I am committed to protecting and respecting your privacy.
This Policy explains when and why I collect personal information, how it is used, the conditions under which it may be disclosed to others and how it is kept it secure.
I may change this Policy from time to time so please check this page occasionally to ensure that you are happy with any changes. Any significant changes will be notified to my clients directly.
Who am I?
My name is Neil Smith MFHT, and I operate my business – Neil Smith Body Therapies – working at Queen Street Consulting Rooms in Ulverston, Cumbria. I occasionally provide treatments away from Queen Street Consulting Rooms.
This policy has been drawn up to comply with the General Data Protection Regulation (GDPR).
What data do I hold?
Paper data:
Clients provide their name, address, phone number, date of birth, registered GP, and information about their current situation and medical history at the start of their first treatment. This information is confidential, and is recorded on paper only, and stored in a locked filing cabinet in my home that only I have access to. Client notes are carried to and from treatments in a locked bag.
Clients do not have to provide this information, but I am unable to offer any treatment without this information being provided, because it is necessary for me to know and understand a client’s current situation and medical history in order for me to provide treatment. I am required to record this information to ensure I give clients the best possible care, and for insurance and legal purposes. When a client begins a course of treatment, they must confirm their understanding that their information will be used in this way.
A client appointment diary is kept in a locked drawer in Reception at Queen Street Consulting Rooms detailing the name and contact telephone number for each client booked in. These contact details allow me and Reception staff at Queen Street Consulting Rooms to contact clients to manage their appointment(s). This contact information will only be used for such purposes unless the client separately consents for me to be able to contact them for marketing purposes.
I hold a duplicate copy of the client appointment sheet which is stored securely with the client notes (see above).
Electronic data
I receive emails, Facebook messages and Tweets from businesses and individuals, which as well as the sender’s addresses may contain other personal information or very rarely medial information. My laptop computer is protected with a strong password which is regularly changed, and I have two stage password protection on my Facebook and Twitter accounts, for which the passwords are also strong and regularly changed. The computer hard drive is encrypted.
My website is hosted by Furness Internet, and uses a WordPress-based Content Management System. WordPress uses cookies (small files placed by the website onto a visitor’s computer) to help track usage, but visitors to my website can choose to set their browser to refuse cookies before using the website. Certain features may not function properly if cookies are disabled.
WordPress, Facebook and Twitter have updated their Privacy Statements in line with the requirements of GDPR. It is not a requirement for you to use my website, Facebook or Twitter to contact me.
Callers’ numbers to my mobile phone are not stored into my contacts unless the sender becomes a client. The phone is protected with a long passcode and a fingerprint lock.
What is the lawful basis for processing data?
The lawful basis for me processing data to deliver treatments is the common law contract that clients enter into with me when they buy the treatment from me. By agreeing to a course of treatment, clients are asked to agree that I will process their medical and personal information to deliver the best care I can, and to allow me contact them about their treatment(s).
I require a separate consent to use a client’s contact details to make them aware of new services, special offers, etc. that I may have from time to time. Clients do not have to consent to this to be able to undertake a course of treatment.
Client medical information is classed as Special Category Data under GDPR because of its sensitivity. Condition (h) of Article 9 of the GDPR allows the processing of data for healthcare.
Who do I share data with?
My client notes are not shared with anyone unless either there is a benefit to the client from passing information to any other healthcare professional, and then only with the express written permission of the client.
The only other circumstance in which I would share information would be if I become aware of a safeguarding risk (i.e. a risk of death or serious harm to a client, myself or others) in which case relevant information would be disclosed only to the proper authorities, in line with the Federation of Holistic Therapists’ Code of Conduct.
As detailed above, a client’s name and phone number is recorded on the appointments diary which is kept in a locked drawer at Queen Street Consulting Rooms. This is shared with the Receptionists and other therapists who may take calls when reception is closed, only for the purpose of administering appointments.
I will not pass a client’s name and phone number on to any other third party, for any reason. All Receptionists and practitioners at Queen Street Consulting Rooms have made a similar undertaking.
No personal information will be passed to Her Majesty’s Revenue and Customs when I submit paperwork for tax return purposes.
I do not profile my clients or anyone else contacting my business.
Any client who is a child must, under the Federation of Holistic Therapists’ Code of Conduct, be accompanied by a parent/guardian during all treatments. The parent/guardian is required to give consent on behalf of the child for treatment to go ahead, and this permission includes the processing of information about that client as detailed above.
As part of the operation of my website, along with Facebook, Twitter and email, information provided electronically may be transferred to countries outside the European Union if the computer servers used to handle this data transfer are located outside the EU. By submitting personal data electronically, you agree to this possible transfer outside the EU. I only use services which are committed to the requirements of the GDPR.
How long do I keep data for?
All client notes are kept for 10 years after the date of the last appointment, in line with the requirements of my membership body, the Federation of Holistic Therapists (FHT), and my insurer Hiscox (which provides insurance for FHT Members). Records will be kept indefinitely if there has been an adverse reaction during or after a treatment. Records for clients who are children when they are treated will be kept for 10 years after they reach adulthood.
Pages in the client appointments diary held at Reception at Queen Street Consulting rooms are kept for 12 months after use, in line with the Queen Street Consulting Rooms Privacy Policy (see Appendix 1 below).
All old client records and appointments diary sheets that are ready for disposal will be shredded in such a way that preserves confidentiality.
What rights do you have regarding the information I hold?
All clients have the right to inspect the notes I hold about them, and to request changes. Any request should be made in writing to:
Neil Smith Body Therapies
Queen Street Consulting Rooms
7 Queen Street
ULVERSTON
LA12 7AF
Under GDPR I must respond to such a request within one month, and there will not be a charge for this service unless the request is “manifestly unfounded or excessive”.
If anyone is unhappy with my response to their request, or if they have any other concerns about how I handle their information, they have the right to raise their concerns with the Information Commissioner’s Office.
This policy was last updated on Sunday, 13 May 2018.
Appendix 1 – Queen Street Consulting Rooms Privacy Policy
At Queen Street Consulting Rooms we are committed to respecting your privacy and protecting the information we hold.
The data that we hold consists of your name, address and telephone number that you have given to us at the time of making an enquiry or booking an appointment. This is done either in person with one of our receptionists or practitioners or over the phone.
This information is hand written into our log of phone calls or enquiries and kept in reception. It is also written in an appointment diary. This is only accessible by reception or by practitioners working at Queen Street Consulting Rooms.
If a receptionist feels that they need advice as to best help you with your enquiry then, with your permission, they may share your information with a relevant practitioner. Everyone working at Queen Street Consulting Rooms is bound by our Code of Conduct to respect your confidentiality.
We work to ensure that the data we hold is accurate by asking for clarification on spelling of names and repeating back any phone numbers for confirmation that they are correct. When our receptionists are not working this information is stored in a locked cabinet.
This information is kept for a maximum of one year so that we are able to contact you should we need to cancel or rearrange an appointment, or to follow up on any outstanding queries from yourself. At the end of the period of storage the paper is shredded.
All of the information held at Queen Street Consulting Rooms is paper based. We have no electronic records, no online enquiries and we do not monitor any traffic to our website. Our website is purely for information only.
All practitioners working at Queen Street Consulting rooms work on a self-employed basis and are not employed by Queen Street Consulting Rooms. As such they are required by law to each have a privacy policy in place as to how they handle your personal data including any medical records.
If you believe that the information that we process on you is incorrect you can request to see this information and have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data you can contact us by phone or in writing to have the matter investigated.
If you are not satisfied by our response, or if you believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office.