Holistic Health York and Ruth Tarr will hereafter be referred to as HHY.
“I”, “my”, “me”, “your”, “you” and “the client” refer to the client and/or the client’s parent/guardian (if the client is aged 16 years or under), as well as any potential client who shares data or information with Holistic Health York (HHY).
The following information outlines the Privacy & Data Protection Policy for Holistic Health York (HHY). This policy exists to ensure that any client data and information communicated by the client to Ruth Tarr of HHY is used in an appropriate and secure way. All client data and information will be held and processed in accordance with the data protection principles set out in the Data Protection Act 2018 and the General Data Protection Regulation for the purposes of providing the services the client has requested from HHY.
Client data and information can be collected by many means of communication (verbal and written, including but not limited to in person, telephone, video call, SMS, offline emails, social media platforms and message boards etc.) at any point between a client and HHY.
How to Contact Me:
Address: Ruth Tarr, Holistic Health York, 7 Fairway, Rawcliffe, York, YO30 5QA
Personal Client Data & Information Held and Processed by HHY:
Client data and information held falls within the categories of personal data (any information which can identify someone, such as name, address, date of birth) and special category data (personal data which pertains to someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, health or sexual life, or genetic data).
Client data and information may also include, but is not limited to, the client’s:
- Reasons for wanting to work with HHY.
- Past or present therapeutic and/or mental health and/or physical health issues.
- Past or present personal, social, financial, and medical circumstances, background and family history.
HHY will retain information about any potential client when they have made initial enquiries, and/or had a consultation, and/or failed to undertake any therapy.
Client data and information may be retained in the following formats:
- Paper records.
- Electronic information and records such as, but not limited to:
  - Offline emails.
  - Third party platforms, including social media message boards.
How we get your personal data
We only have access to the data that you, or your parent/guardian, choose to supply directly to us, either:
- over the phone/video call.
- when you book an appointment using our online calendar facility.
- when you complete one of our forms; either in a document or via the online forms hosted on our website.
Use of Client Data & Information by HHY:
HHY relies on the following legal basis when processing client data and information:
- To fulfil a contract for services with the client, or to comply with a legal obligation.
- HHY’s legitimate interests to run an effective and successful business, or the legitimate interests of a third party, where not outweighed by client’s interests.
The data and information can be held by HHY to:
- Make an informed professional decision as to the most appropriate assessment and treatment methods for the client.
- Guide the assessment and treatment for the client’s presenting problem during the course of their therapy, and to ensure that there are no medical reasons why certain therapies cannot be used with the client.
- Notify the client about changes to the client’s appointments and any other changes to HHY’s services.
- Infrequently check in with the client after their therapy has ceased for any length of time.
- Request and gather feedback from the client on the client’s experience of therapy with HHY.
- Improve HHY’s service to ensure it is provided effectively for the client and for HHY.
- Administer HHY’s service, including, but not limited to, the arrangement of appointments, financial control, data analysis, research, statistical and survey purposes.
- Communicate with the client and those who ask HHY to, for the purposes of organisational, service and professional development.
Please note this data and information will not be used for marketing purposes.
Generally, all data and information gathered by HHY is confidential. However, there are several notable exceptions to this confidentiality:
- By any third party, in order to meet HHY’s legal and regulatory obligations, including statutory or regulatory reporting, or the detection or prevention of unlawful acts, or if the client is at risk.
- HHY’s advisors and auditors, for the purpose of seeking professional advice or to meet HHY’s audit responsibility.
- In the event that a client gives permission to share the client’s data and information by completing and signing a written consent form.
Duration of Retaining Client Data & Information:
It is a legal requirement that Holistic Health York retain:
- Client data and information for a period of 5 years from the last date of therapy (or date of initial enquiry, or consultation, even if the client failed to undertake any therapy).
- Financial records for a period of 7 years from the client’s last payment date.
What Happens to Client Data & Information when the period of 5 or 7 Years is up?
Once the period of 5 or 7 years is up:
- All paper copies of client data and information are destroyed by shredding and recycling.
- All electronic client data and information is deleted.
The Client’s Rights:
The client has the following rights:
- Right to Access – Should a client request the right to access the information that HHY holds about the client, HHY has one calendar month from the request to comply. However, should HHY need to confirm a client’s identity, then HHY has one calendar month from the time the client’s identity has been confirmed. The client’s information would then be passed on to the client either electronically or as hard copies.
- Right to Rectification – Should a client inform HHY that the personal data held about the client is inaccurate or incomplete, the client has the right to request this data be rectified. The personal data in question shall be rectified where possible, and the client informed of that rectification, within one calendar month of receipt of the request for rectification. However, should HHY need to confirm a client’s identity, then HHY has one calendar month from the time the client’s identity has been confirmed. In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data.
- Right to Erasure – Due to legal requirements, client data and information can only be deleted 5 years from the last date of therapy (or date of initial enquiry, or consultation, even if the client failed to undertake any therapy). Due to legal financial requirements, relevant client data and information can only be deleted 7 years from the client’s last payment date.
- Right to Restriction of Processing – The client can request that the client’s data and information is no longer to be processed. However, if the client’s data and information is restricted in this way, HHY can no longer work therapeutically with the client, as the client’s data and information is required, due to reasons detailed in The Use of Client Data & Information by HHY section of this policy. However, as per the Duration of Retaining Client Data & Information section of this policy, the client’s data and information will still be stored for the required length of time.
- Right to Data Portability – Please note the right to data portability only applies when the data processing is being carried out by automated means; it therefore excludes any paper files which pertain to initial enquiry notes, initial intake forms and notes, subsequent session notes, treatment notes, as well as any further paper-based communication or handwritten forms. The client has the right to:
  - Receive their client personal data, which the client has previously given (in a structured, commonly used and machine-readable format) to HHY.
  - Request that HHY transmits this data directly to another data controller.
- Right to Object – The client has the right to object to the processing of the client’s data and information (i.e. asking for personal data to no longer be processed). However, if the client’s data and information is restricted in this way, HHY can no longer work therapeutically with the client, as the client’s data and information is required, due to reasons detailed in The Use of Client Data & Information by HHY section of this policy. However, as per the Duration of Retaining Client Data & Information section of this policy, the client’s data and information will still be stored for the required length of time.
If the client wishes to exercise any of the rights set out above, please contact Holistic Health York using the details provided in the How to Contact Me section of this policy.
The client also has the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which is the supervisory authority for data protection issues in the UK. HHY would, however, appreciate the chance to deal with any concerns before a client approaches the ICO; therefore, please contact HHY in the first instance, using the details provided in the How to Contact Me section of this policy.
Client Data and Information – Security:
All client data and information provided to HHY is stored as securely as possible. Paper copies are kept in a locked cupboard on the premises of HHY, and taken out when being used by HHY. Electronic information and communication (excluding SMS, offline email, webserver and third-party platforms) are stored on an encrypted portable hard drive, which is in a locked cupboard on the premises of HHY, and taken out when being used by HHY.
The laptop used by HHY to access client data and information has anti-virus software installed.
Electronic communication by HHY via SMS, offline email, and third-party platforms, requires the relevant access via password-protected authentication, or by reputable service providers using secure internet ‘cloud’ technology.
HHY cannot guarantee the security of client data and information when it is transmitted to HHY by the client via SMS, offline email, and third-party platforms; these transmissions are therefore undertaken at the client’s own risk. Once HHY has received this information, password security features are used to try to prevent unauthorised access.
Process if Data Protection Rules are Broken:
If a personal data breach occurs which is likely to result in a high risk to the rights and freedoms of the client (e.g. a significant financial loss, breach of confidentiality, discrimination, reputational damage, or other social or economic damage), HHY must ensure that:
- The ICO is informed of the breach without delay, and in any event, within 72 hours of becoming aware of it.
- All affected clients are informed of the breach directly and without undue delay.
Any breaches will be fully investigated by HHY and security measures will be assessed and reviewed in relation to the investigation.
Changes to the Privacy & Data Protection Policy:
This Privacy & Data Protection Policy is kept under review by HHY and will be updated to reflect any changes. Any updates made will be posted on HHY’s website (http://holistichealthyork.co.uk) for any potential client, or client to read.
Last updated: March 2022