What we store and why
When you supply your personal details to this clinic they are stored and processed for 4 reasons (the bits in bold are the relevant terms used in the Data Protection Act 2018, which includes the General Data Protection Regulation – i.e. the law):
1. We need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide treatment.
2. We have a “Legitimate Interest” in collecting that information, because without it we couldn’t do our job effectively and safely.
3. We also think that it is important that we can contact you in order to confirm your appointments with us or to update you on matters related to your medical care. This again constitutes “Legitimate Interest”, but this time it is your legitimate interest.
4. Provided we have your consent, we may occasionally send you general health information in the form of articles, advice or newsletters. You may withdraw this consent at any time – just let us know by any convenient method.
How long we store your data
We keep your personal data for no longer than reasonably necessary.
We keep patient records for a period of 7 years (or until age 25, if this is longer) in accordance with the British Acupuncture Code of Professional Conduct https://www.acupuncture.org.uk/public-content/effective-practice/bacc-professional-codes.html
After this period you can ask us to delete your records if you wish. Otherwise, we will retain your records indefinitely in order that we can provide you with the best possible care should you need to see us at some future date.
At any time you may request that changes are made to your contact details.
How we store your data
Paper records are stored in locked filing cabinets, and the premises are always locked when I am not around.
Electronic records are stored on Google. This provider has given us their assurances that they are fully compliant with the General Data Protection Regulation. Access to this data requires 2-step password authentication.
My computer (which has no medical records on it) is password-protected with a 60-second screen lock and is backed up regularly. My phone, which has access to my emails and bookings, is password-protected and has a 30-second screen lock.
Sharing your personal data
Your personal data will be treated as strictly confidential, and will only be shared in specific circumstances:
- With named third parties with your explicit consent
- With research partners with your explicit consent. This data will be anonymised and thus unidentifiable.
- With the relevant authority such as the police or a court, if necessary for compliance with a legal obligation to which I am subject e.g. a court order
- With your doctor or the police if necessary to protect your or another person’s life
- With the police or a local authority for the purpose of safeguarding a child or vulnerable adult
- With my regulatory body, the British Acupuncture Council, or my insurance company in the event of a complaint or insurance claim being brought against me
- With my solicitor in the event of any investigation or legal proceedings being brought against me.
I use Bookly for making online bookings and Mailchimp for my newsletter. These hold personal information. I use Google for storing personal and sensitive information. For their respective privacy policies please use the links below.
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. Provided the legal minimum period has elapsed, you can also ask us to erase your records.
Of course, if you feel that we are mishandling your personal data in some way, you have the right to complain. Complaints need to be sent to the “Data Controller”. Here are the details you need for that:
Joe Jennings – [email protected]
If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/