1. WHAT DATA DO WE COLLECT ABOUT YOU?
Personal data means any information capable of identifying an individual. It does not include anonymised data.
I may process certain types of personal data about you as follows:
- Identity Data – This may include your first name, maiden name, last name, username, marital status, title, date of birth and gender.
- Contact Data – This may include your billing address, delivery address, email address and telephone numbers.
- Transaction Data – This may include details about payments and other details of purchases I order on your behalf.
- Sensitive Data
As I provide a healthcare service, I need to collect the following sensitive data about you in order to deliver the services of a Natural Medicine Practitioner:
Name, address, information about your health, diet and lifestyle, supplement and medicine details, biochemical test results, clinic notes and health improvement plans.
I may obtain sensitive medical information in the form of test results from biochemical testing laboratories. This would only be done with your express consent and is a service you would need to order through me. I use this information in order to provide you with direct healthcare. This means that the legal basis for my holding your personal data is legitimate interest.
Where I am required to collect personal data by law, or under the terms of the engagement between us and you do not provide me with that data when requested, I may not be able to perform the service (for example, to deliver goods or services to you). If you don’t provide me with the requested data, I may have to cancel a product or service you have ordered but if I do, I will notify you at the time.
Following completion of your healthcare with me, I will retain your personal data for the period defined by my professional associations, the NNA and NIMH. This enables me to process any complaint you may make. In this case, the legal basis for my holding your personal data is contract administration.
2. HOW I COLLECT YOUR PERSONAL DATA
You provide me with personal data in the following ways:
- By completing a medical history and functional medicine questionnaire
- By completing and signing a contact details / terms of engagement form
- During a Natural Medicine consultation
- Through email, over the telephone or by post
People who email me
I use standard email software to send and receive emails. If you send personal information to me via email, it will be stored in my email system for as long as I need access to it. I monitor any emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
People who use my services
I offer one-to-one consultations in person at my clinic and via telephone.
I collect personal, medical and other information to enable me to provide my services. Data is collected using handwritten notes which are securely stored in lockable filing cabinets within the clinic room. The long-term storage of past clients' notes is in a cabinet in a locked storage room.
Data such as private medical test results may also be stored on the hard drive of computers used by me. These computers are password protected and only I have access to them.
In accordance with my professional insurance policy, I hold patient records for 8 years from the date of the patient’s last visit with me, or where the patient is a child, until their 25th birthday if that is longer. Once a record passes the relevant regulatory time limit, it will be securely destroyed within 1 year.
3. HOW I USE YOUR PERSONAL DATA
I act as a data controller for use of your personal data to provide direct healthcare. I also act as a controller and processor in regard to the processing of your data from third parties such as testing laboratories and other healthcare providers.
I undertake at all times to protect your personal data, including any health and contact details, in a manner which is consistent with my duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection. I will also take reasonable security measures to protect the storage of your personal data.
I may use your personal data where there is an overriding public interest in using the information, for example in order to safeguard an individual or to prevent a serious crime, or where there is a legal requirement such as a formal court order.
I do not use your data for sales promotions or newsletters, but may, on rare occasions, use your email to contact you about information pertaining to your particular health interests, or to inform you about any change in the regulation of Natural Medicines or my professional status that affects my ability to supply you with my normal service.
4. DO YOU SHARE MY INFORMATION WITH OTHER ORGANISATIONS?
I will keep information about you confidential. I will only disclose your information to third parties with your express consent, with the exception of the following categories of third parties:
- My professional associations, NNA and NIMH for the processing of a complaint made by you.
- Any legal or crime prevention agencies, and/or to satisfy any regulatory requirement, if I have a duty to do so or if the law allows me to do so.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other relevant jurisdictions who require reporting of processing activities in certain circumstances.
If you would like to undergo private testing, I may share your identity and contact data with third-party biochemical testing laboratories so that the testing can be completed. This can only be done with your explicit consent. I will not include any sensitive information.
I will always seek your express consent before sharing your information with your GP or other healthcare providers. However, if I believe that your life is in danger then I may pass your information on to an appropriate authority (such as the police, social services in the case of a child or vulnerable adult, or your GP in the case of self-harm) using the legal basis of vital interests.
I may share your case history in an anonymised form with my peers for the purpose of professional development. This may be at clinical supervision meetings, conferences or through online forums.
5. WHAT ARE YOUR RIGHTS?
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data, where I am not required to retain it by law or in accordance with the NNA and NIMH professional insurance guidelines.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Withdraw consent.
You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
To exercise any of these rights, please email me at firstname.lastname@example.org
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, I may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, I may refuse to comply with your request in these circumstances.
I may need to request specific information from you to help me confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. I may also contact you to ask you for further information in relation to your request to speed up my response.
I try to respond to all legitimate requests within one month. Occasionally it may take me longer than a month if your request is particularly complex or you have made a number of requests. In this case, I will notify you and keep you updated.
6. WHAT SAFEGUARDS ARE IN PLACE TO ENSURE DATA THAT IDENTIFIES ME IS SECURE?
I only use the information that I have relating to you in accordance with GDPR. This requires me to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
Within the health sector, I also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. I will protect your information and allow you to decide if and how your information can be shared.
I also ensure that the information I hold is kept in secure locations, restrict access to it to authorised personnel only, and protect personal and confidential information held on equipment such as laptops and computers.