top of page

KORU ACUPUNCTURE PRIVACY POLICY

 

Cookies

 

Cookies are used on this website to make the site easier to use and to track the traffic patterns of visitors.  An “implied consent” policy is in operation, which means that it is assumed you are happy with this usage.  If you are not happy with this, then you should adjust your web browser settings to disallow cookies.  More information about cookies can be found at www.allaboutcookies.org.

 

Privacy Notice

 

Who am I?

​Sarah Fitzgerald is the Data Controller on behalf of Koru Acupuncture and therefore decides how your personal data is processed and for what purpose.

 

Whose information does this privacy notice apply to? 

Clients

Prospective clients

Former clients

Newsletter subscribers

Website visitors

What is personal data?

Personal data relates to a living individual who can be identified from that data.  Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.  Special category data is a sub-category of personal data and includes, amongst other things, data relating to health.  Examples of special category data Koru Acupuncture may hold about you includes your patient notes.

 

 

Why I collect your personal data 

Personal information about your health is collected in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes a contract.  A refusal to provide the information could compromise an effective and safe treatment and it would therefore mean a treatment not being provided.

It is important that you are contactable in order to confirm your appointments or to update you on matters relating to your medical care. This is in your legitimate interest.

In order to take payment for our services (this may include credit card information) and to collect comments and feedback from you as a patient on the services provided.

With your consent, you may occasionally be sent clinic updates. You may withdraw this consent at any time via email to: sarah@koruacupuncture.com

What type of data is collected?

I currently collect and process the following information: 

  • Personal identifiers, contacts and characteristics (e.g. name and contact details)

  • Online identifiers (such as IP address, and any cookie identifiers stored on your device)

  • Data concerning health (e.g. the information recorded in your patient notes during appointments).

  • Payments, which are taken either by Bank transfer or via use of the SumUp card reader.  SumUp operates in accordance with the highest card payment industry security standards, using PCI-DSS, SSL and TLS and PGP.  All data is encrypted and transferred to a secure payment server.  SumUp never stores any sensitive data on mobile devices, such as smartphone, tablet or card reader.  Please refer to SumUPs Security information at https://help.sumup.com/en-GB/articles/7vPhfTuQgaRgzUUppWoYT-security and its Privacy Policy at https://www.sumup.com/en-gb/privacy/.

How is your personal data processed?

I comply with obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Your personal data is used for the purposes set out below.

 

Sections 1 – 16 apply to patients, prospective patients, former patients and visitors to clinic 

  1. We use your name, address, telephone number and email address to make and rearrange appointments. We are unable to send or receive encrypted emails so you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send us is within the bounds of the law. 

  2. We use your name, address, telephone number and email address, only if we have your explicit consent, to send you marketing materials. We are unable to send or receive encrypted emails so you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send us is within the bounds of the law. 

  3. Some patients and prospective patients return pre- first appointment questionnaires or tell us about their medical conditions and medication by email or online enquiry forms. We are unable to send or receive encrypted emails so you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send us is within the bounds of the law. 

  4. We keep a permanent attendance register which records all appointments for patients attending our clinic to keep a record of when you were treated.  This information may be used for tax purposes and to secure potential evidence in the event of a criminal prosecution, civil litigation, insurance claim or complaint to my regulatory body, the British Acupuncture Council. 

  5. We may use your date of birth to help identify patients with the same name to avoid mistakes being made as to safe and appropriate treatment, for identification purposes if referring a patient to another health practitioner, and for identification purposes if writing to a registered medical practitioner so that they correctly identify the patient. 

  6. We use your presenting complaint and symptoms reported by you for the purposes of making a full traditional diagnosis, formulating treatment strategy and treatment planning. 

  7. We use any relevant medical and family history you have told us for making a full traditional diagnosis, formulating treatment strategy and treatment planning. 

  8. We use your GP’s name and address in the event that we need to contact your GP including in an emergency and because it is a mandatory requirement in the British Acupuncture Code of Professional Conduct. 

  9. We use our clinical findings about your health and wellbeing for making a full traditional diagnosis, and formulating treatment strategy and treatment planning. 

  10. We keep a record of and refer to that record of any treatment given and details of progress of your case, including reviews of treatment planning to enable us to: review the full traditional diagnosis, treatment strategy and planning; and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint. 

  11. We record and use any information and advice that we have given, especially when referring patients to any other health professional, to help you to receive the most appropriate treatment and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint. 

  12. We record any decisions made in conjunction with you to help you to receive the most appropriate treatment and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint. 

  13. We keep accident records for any patients, visitors or staff who are involved in accidents at our premises in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) to comply with the law and to secure evidence in the event of criminal proceedings, civil litigation, an insurance claim or complaint. 

  14. In the event of an adverse incident occurring to any of our patients we report the matter to the British Acupuncture Council and insurance company to enable the insurance company to deal with any potential claims and to help the British Acupuncture Council to develop its safe practice guidelines, as well as providing research data and information for the BAcC’s insurers and other interested parties. 

  15. Where relevant we maintain records of the patient’s consent to treatment, or the consent of their next-of-kin in order to be able to prove that the patient (and/or parent/guardian/next of kin) has given informed consent to treatment to secure evidence in the event of a civil claim, criminal prosecution, insurance claim or complaint. 

  16. Records are stored electronically utilising a GDPR-compliant online software service called Cliniko (cliniko.com).  All information and notes are encrypted.  Cliniko complies with the Data Processing Addendum (DPA), as this data is processed outside of the EU/EEA zone.  The DPA provides appropriate safeguards for the transfer of data outside of the EU/EEA, as mentioned in Article 46;2);c) of the GDPR legislation.

Section 17 applies to those who complain about our services:

 

17. Should I receive a complaint from a person, a file will be made up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.  The personal information collected will only be used to process the complaint and to check on the level of service provided. We usually have to disclose the complainant’s identity to whoever the complaint is about. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. We may need to provide personal information collected and processed in relation to complaints to the British Acupuncture Council or our insurance company.We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.Similarly, where enquiries are submitted to us, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service provided.

 

Sections 18 and 19 apply to newsletter subscribers:

18.  Records of newsletter subscribers are maintained and used, only with their consent, for marketing purposes.

19.  Any Newsletter delivered will be via a third-party provider (Mailchimp).  Further information on this system is available via Mailchimp’s own privacy notice.  I may gather statistics around email opening and clicks using industry standard technologies including clear gifs to help with the monitoring and improvement of my newsletter.

Sections 20 – 22 apply to our website users:  

20.  When someone visits our website, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it. 

 

21.  Website cookies are used to improve user experience of our website by enabling the website to ‘remember’ users, either for the duration of their visit – using a ‘session cookie’ – or for repeat visits – using a ‘persistent cookie’. 

 

22.  Koru Acupuncture’s website search is powered by Wix, our website host. Search queries and results are logged anonymously to help us improve website and search functionality.  For more information about how Wix processes data and applies Cookies, please see https:/www.wix.com/about/privacy.

How long do I keep your personal data?

I am required to keep client records for a minimum of seven years after your most recent appointment. In the case of minors, records must be kept until the patient reaches the age of twenty-five (seven years after reaching eighteen).  This time period is in accordance with the British Acupuncture Code of Professional Conduct. After this, you can ask for your records to be deleted; otherwise, they will be held indefinitely in order to provide you with the best possible care, should you need to use Koru Acupuncture’s services at some future date. Data that could potentially change, such as name and address, will not be routinely monitored but will be checked periodically if you continue to use our services.  You may at any time request that changes are made to your contact details and these requests will be administered within a reasonable period of time upon receipt of a request.​

 

Storing your information

Your records are stored according to the following methods:

electronically (on ‘cloud’ servers) and using a specialist medical-records service called Cliniko. This provider assures its full compliance with GDPR.  This data is password-protected, and the passwords are changed regularly;

Koru Acupuncture’s computer, which is password-protected, backed up regularly and kept in a safe place. 

 

​Sharing your personal data

Your data is strictly confidential, and will only be shared:​

with named third parties with your consent

with the relevant authority such as the police or a court, if necessary for compliance with a legal obligation to which we are subject e.g. a court order

with your doctor or the police if necessary to protect yours or another person’s life

with the police or a local authority for the purpose of safeguarding a children or vulnerable adults

with my regulatory body, the British Acupuncture Council, or my insurance company in the event of a complaint or insurance claim being brought against me

with my solicitor in the event of any investigation or legal proceedings being brought against me.

 

For further details about the situations when information about you might be shared, please see the Information Commissioner’s website.​

 

Your rights

You have the right to see what personal data of yours is held by Koru Acupuncture.  You can ask for correction of any factual errors. Provided the legal minimum period has elapsed, you can ask for your records to be deleted.​

 

To exercise all relevant rights, queries or complaints, please in the first instance contact the Data Controller, Sarah Fitzgerald at sarah@koruacupuncture.com

 

You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s OfficeWycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

 

Privacy Policy updates

Koru Acupuncture reserves the right to modify this privacy policy at any time, so please review it frequently.  Changes and clarifications will take effect immediately upon their posting on the website.  If material changes are made, you will be notified here of updates, so that you are aware of what information of yours is being collected, how it is being used and under what circumstances, if any, it will be used and/or disclosed.  By continuing to access or use my services after those changes become effective, you agree to be bound by the revised privacy policy.

 

bottom of page