locked away at all times. Your details will be kept for 7 years to comply with our ‘Therapy Insurance’ policy guidelines.

We only record your name, contact telephone number, e-mail and gender on our electronic diary system.

We only send marketing/promotional material via e-mail.  We will not send you any marketing material without your prior consent.  Even if you have asked to receive marketing material, you have the right to ‘opt out’ at any time either by contacting us at info@crowstonecomplementaryclinic.co.uk or clicking ‘unsubscribe’ on the marketing e-mails.  We will post offers/marketing on our Facebook page.  If you no longer wish to see these offers/marketing, you will need to remove yourself via your own personal Facebook page.

Request For Information Held By Us On You

You can apply to us in writing to Crowstone Complementary Clinic Ltd, Rear of 516 London Road, Westcliff On Sea, Essex, SS0 9LD.  We will respond to you within one month from the date of receipt of your request.  There will be no charge for this unless your request is considered to be repetitive, wholly unfounded and/or excessive, whereby we will charge £30.00 for administration purposes.

Protecting Your Data

We will take all appropriate technical and organisational steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data within our group of therapists.

We store your Consultation Record/Health Questionnaire on paper, which is locked away at all times and does not leave our premises.  The only information we hold on our computer, which contains your personal data, is on our electronic diary system which contains your name, telephone number, e-mail address and gender.  We have ensured our electronic records are held securely and with appropriate environmental controls and higher levels of security around special categories of personal data.  Crowstone Complementary Clinic has a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.

Disposal of Data

We are required by law to keep some data for some time after you are no longer a client here.  We have a review plan in place to ensure that any data is disposed of appropriately and securely.

Suspected Data Breach

If we suspect that data has been accessed unlawfully, we will inform the relevant parties immediately and report the breach to the Information Commissioner’s Office within 72 hours, if we believe the breach is likely to result in the rights and freedom of individuals being compromised – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.  We will keep a record of any data breach.

Data Privacy Representative

To ensure data privacy and protection has appropriate focus within our organisation we have a Data Privacy Representative, Tracy Cocks, who can be contacted at: info@crowstonecomplementaryclinic.co.uk

We have registered with the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Complaints

If you are dissatisfied with any aspect of the way in which we process your personal data, please contact our Data Privacy Representative.  You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO).  The ICO may be contacted via its website which is https://ICO.org.uk/concerns/ or by calling their helpline on 0303 123 1113.

How To Contact Us

If you have any questions regarding this Notice, the use of your data and your Individual Rights, please contact our Data Privacy Representative at Crowstone Complementary Clinic Ltd, Rear of 516 London Road, Westcliff On Sea, Essex, SS0 9LD, or by telephoning 01702 826390.

Changes To This Policy

This policy may be changed or amended at our absolute discretion, so you should review it from time to time so you are aware of any changes that have taken place.  Any changes will be posted here, on our website.

GDPR Version April 2018