Awareness of this policy constitutes consent.
This notice is to explain why we collect your personal data, what we do with it, and to ensure we are working in accordance with the new EU General Data Protection Regulation (GDPR).
When you supply your personal details to us, when we communicate by email or text, and when notes are taken in the clinic, this information is stored and processed for three reasons in line with the GDPR requirements:
- We need to collect personal information about your health in order to provide you with the best possible treatment. Your request for treatment and our agreement to provide that care constitute an (unwritten) contract in law.
- We have a legitimate interest in collecting that information, because without it we couldn’t practise acupuncture effectively and safely.
- We keep records of your contact information because we think that it is important that we can contact you to confirm your appointments with us or cancel them. This again constitutes a legitimate interest (yours).
We have a professional obligation to retain your records for 8 years after your most recent appointment (or after you have reached age 25, if this is longer), but after this period you can ask us to delete your records if you wish. Otherwise, we will retain your records in order that we can provide you with the best possible care should you wish to see us in the future.
Your clinical records are stored only on paper, in individual files, and in a secure cabinet in the home clinic.
Your emails are stored securely on password-protected ProtonMail servers in encrypted format. ProtonMail use end-to-end encryption and zero-access encryption to secure emails. This means even ProtonMail cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties. Vaiva is the only person who has access to your records and emails. Texts are stored on a password-protected phone and deleted within 3 months. We will never share your information with anyone who does not have a legal right of access without your written consent.
You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. We are legally required to respond to any request from a client to see their personal data within a timescale of 30 days.
You can raise any concerns directly with the Information Commissioner’s Office at https://ico.org.uk/concerns/