YOUR PEACE OF MIND
Rest assured that I am not in the business of selling, renting or trading any personal information (including your email) with any other another person or business for marketing purposes. As is the case with all businesses, it’s important for me to be able to communicate with my clients. The following policy aims to provide a brief outline of how, when and why I may collect and store personal information, what it’s used for, and the limited conditions under which I may disclose this information to other parties.
The Dundee Herbal Clinic needs to gather and use certain information about individuals. These can include clients, suppliers, business contacts, employees and any other people that The Dundee Herbal Clinic has a relationship with, or may need to contact. My data protection policy is designed to:
- Comply with current data protection law and follow good practice
- Be completely open about how I store and processes an individual’s data
- Put in place measures to protect against the risk of data breach
- Protect the rights of any staff, clients, or partners
CURRENT DATA PROTECTION LAW
The Individuals Rights:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision making, including profiling
The Organisations Principles:
- Data is collected, used, and stored:
- In a fair and transparent manner
- Is collected for specific reasons, and only used for those specified reasons
- Is adequate, relevant, and limited to what is necessary
- Is accurate, and kept up-to-date
- Kept in an identifiable form for no longer than necessary
- Held securely to prevent inappropriate access, loss, or disclosure
This policy applies to The Dundee Herbal Clinic, clients, contractors, suppliers, and other people The Dundee Herbal Clinic has a relationship with. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Plus any other information relating to individuals
Wendy Dooner of The Dundee Herbal Clinic is ultimately responsible for ensuring that The Dundee Herbal Clinic meets its legal obligations.
WENDY IS RESPONSIBLE FOR:
- Reviewing all data protection procedures and related policies, in line with the GDPR.
- Handling data protection questions from clients and anyone else covered by this policy.
- Dealing with requests from individuals to see the data that The Dundee Herbal Clinic holds about them.
- Ensuring all systems services and equipment used for storing data meet acceptable security standards.
- Performing regular checks or scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company uses/plans to use to store data.
WHAT DATA DO I COLLECT?
They enable me to:
Estimate my audience size and usage pattern.
Store information about your preferences, thereby allowing me to customise my site according to your individual interests.
Speed up your searches.
Recognise you when you return to my site.
When someone visits The Dundee Herbal Clinic’s website, a third-party service, Google Analytics (GA), collects standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of my site. Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to me. Google Analytics also records your computer’s IP address which could be used to personally identify you but Google does not share this information with me. I do not make any attempt to find out the identities of any individual visiting my website.
QUOTING | BILLING | INVOICING
If you are a past/current client of The Dundee Herbal Clinic and have been invoiced for any work undertaken by myself, then you will have a client profile on my accounting software. This includes your business name, contact name (of the person to correspond with) and email address. It may also include your physical address and telephone number. Absolutely none of this information is shared…EVER.
CONTACT FORMS & EMAILS
The Dundee Herbal Clinic uses contact forms on the website. This feature asks for your name and email address so that I can respond to your message. The information you provide on the contact form goes directly to my email account and is not stored on my website. Absolutely none of this information is shared…EVER.
I use a third-party provider, Mailerlite, as my email software.
PATIENT MEDICAL RECORDS
Clients visiting the clinic for the purposes of a health assessment and herbal / nutritional therapy will be asked to complete a medical intake form for the purposes of communication and ensuring safety in regards to any herbal prescriptions or nutritional advice which may be given. Updates on progress will be recorded on subsequent visits. This form and subsequent records will contain details such as medical prescriptions and personal information about your health (both physical and mental) which falls into the “special category data” section of current GDPR law.
Special category data is any data that includes information about race, ethnic origin, politics, religion, genetics, biometrics, health, sex life or sexual orientation. These records are private and seen only by myself and the patient for the purposes of treatment. In some circumstances (such as in the case of persons who have notifiable communicable diseases or a condition that must be recorded or shared in the interests of public health laws) these records must be shared with a third party who in most instances will be the client’s GP or specialist health care practitioner. If that is the case then the client will be expressly informed. I am duty bound by law to keep such records which must remain on file for a minimum period of 8 years.
At the time of making an initial appointment you will be asked to provide your consent for my keeping these records. Unfortunately, for insurance purposes and in order to fulfill my duty as a registered practitioner, I am unable to provide herbal treatment or nutritional advice to anyone who does not wish to give their consent to the keeping of such records.
ELECTRONIC STORAGE OF PATIENT MEDICAL RECORDS
All patient medical records are stored electronically on an encrypted medical database known as WriteUpp. This platform is fully compliant with current EU GDPR requirements, and is widely used by health professionals for the purpose of managing patient records. This practice management software is protected by bank-grade security and encryption, which means all records, notes and other information is protected to the same level used in banks. All information is stored in securely protected data centres with multiple backups in place. It has strict user access levels which means that records are password protected and can only be accessed by myself or the client (should they make a request to view them.) Writeupp employees do not have access to any patient identifying data but are able to see certain anonymised administrative data such as fees and amounts outstanding on invoices in order to assist practitioners with their queries.
Medical records are stored in a secure data centre located in the European Union in compliance with the GDPR.
Read about WriteUpps privacy policies here: https://www.writeupp.com/privacy-policy/
Although you have the right to both view and amend your medical records (both electronic and paper), you do not have the automatic right to erasure as is the case with other forms of stored data. By law, health care practitioners have a duty of care to keep accurate records of treatment, both for the purpose of the patient’s personal safety and to protect the practitioner. In compliance with my professional liability insurance I have the right to hold these records on file for a minimum of 8 years.
Medical records can be viewed by the client at any time and are stored both in the form of a hard copy (paper file) which is kept under lock and key, and electronically. Formal requests to have medical records kept as a paper version only can be made by sending an email to firstname.lastname@example.org or stating this requirement at the time of your initial appointment. If you are a current client who wishes to view or amend your medical file, you may also do so by sending a formal request to email@example.com I shall endeavour to provide you with access to your files within a time frame of 21 days. Please note that a set administration fee of £15 will be required for this service.
ACCESSING, AMENDING, OR DELETING YOUR PERSONAL INFORMATION
You are entitled to view, amend, or delete any personal information that The Dundee Herbal Clinic holds about you (except in the case of your medical records as outlined above.) To request this, please send an email to firstname.lastname@example.org
Provision of such information will be subject to the payment of a fee (currently fixed at £15.00) and the supply of appropriate evidence of your identity.
I may withhold such personal information to the extent permitted by law. You may instruct me not to process your personal information for marketing purposes by sending an email to me. In practice, you will usually either expressly agree in advance to my use of your personal information for marketing purposes, or I will provide you with an opportunity to opt-out of these marketing communications.
Security of your personal information
The Dundee Herbal Clinic will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. I will store all the personal information you provide on secure (password- and firewall- protected) servers. All electronic transactions you make to, or receive from me, will be encrypted using SSL technology.
Any data stored about you is currently stored in an identifiable fashion; a limitation of the content management system that this website is built on (WordPress). In the near future, I aim to change the storage of this data to a pseudonymous fashion meaning that the data would require additional processing using a separately stored ‘key’ before it could be used to identify an individual.
Pseudonymisation is a recent requirement of the GDPR which many web application developers are currently working to fully implement. I am committed to keeping it as a high priority and will implement it on this website as soon as I am able to.
Of course, data transmission over the internet is inherently insecure, and I cannot guarantee the security of data sent over the internet. If you are a client who wishes to access their electronic medical records you will be responsible for keeping your own password and user details confidential.
In addition, I may disclose your personal information:
To the extent that I am required to do so by law
In connection with any legal proceedings or prospective legal proceedings
In order to establish, exercise or defend my legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)
To the purchaser (or prospective purchaser) of any business or asset that I am (or may in the future) contemplate selling
To any person who I reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in my reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information
I will report any unlawful data breach of this website’s database or the database(s) of any of my third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.
THIRD PARTY WEBSITES
My website contains links to other websites. I am not responsible for the privacy policies or practices of third party websites.
INTERNATIONAL DATA TRANSFERS
In addition, personal information that you submit for publication on the website will be published on the internet and may be available, via the internet, around the world. I cannot prevent the use or misuse of such information by others. You expressly agree to such transfers of personal information.
MY PROMISE TO YOU
The Dundee Herbal Clinic stands by the principles outlined in the GDPR, and as such, ensures that any information held by the organisation is collected, used, and stored securely, and for specific reasons. No information I hold about you is shared, sold, or rented and is accessible by you upon request. If you would like access to your information, please contact me via email at wendy@dundeeherbalclinic. For current clients: In order to keep your information accurate and up-to-date, I may send you an email requesting that you check and update any information that I hold.
POLICY DOCUMENTATION UPDATES
This document was updated on the 29th August 2018. I’ve done my very best to explain clearly and in plain English what I do, what information I collect and why, so that you can feel completely comfortable that any information held or stored is being used exactly in the way you would expect in order to maintain your privacy. If there’s anything here that isn’t clear, or you discover any errors in this document, please reach out to me and I’ll fix it immediately.
This policy will next be reviewed on 29th August 2019 unless circumstances (or the law) changes in the interim time period. Please note that you will not be explicitly informed of any changes, but they will be made freely available on my website, so please check the page from time to time so you can be confident you’re completely happy and satisfied with my processes.
I sincerely hope this update helps you better understand this document, what you’re consenting to, and how I operate.