Privacy Notice
Our Commitment at Northwest Massage Clinic
Northwest Massage Clinic is committed to ensuring the protection of all personal information that we hold, and to providing and protecting all such data. We recognise our obligations in updating and expanding this programme to meet the requirements of UK GDPR and the DPA 2018.
Northwest Massage Clinic is dedicated to safeguarding the personal information under our control and to maintaining a system that meets our obligations under the new regulations. Our practice is summarised below.
Introduction
The EU General Data Protection Regulation (“GDPR”) came into force on 25 May 2018.
The new Regulation aims to standardise data protection laws and processing across the EU, giving people greater rights to access and control their personal information.
Following the 28th June 2021 UK approval of ‘adequacy’ levels of data protection deemed equivalent to those of the EU, the EU GDPR 2018 has been adopted into domestic law as the UK GDPR, which sits alongside the DPA 2018. These are subject to change but apply to UK-based businesses or organisations processing personal data.
Compliance
General Data Protection Regulation 2018
UK General Data Protection Regulation & DPA 2018
Abbreviations
GDPR General Data Protection Regulation
DPO Data Protection Officer
DPA Data Protection Act
How We Prepared for UK GDPR
Northwest Massage Clinic has set out a consistent level of data protection and security by ensuring that UK GDPR has been implemented right from the start, and will continue to update these measures to ensure compliance.
Policies and Procedures — we have revised data protection policies and procedures to meet the requirements and standards of the UK GDPR and any relevant data protection laws, including:
Data Protection - our main policy and procedure document for data protection has been revised to meet the standards and requirements of the GDPR
Data Retention and Erasure - we have updated our retention policy and schedule to ensure that we meet the "data minimisation" and "storage limitation" principles and that personal information is stored, archived and deleted in accordance with our obligations. We have procedures in place to meet the new "Right to Erasure" obligation
Data Breaches - our procedures ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible
International Data Transfers and Third-Party Disclosures - where Northwest Massage Clinic holds or transfers personal information outside the EU, we have robust procedures in place to secure the integrity of the data
Privacy Notice/Policy - we have revised our Privacy Notice to comply with the UK GDPR & DPA 2018, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information
Obtaining Consent - We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing (medical and contact information), why they are providing it (for safe and informed treatment within our clinic), and how we use it (we retain personal data such as your contact details and medical history for the operational running of clinical practice, i.e. our legal obligation to keep treatment records and to contact you regarding upcoming appointments), and giving clear, defined ways to consent to us processing their information (opt-in consent required during the initial consultation, which can be revoked at any time).
N.B. Consent in this context relates to consenting to our Clinic’s holding of personal data, not consent for treatment, which is not within the scope of this document.
Direct Marketing & Reminder Communications - Northwest Massage Clinic does not provide any direct marketing. We have revised the wording and processes for direct marketing and reminders, including clear opt-in mechanisms for marketing and reminder communication subscriptions, and have made sure that we can evidence an affirmative opt-in, that we give a clear notice and method for opting out, and that we provide unsubscribe features on all subsequent marketing materials.
Processor Agreements - where we use any third party to process personal information on our behalf, i.e. Practice Management Software*, we have agreed compliant Processor Agreements and due diligence procedures for ensuring that they meet and understand their/our UK GDPR obligations.
Your personal data is not disclosed, nor sold, to any other parties outside of Northwest Massage Clinic. It is required solely to provide our Massage Therapy services in a safe manner.
Should you require your data for other medical disciplines, a referral, or the passing-on of records to a GP, consultant, etc., Northwest Massage Clinic can either replicate it and provide it to you directly, or will require informed consent from you, the client, to securely forward it to the appropriate recipient.
Information Security and Technical and Organisational Measures
Northwest Massage Clinic takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction.
Storage & Security - Northwest Massage Clinic no longer generates hard copies; no records are stored overnight at the Clinic address or at the owner’s home address. All records containing personal data are held within encrypted software and stored remotely. As such, records will not be stored on a physical device such as a tablet or computer. Any allocated devices used to access personal data are password-protected, use encrypted channels and have up-to-date cybersecurity; they will not be left unattended and will be stored in a locked environment overnight. Authorisation will be required to access both devices and software. We will also take care, when viewing information in hard copy or on-screen, that it is not seen by anyone who is not legitimately privy to that information.
Consent will be required from the data subject to generate a hard copy of any personal data. Should Northwest Massage Clinic be provided with a hard copy of personal data (e.g. a referral or a list of medications), this will be electronically copied and added to the client’s records; the hard copy will then either be returned to the client or destroyed.
Your Rights (Data Subject Rights)
We provide easy-to-access information at northwestmassage.co.uk/privacy-policy on an individual’s right to access any personal information that Northwest Massage Clinic processes about them and to request information about:
what personal data we hold about you
the purposes of the processing
the categories of personal data concerned
the recipients to whom the personal data has/will be disclosed
how long we intend to store your personal data for
if we did not collect the data directly from you, information about the source
the right to have incomplete or inaccurate data about you corrected or completed and the process for requesting this
the right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
the right to lodge a complaint or seek judicial remedy and who to contact in such instances
What personal information do we collect?
Email address
First and Last Name
Phone Number
Address
Date of Birth
The above details are collected so that we can identify you (the client) in correspondence regarding booking and payment for appointments, and so that you can receive booking confirmations and reminders of upcoming appointments, within the remit of clinic management.
Special Category Data
Health Details
The above details are collected under section (h) of Article 9 of UK GDPR and Schedule 1, Part 1 of the DPA 2018, in compliance with their principles and requirements, so that we can provide health care, identify you (the client), and keep accurate and relevant records to treat you as is appropriate within a clinical setting. All of this information is stored solely for the running of the clinic.
Do we send emails to users?
Yes, we send emails to confirm online bookings, and reminders of upcoming appointments. We do not currently send any marketing emails. Users can opt-in to receiving updates regarding clinic closures. Users may opt-in to reminder emails.
Do we send texts/SMS to users?
Yes, we send text/SMS reminders of upcoming appointments. We do not currently send any marketing texts/SMS. Users can opt-in to receiving updates regarding clinic closures. Users may opt-in to reminder texts/SMS.
Do we use tracking and/or analytics tools?
Yes, we use Google Analytics or other related tools to improve our service.
Please note: Clinic Contact Details can be found in the UK GDPR Roles section below.
UK GDPR Roles
Northwest Massage Clinic is solely owned and administered by Ana Maia MacLellan, the controller of business information. No other individuals have access to personal data held within the business. To make amendments or request more information on any of your ‘subject rights’, please contact Northwest Massage Clinic.
Contact Details
hello@northwestmassage.co.uk
northwestmassage.co.uk/contact
*Northwest Massage Clinic uses the Australian practice management software Cliniko to provide our service. Cliniko serves as the legal ‘processor’ of Northwest Massage Clinic’s data without being located in the UK. To identify any gap areas and implement new policies, procedures and measures to comply with UK GDPR, Cliniko has a jointly appointed EU/UK Data Protection Officer (DPO).
For any questions relating to UK privacy regulations and compliance, the DPO serves as advisor and contact person for data subjects and supervisory authorities.
Cliniko UK/EU DPO
dpo@cliniko.com
Further links:
https://www.gov.uk/data-protection
Last reviewed Saturday 28th August 2021.