DATA PROTECTION POLICY 2018
NATURE’S HEALTH & ACUPUNCTURE CLINIC
Content is subject to Copyright.
CATEGORIES OF PERSONAL DATA & DATA SUBJECTS
Data subjects about whom data is collected are potential or current clients who freely approach(ed) the clinic looking for help and or treatments for their conditions / pathologies / signs and/or symptoms.
ELEMENTS OF PERSONAL DATA
Elements of personal data included: Name, Address, Age, Date of Birth, Occupation, Email, Contact phone number(s) & information regarding the clients presenting condition(s) (what they want to be treated for) and about their related medical & health history and/or of those of their children or dependents if they are being treated. This may include information about: their personal life, emotional experiences such as traumas or loss they may have experienced if relevant to their condition, medical test results such as MRI reports, results of blood analysis, hormone tests, semen analysis, X-ray results and any other medical test results or information relating directly or indirectly to their presenting condition(s).
SOURCES OF PERSONAL DATA
Personal Data is collected directly from the individuals concerned themselves or in the case of children under 16 years of age, from their parents or guardians.
Each adult applying to receiving treatment at Nature’s Health & Acupuncture Clinic is asked to "OPT IN" by reading & then signing Nature’s Health & Acupuncture Clinic Personal Data Authorization Form, to show they have willingly opted in, thereby granting the clinic and its representative(s) the right to access, store & use their personal and medical data for the purpose for which it is intended & which was provided freely and willingly by them.
PURPOSE FOR WHICH PERSONAL DATA IS PROCESSED
Nature’s Health & Acupuncture Clinic processes personal data for the following purposes:
To obtain the relevant data to identify the client, his or her presenting conditions, signs and or symptoms & history where relevant, thereby allowing an informed decision as to the most adequate and effective choice(s) of therapy or combinations of therapy for the client to whom the data is related.
LEGAL BASIS FOR EACH PROCESSING PURPOSE
The legal basis for each processing purpose is that of CONSENT with regard to the data provided over the phone or in person: the client’s Name, Age, Date of Birth, Occupation, Address, Phone number(s), Medical and/or personal history and their relationship to any minors & the data given in relation to the minors about whom data is being collected. The legal basis is of CONTRACTUAL OBLIGATION with regard to scheduling appointments and their being carried out. The legal basis is of LEGITIMATE INTEREST with regard to explaining or offering clients seasonal offers, new therapies or loyalty or discount offers or amendments to clinic opening hours.
SPECIAL CATEGORY OF PERSONAL DATA
Given that the data of clients is of a medical and personal nature, it falls under the heading of a Special Category. In consequence, every effort is made to acquire ONLY the essential data and to ensure that it is safe-guarded through encryption of the hard drive with a secure encrypted back up retained in Dropbox Cloud Storage which meets the highest security standards of best practice. Files uploaded by users are stored on Dropbox’s Storage Servers as discrete file blocks. Each block is encrypted using 256-bit Advanced Encryption Standard (AES).
Nature’s Health & Acupuncture Clinic has developed and uploaded a PRIVACY NOTICE to its website, www.natureshealthclinic.ie so that anyone who is contemplating treatment with the clinic may be made aware that we care about their privacy and their rights under the new Data Protection regulations. This Privacy Statement is there to help them understand:
What data we will require from them and why.
Who will have access to their data
How their data will be handled
That they are at liberty to freely offer this data or not.
That they have a right to amend, erase and/or obtain access to their data.
Their rights under the GDPR.
(SARs) SUBJECT ACCESS REQUESTS
Subject Access Requests are detailed both in the Privacy Notice set up on the clinic’s website, www.natureshealthclinic.ie and also in the clinic’s Data Protection Authorization Form (DPAF) which is explained to, and signed by, each new client if they accept and are in agreement with the DPAF prior to the obtention of information in the initial clinic consultation.
Details of their data shall be given to them in the form of an electronic copy of their data and/or or in printed format sent by standard post.
Clients do NOT have the right to see the documentation that contains their personal data, only the personal
The data subject, i.e. the client, has the right to lodge a complaint with a supervisory authority. e.g with the Office of the Data Protection Commissioner. ODPC https://www.dataprotection.ie/ Efirstname.lastname@example.org
All requests for SARs will be duly recorded and responded to in one month or earlier if possible.
DELETION, RECTIFICATION and RESTRICTION
Once a request for Rectification or Deletion has been received, and the information being requested to be rectified or deleted has been checked to be free from Insurance, Legal, or Health requirements for the continuation of its existence, it will be duly rectified or deleted and prompt notification in the form of an email, text, or phone call, of the action taken will be given to the client who requested same.
Both deletion and rectification are electronic and therefore require only sufficient time to access the data and ratify that deletion or rectification is appropriate and possible. In the case that printed material exists relating to a client’s data, that printed data, should deletion be necessary, shall be shredded.
When a client, or potential client, has expressed their wish to halt the processing or restrict the processing of personal data on valid grounds such processing shall be suspended upon receipt of said signed or verbal instruction.
All requests for DELETION, RECTIFICATION & RESTRICTION will be duly recorded and responded to in one month or earlier if possible.
DELETION with respect to SPECIAL DATA
Nature’s Health & Acupuncture Clinic deals with personal and medical data. Therefore, the data it retains is subject to retention limitations or duration dates advised by: BALENS…its Insurance Company, The Acupuncture Council of Ireland as its Official Registering Body, and the General Data Protection Regulation 2018.
The requirements for retention will be prioritized by the legal advice given by Balens, which in the case of a minor is retention for seven years after the age of adulthood, which is designated as sixteen years in the GDPR 2018. Therefore, the data of a minor must be retained till the minor has reached the age of twenty-three. In the case of adults, data must be retained for seven years from the date of their last treatment. After these stipulated times, data will be deleted should it have been requested.
Under the GDPR it is mandatory to report a personal data breach to the Office of Data Protection Commission (ODPC) if it is likely to result in a risk to people’s rights and freedoms. In the case of a data breech, Nature's Health & Acupuncture Clinic will report such a breech to the ODPC within 72 hours of having become aware of said breech.
REMEDIES & SANCTIONS
The GDPR has been said to be a Regulation with teeth. It introduces a number of new sanctions and remedies.
The fines can be as high as 4% of annual global turnover or €20 million (whichever is higher) for serious data
breaches. Individuals rights are strengthened with the more stringent requirements surrounding consent.
Furthermore, the GDPR allows for individuals who have suffered material or non-material damage as a result of
an infringement of the GDPR to sue for the receipt of compensation from the controller or processor for the damage