In accordance with the European Data Protection Act which came into force on 25th May 2018, I am stating below why and how I collect and store clients' personal information.
Lawful basis for my holding client information:
For the purpose of my work as a therapist it is necessary for me to obtain written consent to treatment from new clients.
In order to make appropriate treatment recommendations and monitor treatment progress, I require client consent to my gathering and recording information relating to their health and well-being.
As well as personal information relating to a client's health and well-being, the record sheet includes the client's home address, date of birth, their GP practice and their signed consent to treatment.
How I hold the following personal client information:
1. Manual paper records of personal information relating to clients' health and well-being, including their contact details, date of birth, GP practice and paper records of their treatment sessions. These records are stored securely in a locked filing cabinet.
It is a requirement of my professional insurance policy that I retain adult client records for 7 years; in the case of children, the records must be retained for 7 years after the client's 18th birthday. When 7 years have elapsed and there is no requirement on the part of the client or my insurers to retain the records, the papers are shredded.
I do not give out any information to any third party without the client's consent, except in the unlikely instance of my being required to do so by law.
2. I hold a list of contact details (name, email address and telephone number) for current and past clients on my computer, which is password protected. Contact details (name and mobile number, sometimes an email address) for some clients are stored on my phone, if this is the way they contact me/communicate with me. My phone is password protected. If clients have not attended for over a year, their contact details are deleted.
3. I store contact details for workshop participants on my computer – name, email address and telephone number and, if necessary, a postal address. My computer is password protected. Unless participants give their agreement to be on my mailing list, their details are deleted after completion of the workshop.
4. I am required to retain contact details, course completion date and certification date for Kinesiology course participants after they have completed their course, for my teaching records. These are in paper form and are stored securely in a locked filing cabinet. Depending on the course studied, participants' contact details and certification dates are also held by the Optimum Health Kinesiology School in Norfolk (www.kinesiologyohb.co.uk) or The International Kinesiology College based in Zurich, Switzerland.
5. I hold an online mailing list of clients/workshop participants and others who have given written agreement to receiving information from me relating to courses and workshops. The list is stored on my password-protected computer.
6. I email invoices/receipts to clients wishing to pay for treatments by bank transfer. These include the client's name and address. The invoices/receipts are stored on my password-protected computer until completion of my annual tax return.
Under GDPR legislation clients have the following rights:
To be informed about what information I hold about them (see above).
To be able to access the above information (see below).
To ask for the information to be rectified if they feel it is factually incorrect.
To ask for processing of the information I hold to be restricted.
To ask for the information to be erased – this requires the agreement of my insurance company if the required retention time frame of 7 years has not expired.
The right not to be subject to automated decision making, including profiling (not applicable in my line of work).
Clients have the right to access the personal information I hold about them free of charge, other than the cost of photocopying and postage (see contact details below).
Clients can ask for their information to be updated or rectified if they consider there are factual inaccuracies in the records. Complete erasure of a client's records would require the agreement of my insurers, if the retention period of 7 years has not elapsed.
Should you have any concerns or questions about how I process your data, my contact details are:
Email: email@example.com Mo: 07541120450
You also have the right to contact the Information Commissioner's Office if you have a complaint about how I process your personal information.
www.ico.org.uk Mo: 0303 123 1113