Privacy Notice
This notice is to explain why I (Charlotte Conwy) collect your personal data, and what I do with it, and to ensure I am working in accordance with the EU General Protection Data Regulation (GDPR); terms from the regulation are highlighted in bold.
When you supply your personal details to me, when I communicate by email, or take notes in the clinic, this information is stored and processed for four reasons in line with the GDPR requirements.
- I need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes in law an (unwritten) contract.
- I have a legitimate interest in collecting that information, because without it I couldn’t practice acupuncture effectively and safely.
- I keep records of your contact information because I think it is important that I can contact you in order to arrange / confirm your appointment or update you on matters related to your medical care. This again constitutes a legitimate interest, but this time it is your legitimate interest.
- Provided I have your consent, (and this only needs to be verbal consent), I may occasionally send you individualised health information by email in the form of articles or advice. You may withdraw this consent at any time – just let me know by any convenient method. I will not send out generalised leaflets or advertisements, unless you have opted in to my mailing list. If you have opted in, you can unsubscribe at any time.
I have a professional obligation to retain your records for 8 years after your most recent appointment (or after you have reached age 25, if this is longer), but after this period you can ask me to delete your records if you wish. Otherwise, I will retain your records indefinitely in order that we can provide you with the best possible care should you wish to see me at some future date.
Your clinical records are stored in GDPR compliant cloud based system. All client data is encrypted in transit and at rest and is not stored on user devices. Sensitive data is encrypted at field level and uses an advanced identity and key management system that ensures secure and managed access to data.
Your emails are stored in an online file within my email programme which is password protected. I also keep a file on my password protected computer at home which stores the invoices which I send out to those people that request them. These invoices mostly record dates of acupuncture appointments and names of clients. These documents are not seen by accountants and are usually sent so that clients are able to claim fees on insurance.
I am the only person who has access to your records, invoice files and emails. I will never share your information with anyone who does not have legal right of access without your written consent.
In the event that something should happen to me which would render me unable to oversee your records, then, and only in this event, I will authorize my personal representative to transfer any data concerning you to another acupuncture practitioner whom you have decided to be treated by. In the event of my death, if you do not give written permission for the transfer of records to another acupuncturist of your choice within three months, my personal representative will securely destroy my records concerning you.
I want you to be absolutely confident that I am treating your personal data responsibly and that I will do everything I can to make sure that the only people who can access that data have a genuine need to do so. In the case of my practice this would most likely apply in the situation of me needing to make a referral to another health professional.
Of course, if you feel that I am mishandling your personal data in some way, you have the right to complain. Please first raise your concern with me, as I hope very much I will be able to deal with any concerns you might have. However, you can also raise a concern directly with the Information Commissioner’s Office by clicking here.