GDPR (General Data Protection Regulation) Privacy Notice
Danielle Croft Trading as Banbury Acupuncture & Massage Clinic
Who has this notice been written by?
Myself, Danielle Croft, the Data Controller for my business Banbury Acupuncture & Massage Clinic.
Who does this apply to?
This GDPR document applies to current, prospective, and past patients/clients.
What data is being collected, for what purpose, and how is it processed? (Processing can mean: collecting, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing, and destroying data)
1) Your name, date of birth, address, phone number, email address.
If you have received a treatment from me, this information will be kept in your patient file. This is a paper based file which is kept in my filing cabinet. Your name, date of birth, address, phone number, and email address will also be held electronically in my email contacts directory.
I keep your name and date of birth for identification purposes. I keep your contact details in case I need to contact you. Also, it is a stipulation of my membership body, the British Acupuncture Council (BAcC), to have a contacts directory separate from your patient file. I ask for your address initially so that I can send you a registration form in the post.
Your name and phone number will be stored in my mobile phone contacts. If you use email to contact me, your email address will also be stored in my mobile phone contacts. I keep this information on my phone so that I am able to make and rearrange appointments with you easily, and so that I can send you a courtesy appointment reminder text or email the day before your appointment if you are happy for me to do so.
My mobile phone and email account are password protected. I am the only person who has access to this information and to your paper patient file. Whilst I take all possible precautions to protect your personal data, I cannot guarantee its security 100%.
2) Messages via text, email or Facebook Messenger
If you choose to contact me via text, email or Facebook Messenger these messages are held on my mobile phone device until they are no longer needed. Messages about your health or about booking initial appointments are normally deleted after you have been for your first treatment. In the case of general appointment booking messages, I keep these for longer, normally two months, as they are helpful to double check arrangements we have made. My Facebook messages are password protected.
Please note, texts, emails, and Facebook messages are not encrypted. They may not be protected in ‘transit’, which means that in theory they can be read at any of the servers they pass through; accessed by hacking; or ‘read’ by software.
3) Dates of your appointments in a diary
I keep a permanent attendance register of your appointment dates (paper diary) and an electronic web based version of the same as a back up. Dates of treatment are also recorded in your patient file.
I need to keep this information in case of civil litigation, to provide evidence in case of criminal prosecution, insurance claim, or complaint about myself. I also need the information for my own accounting purposes; however, your name and details are not passed on to my accountant. Treatment dates are also kept to help with my treatment planning.
4) Information about you and your health and the treatment I’ve given to you
Depending on whether you visit for massage or acupuncture (or both), I may record in your patient file: your health complaints (your own words and my own findings); your medical history; other health complaints you tell me about; my own observations about your posture, range of movement, signs of dysfunction and imbalance, and traditional acupuncture diagnostics; family medical history; emotional health; your diet and fluid intake; other aspects of your health we talk about; what you tell me about your personality; information about your lifestyle and wellbeing; medication and supplements you take. I record treatment planning strategy and the treatment you’ve had at each visit, as well as decisions made about your treatment in conjunction with you and your consent to treatment (or guardian if under 18). I record any advice I have given you.
I use this information to: plan effective and appropriate treatments, to make sure my treatments are safe for you, to be able to assess changes in your health and complaints, to be able to make a traditional acupuncture diagnosis.
I also need to keep this information in case of civil litigation, to provide evidence in case of criminal prosecution, insurance claim, or complaint.
Your patient file is a paper-based file which is kept in my filing cabinet.
5) I hold your GP’s name and address in your patient file in the event that I need to contact them in an emergency or if I deem you to be at risk of serious harm to yourself or others. In this case I would also speak to the British Acupuncture Council and the relevant authorities and would be required to pass on confidential information to them.
6) The name and number of your emergency contact is recorded in your patient file in case I need to contact them in an emergency, for example if you become ill during a treatment.
7) Records of accidents, injuries, notifiable diseases and dangerous occurrences, and adverse incidents
I keep a record of accidents that happen at my clinic to comply with the law and UK health and safety legislation. I report and record accidents, injuries, notifiable diseases, and dangerous occurrences in accordance with RIDDOR (Reporting of Injuries, Diseases, and Dangerous Occurrences Regulations 2013). Records of adverse incidents will be kept and reported to the British Acupuncture Council. I have to keep these records in case of civil litigation, to provide evidence in case of criminal prosecution, insurance claim, or complaint.
8) Complaint File
In the event of a complaint made about me I may need to provide personal information about you in relation to the complaint to the British Acupuncture Council and my insurance company. This would be in the form of a file containing details of the complaint and will be held for 2 years after closure.
9) Your name and email address on Mailchimp if you sign up to my newsletter
If you sign up to my newsletter via the mailchimp.com link, I am notified by Mailchimp. Your name and email address will be accessible to me in my Mailchimp contacts list as well as information about whether you have opened an email newsletter. For information on Mailchimp’s privacy and security see
How long is data held for?
I keep your patient file for 7 years after your last appointment, or if you were under 18, until you turn 25. This is the requirement of the British Acupuncture Council. It is also useful for continuation of care so I can see what treatments you have had with me previously. After this time your file is destroyed via confidential paper shredding.
Sharing your personal data
Your data (information about you, your patient file, and things you have told me in your treatment) will be treated as strictly private and confidential.
I do not share your data with others for the purposes of marketing.
I will only share your data with:
Named third parties with your explicit consent (for example another health practitioner you are having treatment with or your GP)
The relevant authorities if necessary to comply with legal obligation i.e. the police
Your doctor or the police if you are at risk of serious harm or are at risk of harming others
The police or local authority for the purpose of safeguarding children or vulnerable adults
My regulatory body, the British Acupuncture Council, or my insurance company in the event of a complaint or insurance claim made against me.
My solicitor in the event of legal proceedings against me.
You have the right to request a copy of the personal data I hold about you.
You have the right to request I update any personal data that is inaccurate or out of date.
You have the right to request your personal data is erased where it is no longer necessary for me to retain such data.
You have the right to withdraw your consent to processing at any time, unless in the case of processing the data for a lawful purpose (for example I need to keep a record of your patient file).
You have the right to be informed if your data is lost. I will also inform the Information Commissioner’s Office in this event.
You have the right to lodge a complaint with the Information Commissioner’s Office (see ).
If you would like to contact me with any queries relating to GDPR please call or email me.