York Clinic for Integrated Healthcare
Privacy Policy – May 2018

Introduction
At the York Clinic for Integrated Healthcare we are committed to protecting and respecting your privacy.  This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure.  We comply with our legal obligations by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Any questions regarding this Policy and our privacy practices should be sent by email to email@yorkclinic.com, or by telephoning us on York 709688.

Who are we?
The York Clinic for Integrated Healthcare is a multi-disciplinary clinic situated on Tadcaster Road on the outskirts of York. Our highly qualified therapists offer a full range of both “hands-on” and “talking” therapies. For data protection, the York Clinic is the Data Controller, and we decide how your personal data is processed and for what purposes.

Who do we obtain information about?


We collect information about our:
Patients
Prospective patients
Former patients
Subscribers to our newsletters
Staff
Practitioners
Visitors to our website
Job applicants
Suppliers and services providers
Advisers, consultants and other professional experts
Complainants

What is personal data?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Examples of personal data we may hold about you include your contact and appointment details. Special category data includes data concerning your health which we may hold about you in your patient notes.

How do we collect information from or about you?
We obtain information about you when you first inquire about treatment, either by telephone, email or in person, when you attend the Clinic for treatment, when you return for treatment after a significant lapse of time, or if you are in contact with us in any other way or your details are forwarded to us by someone else. Some patients and prospective patients return pre-first appointment questionnaires or tell us about their medical conditions and medication by email or online enquiry forms. We keep a register of patients attending our clinic, to keep a record of when you were treated for tax purposes and to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to a regulatory body.
We use a third party service, WordPress.com, to host our website including publishing our blog. This website is hosted at www.yorkclinic.com and the blog at http://www.integratedhealthcareyork.com/, which is run by (name of company running website host). Visitors that want to post a comment need to enter a name and email address.

What type of information is collected from or about you?
The personal information we collect will include your name, address, email address, phone numbers (home, work and mobile), date of birth and your GP’s name and surgery. We collect personal data from patients at a first appointment, and also keep records of when you are treated for tax purposes. In some cases, personal data is used when referring patients to other health professionals, to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to a regulatory body. We use your relevant medical and family history, and your presenting complaint and symptoms reported by you for the purposes of making a diagnosis, formulating a treatment strategy and treatment planning. We use your GP’s name and address in the event that we need to contact your GP including in an emergency and because it is a mandatory requirement for certain practitioners.
In the event of an adverse incident occurring to any of our patients we report the matter to the appropriate professional body and the our insurance company to enable the insurance company to deal with any potential claims. We keep accident records for any patients, visitors or staff who are involved in accidents at our clinic in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or a complaint. When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We usually have to disclose the complainant’s identity to whoever the complaint is about. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. We may need to provide personal information collected and processed in relation to complaints to professional bodies or to our insurance company. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

How is your information used?
We may use your personal information to:
• book, confirm or amend your appointments with our therapists;
• administer our own accounts and records;
• carry out our obligations arising from any contracts entered into by you and us;
• respond to you if you have contacted us directly or through someone else;
• notify you of changes to our services.

If you provide us with your consent, we will also use your information to send you e-newsletters that may be of interest to you. These may include information about events, products for sale in the Clinic, Clinic newsletters, or seeking your views or comments on the services we provide. For these marketing purposes, we maintain and use records of subscribers only with their consent.
We use a third party provider, MailChimp, to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For further information, please see MailChimp’s privacy notice.
When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
We use website cookies to improve user experience of our website by enabling our website to ‘remember’ users, either for the duration of their visit – using a ‘session cookie’ – or for repeat visits – using a ‘persistent cookie’. This process does not in any way identify anyone.
We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.

Who has access to your information?
The Clinic staff and the therapist(s) treating you will have access to your information for the purposes stated above.
Your personal data will be treated as strictly confidential and only shared:
· with named third parties with your explicit consent;
· with the relevant authority such as the police or a court, if necessary for compliance with a legal obligation to which we are subject e.g. a court order e.g. for the purpose of crime prevention, investigation, detection or prosecution
· with your doctor or the police if necessary to protect yours or another person’s life, e.g. if we believe you are a threat to yourself (suicidal or likely to self harm) or to others (in the public interest).
· with the police or a local authority for the purpose of safeguarding a children or vulnerable adults; or
· with a regulatory body or insurance company in the event of a complaint or insurance; or
· a solicitor in the event of any investigation or legal proceedings
For further details about the situations when information about you might be shared please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/personal-information/sharing-my-info/
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

Your choices
You have a choice about whether or not you wish to receive information from us. If you want to receive information from us as set out above, then you can opt in by ticking the relevant box situated on the Clinic Registration form.
You can change your preference at any time by contacting us by email: email@yorkclinic.com or telephoning the Clinic on York 709688.
How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary. Patient records are retained for an indefinite period, so records can be re-accessed if a patient returns for further treatment. We retain employee records for the period of their employment, and for an indefinite, for use in providing references. Data is routinely destroyed using a confidential document shredding service.

Your rights and your personal data
Unless subject to an exemption under the General Data Protection Regulations, you have certain rights with respect to your personal data as set out below.
· The right to request a copy of your personal data which we hold about you.
· The right to request that we correct any personal data if it is found to be inaccurate or out of date.
· The right to request your personal data is erased where it is no longer necessary for us to retain such data.
· The right to withdraw your consent to the processing at any time. This right does not apply where we are processing information using a lawful purpose other than consent.
· The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
· The right to object to the processing of personal data, (where applicable) [This right only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics].
· The right to be informed if your data is lost. We shall also inform the Information Commissioner’s Office in accordance with the time limits in the GDPR.
· The right to lodge a complaint with the Information Commissioner’s Office.

For further details about these rights please see the Information Commissioner’s website at https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

How you can access and update your information

The accuracy of your information is important to us. If you change your contact details, or any of the other information we hold is inaccurate or out of date, please email us at email@yorkclinic.com, or telephoning the Clinic on York 709688.

You have the right to ask for a copy of the information we hold about you (this will usually be free but we will let you know if we need to charge a reasonable fee to cover our costs in providing you with details of the information we hold about you).

At any time you may request that changes are made to your contact details, for example if they are inaccurate or incomplete.

Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. We are unable to send or receive encrypted emails so you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send us is within the bounds of the law.

Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.

Links to other websites
Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
16 or Under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.
Transferring your information outside of Europe
As part of the services offered to you, the information which you provide to us may be transferred to countries outside the European Union (“EU”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.

Concerns or Complaints
If you have a concern or complaint about how we handle your personal information, we’d like to try to resolve this with you. Please contact us by email: email@yorkclinic.com, or by telephoning the York Clinic on York 709688.

If we do not resolve your concern or complaint to your satisfaction, or if you prefer to go direct to the Information Commissioner’s Office (ICO), you can contact the ICO on its helpline on 0303 123 1113 or via its website: https://ico.org.uk/concerns/handling/

Review of this Policy
We keep this Policy under regular review. This Policy was last updated on 10th May 2018.