The General Data Protection Regulations: Root & Branch Acupuncture’s Policy Statement
The Legal Obligations of Data Controllers
The GDPR places legal obligations on businesses that hold personal data (Data Controllers). These obligations may be summarised as follows:
- Obtain and process the information fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request.
(See Data Protection Rules)
The following is a statement of how the GDPR obligations apply to personal data sought and held by Root and Branch Acupuncture.
The purposes of obtaining information
When a client attends for their first consultation and treatment, they will be asked to complete a form requesting certain items of information, including their email, postal address and telephone number. These details will be held as paper records. Details of the patient’s main complaint and their email address are also held electronically. Electronic and/or postal address details are necessary in order to contact the client in the following circumstances:
- To write an introductory email outlining the number and frequency of treatments that the client may need, where to find more information, and the company cancellation policy.
- To offer the client information and advice specific to their main complaint which I may not have been able to provide during the consultation and treatment e.g. website links to relevant matters such as exercises, or supplements/herbs, or details of other useful therapies/therapists.
- To send the client quarterly newsletters containing articles about the use of acupuncture to treat various conditions.
By checking the relevant boxes on Root & Branch Acupuncture’s Intake Form the client gives consent for their details to be used for the above purposes. However, clients may subsequently unsubscribe from receipt of newsletters at any time.
General health and background information
Besides being asked about the main complaint for which you are seeking treatment, you will be asked to provide information which may not appear to be obviously related to your main complaint, and which may therefore seem unnecessary. The scope of information sought is wider because:
- For safety and risk management purposes it is necessary to know if clients have particular health problems that could arise suddenly in the clinic.
- Information regarding your general health, and family health, can sometimes be very relevant to making a full and accurate diagnosis of an apparently unrelated health problem.
- The effects of other treatments and therapies (both Western and Alternative) may have implications for your symptoms, and the extent to which Acupuncture can help you.
Failure to disclose such information could result in less than optimal diagnosis and treatment, or a lack of appropriate lifestyle advice.
Retention of Information
Having obtained your information, certain rules are applied to how it is held:
- No details of any kind are ever shared with third parties.
- Paper records are kept in a locked, fireproof filing cabinet, in a locked room, with a burglar alarm system in place. Records over seven years old are destroyed.
- Electronic records are kept safe with anti-virus software, a firewall and password protection.
- A client who requests their personal records will be given a paper copy within 40 days.