This notice is to explain why I
collect your personal data, and what I do with it, and to ensure I am working
in accordance with the new EU General Data Protection Regulation (GDPR); terms
from the regulation are indicated in bold. When you supply your personal details
to me, when we communicate by email, and when I take notes in the clinic, this
information is stored and processed for four reasons in line with the GDPR:
1. I need to collect personal
information about your health in order to provide you with the best possible
treatment. Your requesting treatment and our agreement to provide that care
constitutes in law an (unwritten) contract.
2. I have a legitimate interest in collecting that information, because without
it I couldn’t practice acupuncture effectively and safely.
3. I keep records of your contact
information because I think that it is important that I can contact you in
order to confirm your appointments with me or to update you on matters related
to your medical care. This again constitutes a legitimate interest, but this time it is your legitimate interest.
4. Provided I have your consent (and this only needs to be
verbal consent), I may occasionally send you individualised health information
by email in the form of articles or advice. I will not send out generalised
leaflets or advertisements. You may withdraw this consent at any time – just
let me know by any convenient method.
I have a legal obligation to retain your records for 8 years after your most
recent appointment (or after you have reached age 25, if this is longer), but
after this period you can ask me to delete your records if you wish. Otherwise,
I will retain your records indefinitely in order that I can provide you with
the best possible care should you wish to see me at some future date.
Your clinical records are stored only
on paper, in individual paper files, and in a secure cabinet in my home. They
are not left overnight in the clinic. Your emails are stored in an online
file within my Hotmail email program
which is password protected. This program has a very good track record in terms
of security, and thus carries a low risk of being vulnerable to a security
breach. I am the only person who has access to
your records, invoice files and emails. I will never share your information
with anyone who does not have a legal right of access without your written consent.
You have the right to see what
personal data of yours I hold, and you can also ask me to correct any factual
errors. I am legally required to respond to any request from a client to see their
personal data within a timescale of 30 days. However, I would ensure that I
responded as soon as I possibly could to any reasonable request for access to
personal records.
In the event that anything should happen to me which would render me unable
to oversee your records, then, and only in this event, I have entrusted the
handling of my clinical records to a colleague who is also an acupuncturist.
I want you to be absolutely confident
that I am treating your personal data responsibly, and that I will do
everything I can to make sure that the only people who can access that data
have a genuine need to do so.
case of my practice this would most likely apply in the situation of me needing
to make a referral to another health professional. Of course, if you feel that I am
mishandling your personal data in some way, you have the right to complain. Please
first raise your concern with me, as I hope very much I will be able to deal with
any concerns you might have. However, you can also raise a concern directly
with the Information Commissioner’s Office on https://ico.org.uk/concerns/
Bennett May 2018