This data protection policy is designed to ensure that the rights to privacy of individuals are protected. We are committed to the principles set out in the General Data Protection Regulation (GDPR) and aim to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected.
The policy describes how I manage your information when you use the services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or with other online presence (such as Facebook or Twitter). In respect of cookies the policy includes information about the types of cookies used and how you may disable these cookies.
I will use the information collected in accordance with all the laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws I (Dr Kirsty Kennedy) am the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processer, who they are, what they are doing with your data and why we need to provide them with the information.
If your questions are not fully answered by this policy, please contact me. If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO) via https://ico.org.uk. My ICO certification number is ZA111843.
Why do we need to collect your personal data?
We need to collect information about you so that we can:
Know who you are so that I can communicate with you in a personal way. The legal basis for this is a legitimate interest.
Deliver goods and services to you. The legal basis for this is the contract with you.
Process your payment for the goods and services. The legal basis for this is the contract with you.
Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
Optimise your experience on our website. The legal basis for this is a legitimate interest.
Provide you with a useful and relevant website. The legal basis for this is a legitimate interest.
2. What personal information do we collect and when do we collect it?
For me to provide you with a service, I need to collect the following information:
Your contact details including a postal address, telephone number(s) and electronic contact such as email address.
Your health insurance details
Your date of birth
Personal data in invoices and copy receipts, accounting records, tax and VAT returns and related information.
I will collect this information directly from you.
With your consent, I may also collect information about you from from third parties; from another health professional (e.g. GP) or health insurance company to provide a complete health assessment. This may include sensitive personal information.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
To communicate with you so that I can inform you about your appointments with me, I will collect personally identifying information such as your name, your contact details such as your telephone number, email address or postal address
To deliver the correct service to you I use your name, your contact details and may use information from third parties, such as referral from GP or insurance companies
To create your invoice using our accounting package I use your name and email address and health insurance identifiers where appropriate.
To create invoices for health insurance companies I will pseudonymise data to send by email using your coded identifier provided by the company, or by online encrypted system where this is provided.
I may take payment by credit/debit card using a registered provider. I will not have access to your bank details.
To optimize my website so that users can find the information they need
4. Where do we keep the information?
I keep information in the stores described below. Please note that I do not store your payment card details in any system; these are passed through the payment provider (Sum up)
4.1 On the company computers
I do not store any documents that contain personally identifiable information on the computer hard drive.
I may use an app to map out our work together when we meet. This will be stored in a pseudonymised state on a password protected ipad. If I share these with you via email I will send them as a password protected PDF document.
With your written consent I may record our meeting (video [of myself only] or audio) for CPD purposes. These will be kept on password protected mobile device and shared with relevant persons via dropbox. They will be deleted as soon as practically possible.
4.2 On an electronic notekeeping system
I will take notes when I meet with you on paper or electronically. From May 2018 all my clinical notes and personally identifiable information are uploaded into an encrypted, cloud based package (WriteUpp) designed as a specialist system for confidential notes and holding full GDPR compliance. The company are classified as an additional data processor. Any process notes that have been made on paper are shredded following their upload to WriteUpp.
4.3 In our accounts package
We use a cloud based accounts package (Quickfile) that stores the information in the UK and has stated they are GDPR compliant. I have an accountant who is classified as an additional data processor and who has access to the online book-keeping accounts for accounting purposes. He keeps no physical storage of personally identifiable records and has stated his processes are GDPR compliant.
4.4 Physical Storage
Archived paper notes (from before electronic notekeeping was commenced) are kept in the locked filing cabinet.
5. How long do we keep the information?
The electronic accounts package keeps financial data/invoices indefinitely. We will manually delete the records after the period of 7 years required by HMRC.
I will keep your electronic health records for 7 years in line with legal and professional requirements.
6. Who do I send the information to?
I will only send information necessary to achieve business purposes.
I send invoices and reports to health insurance companies and other professionals as required professionally and abide by confidentiality as stated on my terms and conditions.
Invoices to health insurance companies are sent electronically and pseudonymised with company codes. Where this is not possible or practical all documents are password protected.
Cloud storage providers will have information shared with them in compliance with GDPR.
Information is shared to the degree necessary for accounting and tax purposes.
Special category data is encrypted before it is shared.
Routine emails between us are deleted as soon as possible. Any documentation that is relevant for clinical files is uploaded to Writeupp and deleted from email.
I am required to abide by professional terms and conditions which state exceptions to confidentiality as outlined in my terms and conditions (e.g. if your health is in jeopardy, with your agreement, I may share information with a mental health crisis team). In addition, if I become aware of your intent to cause harm to another person, the law may require me to inform the relevant authorities without seeking your prior permission.
7. How can I see all the information you have about me?
You can make a subject access request to me. This does not need to be in writing and may be made in person or by phone. I may require further additional verification that you are who you say you are to process this request. We may withhold personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.
8. What if my information is incorrect or I wish to be removed from your system?
Please contact me. I may require additional verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same formal as the subject access request in section 7.
9. How can I have my information removed?
If you want to have your data removed I will have to determine whether I need to keep the data, for example to comply with professional bodies or HMRC. If I decide that I should delete the data, I will do so without undue delay.
10. Will I send emails and text messages to you?
As part of providing a service to you I may communicate via email, keeping the information in the body of the text to a minimum. Any reports with personally identifying or sensitive information that I send to you will be password protected. All emails are deleted as soon as practically possible.
11. How do I opt out of receiving emails and/or text messages?
If you do not wish to receive information through these means, please let me know.
12. What happens in the event of a data breach?
The data protection lead is responsible for responding to personal data breaches. He or she notifies the ICO as necessary and also data subjects where the risk to them is high.
Breaches which carry any risk to data subjects must be reported to the ICO within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again.
All personal data breaches, however minor, and whether reportable or not are recorded.
13. Complaints or queries
If you are not satisfied with our response to complaints or queries you can raise a complaint with the Information Commissioner’s Office (ICO)
Contact information ICO:
Telephone: 0303 1231113
Appendix 1: Cookies
1 What is a cookie?
A cookie is a small amount of data stored on a computer that contains information about the internet pages that have been viewed from that computer. They are commonplace on the internet and are used by websites to improve the user’s online experience by storing information about how the user navigated around and interacted with it. This information is then read by the website on the next occasion that the user visits.
Cookies are sent automatically by websites as they are viewed, but in order to protect a user’s privacy, a computer will only permit a website to access the cookies it has sent, and not the cookies sent by other sites. Furthermore, users can adjust the settings on their computer to restrict the number of cookies that it accepts, or notify them each time a cookie is sent. This should improve privacy and security but will generally meant that certain personalized services cannot be provided, and it may therefore prevent the user from taking full advantage of a website’s features.
For further information about cookies please visit www.aboutcookies.org
2. What sort of cookies do we use on our website?
We use two types of cookies: session cookies and stored cookies.
Session cookies expire at the end of the user’s browser session and can also expire after the session has been inactive for a specified length or time, usually 20 minutes. Session cookies are stored in the computer’s memory and are automatically deleted from the user’s computer when the browser is closed.
Stored cookies are stored on the user’s computer and are not deleted when the browser is closed. Stored cookies can retain user preferences for a particular website, allowing those preferences to be used in future browsing sessions.
They gather information regarding the visitors to our website on our behalf using cookies, allowing us to understand the amount of traffic to the website and whether they are returning visitors. We do not pass any information to a third party.
4. Can I browse your website without receiving any cookies?
Yes, if you have set your computer to reject cookies, you can still browse the website. However, certain functions may not be available to you unless you enable cookies.
5. How can I find and control cookies?
You can usually adjust for yourself the number of cookies that your computer (or other device, such as a mobile phone) receives. How this is done, however, varies according to which device and what browser software you are using.
As a general rule, the more commonly used web browser software packages ten to have a drop-down menu entitled ‘Tools’. One of the options on this menu is usually ‘Options’ – and if this is selected, ‘Privacy’ is usually one of the settings that may be adjusted by the user. In the case of any device other than a PC (egg and mobile phone) you should always refer to the manufacturer’s instructions.
Alternatively, you may wish to opt-out from only the cookies used by third-party companies (acting on our behalf) to measure the traffic to our site. This has the advantage of leaving other cookies in place, thereby minimizing the loss of functionality associated with blocking all cookies.
You may find the following websites useful for information on how to change cookie settings in a range of commonly used browsers: