At Tree of Health and Wellbeing we are committed to ensuring and protecting your privacy at any time you are on our website, Facebook page or communicate electronically with our personnel.
Our Privacy Policy is contained below and provides a detailed explanation as to how we may use your personal information provided to us or any we collect through legal means.
If you attend for an appointment, we will provide you with this and the Data Protection Policy and ask you to sign to confirm that you have read them.
We will also ask you at the time of the first consultation to confirm how you are agreeable to being contacted in the future for example on treatment plans and further booking.
Our Privacy Policy is updated frequently, so you should review this Policy regularly.
Tree of Health and Wellbeing website is currently in the process of being built but will be a “hosted Server” with “Desinian Website Solutions Ltd” which uses cookies.
YOUR PERSONAL INFORMATION – GENERAL DATA PROTECTION REGULATION (GDPR)
GDPR is bringing in new legal protection for personal information from May 2018. This tells you what personal information Tree of Health and Wellbeing hold and why, and what your rights are. Once you have read it please confirm that you have read and accept this document.
GDPR is bringing in new legal protection for personal information from May 2018. This tells you what personal information Tree of Health and Wellbeing gather via the website/Facebook and why, and what your rights are.
Tree of Health and Wellbeing
Calle Domingo Yanes Luis 20,
San Miguel de Abona,
38620
Santa Cruz De Tenerife
Telephone No: 00 34 618 187 223
00 34 822 710 473
Email address: treeofhealthandwellbeing@gmail.com
Data Controller Contact Details: Denise Harris
Data Protection Officer Denise Harris
Information We Collect from You
Data can be collected and processed while you use our website.
The following are approved methods of collection:
1.1 If you register for information or complete a purchase, by filling out a form we can collect the information provided.
1.2 Traffic data, weblogs, location data, and any other communication can be collected. These details come from your visit to our site and any resource tools you use while on the site.
1.3 Any communication on our website or to personnel allows us to collect information.
The Purpose of processing Client Data
In order to give professional Complementary treatments, Tree of Health and Wellbeing needs to gather and retain potentially sensitive information about your health. This information will only be used for informing treatments and associated recommendations concerning aspects of health and wellbeing which will be offered to you. Tree of Health and Wellbeing only takes basic contact details and information via the website to allow contact and handle bookings.
Lawful Basis for holding and using Client Information
- Legitimate interest: Required to retain the information about clients in order to fulfil the role of a health care practitioner and to provide them with the best possible treatment options and advice.
- Special Category Data – Health Related: Process under special category data, therefore the additional condition under which Information is held and used in order to fulfil expectations as a healthcare practitioner, bound under the CNHC (Complementary National Health Council), UK Reiki Federation, FHT (Federation of Holistic Therapies) confidentiality as defined in their Codes of Practice and Ethics.
Tree of Health and Wellbeing is required to hold your information for the following legal reasons:
- ‘Claims occurring’ insurance
- Law regarding children’s records
- CNHC requirements to retain information
- Your consent
What information Tree of Health and Wellbeing will hold and what we will do with it
In order to give professional Complementary treatments, there is a need to ask for and keep information about your health. This information will only be used for informing Complementary treatments and any advice given as a result of your treatment. This information will be taken at the first consultation.
The information to be held is:
- Your contact details
- Medical history and other health-related information (which will be taken from you at first consultation)
- Treatment details and related notes (which will be updated after each consultation)
Tree of Health and Wellbeing will NOT share your information with anyone else without explaining why it is necessary and getting your explicit consent.
How Long Your Information will be retained for:
Tree of Health and Wellbeing will keep information for the following periods.
- a) claims occurring insurance: Required to keep records for 7 years after the last treatment – (including following the client’s death)
- b) law regarding children’s records: Required to keep records until the child is 25, or if 17 when treated then until they are 26.
Your data will not be transferred outside the EU without your consent.
Protecting Your Personal Data
Tree of Health and Wellbeing is committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, in place are the appropriate technical, physical and managerial procedures to safeguard and secure the information that has been collected from you.
You will be contacted using the contact preferences you have provided in relation to:
- Appointment times
- After care/treatments plans/information or information related to your health
- Special offers and promotions
You may unsubscribe from this at any time.
How we handle enquiries via email or text
If someone emails or texts with an enquiry, by this action it is understood that they are giving implied consent for Tree of Health and Wellbeing to hold and use their contact details.
On our website Tree of Health and Wellbeing includes the following statement:
“Please be aware that if you send any sensitive medical/health information, we will only hold and use this if we proceed to treatment, at which time we will require explicit consent from you to hold this data. If we do not proceed to treatment, we will erase this information.”
Your Rights
GDPR gives you the following rights:
- The right to be informed: to know how your information will be held and used (this notice).
- The right of access: to see your therapist’s records of your personal information, so you know what is held about you and can verify it.
- The right to rectification: to tell your therapist to make changes to your personal information if it is incorrect or incomplete.
- The right to erasure (also called “the right to be forgotten”): for you to request your therapist to erase any information they hold about you.
- The right to restrict processing of personal data: you have the right to request limits on how your therapist uses your personal information.
- The right to data portability: under certain circumstances you can request a copy of personal information held electronically so you can reuse it in other systems.
- The right to object: to be able to tell your therapist you don’t want them to use certain parts of your information, or only to use it for certain purposes.
- Rights in relation to automated decision-making and profiling.
Full details of your rights can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
Please note that Registration with the ICO (Information Controllers office) is NOT required by Tree of Health and Wellbeing, as detailed in the ICO document V 1.0 dated 21 February 2018, page 12:
“The name and address of the controller (for registered companies this should be the address of its registered office; for any other person carrying on a business, this should be that person’s principal place of business in the UK)”
Tree of Health and Wellbeing does NOT have any base in the United Kingdom and data is only processed in Tenerife.
THERAPIST’S RIGHTS
Please note:
- If you don’t agree to your therapist keeping records of information about you and your treatments, or if you don’t allow them to use the information in the way they need to for treatments, the therapist may not be able to treat you.
- Your therapist has to keep your records of treatment for a certain period as described above, which may mean that even if you ask them to erase any details about you, they might have to keep these details until after that period has passed.
- Your therapist can move their records between their computers and IT systems, as long as your details are protected from being seen by others without your permission.
Once you have met your therapist you will be asked to sign a declaration to confirm you have read the Privacy and Data Protection policy and that by signing this document you understand that Tree of Health and Wellbeing will hold and use your personal information, using it in order to provide the best possible treatment options and advice in line with the statements above.
GDPR: Data Protection Policy: Denise Harris
Tree of Health and Wellbeing
Document Created: 31st May 2022
Date of Last Review: 21st April 2023
Date of Next Review: 20th April 2024
Tree of Health and Wellbeing
Calle Domingo Yanes Luis 20,
San Miguel de Abona, 38620
Santa Cruz De Tenerife
Telephone No: 00 34 618187223
00 34 822710473
Email address: treeofhealthandwellbeing@gmail.com
Policy Purpose
This policy outlines the required data protection policy, and thus demonstrates compliance with the GDPR.
GDPR Registration
Registration has not been undertaken with the ICO as Tree of Health and Wellbeing does not have a base in the United Kingdom.
Policy Content
1. The data that is processed and how it flows into, through and out of the business.
Data comes into the business in 5 ways:
- a) Via email messages from potential clients (PC) and clients (C) that have the email address.
- b) Via text messages (as above)
- c) Via the website contact page (Hosted by “Desinian Website Solutions Ltd”)
- d) Via Facebook Messenger
- e) Via WhatsApp
It flows through the business via:
- Laptop/s – which remains at home unless taken for initial home visit
- Smart phone/s – Go everywhere
- IPad which remains at home
The information does not flow out of the business.
- The personal data held, where it comes from, who it may be shared with, and what happens to it.
Information Asset Register
- Personal information is held on clients that they have provided and given consent for this undertaking by signing the appropriate documentation.
- This includes name, address, contact details, and, where appropriate, age. In addition, health and wellbeing information is collected from them at their first consultation.
- Information about each treatment received is collected.
We do not share this information with anyone. (If a client asked for their records, or part thereof, to be shared, this would only be undertaken if they had signed a written request providing consent to share their information and specifically naming the party it is to be shared with. Written confirmation is also required from the party the client proposes to share the information with that they comply with the requirements of GDPR.)
- Information is maintained following treatments in order to provide appropriate advice within the realms of the treatment, professional experience and qualifications.
All data is kept for:
- claims occurring insurance: Required to keep records for 7 years after the last treatment – (including following the client’s death)
- law regarding children’s records: Required to keep records until the child is 25, or if 17 when treated then until they are 26.
- The lawful bases to process personal data and special categories of data.
Personal data under:
- Legitimate interest: Required to retain the information about clients in order to provide them with the best possible treatment options and advice.
- Special Category Data – Health Related: Process under special category data, therefore the additional condition under which Information is held and used in order to fulfil expectations as a healthcare practitioner, bound under the CNHC (Complementary Natural Health Council), UK Reiki Federation, FHT (Federation of Holistic Therapists)
- Privacy Notice
Individuals need to know that their data is collected, why it is processed and who it is shared with. This information is included in the privacy notice on the website and within any forms or letters sent to individuals, and is included at the first consultation with the client.
The privacy notice on the website and the privacy notice given to clients both include all of the information in the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table
If someone emails or texts with an enquiry, by this action it is understood that they are giving implied consent for Tree of Health and Wellbeing to hold and use their contact details.
On our website Tree of Health and Wellbeing will include the following statement:
“Please be aware that if you send any sensitive medical/health information, we will only hold and use this if we proceed to treatment, at which time we will require explicit consent from you to hold this data. If we do not proceed to treatment, we will erase this information.”
- Processes to recognise and respond to individuals’ requests to access their personal data.
All individuals will need to submit a written request to access their personal data – either by email or by letter. The information will be provided without delay and at least within one calendar month of receipt. This period may be extended by a further two months for complex or numerous requests (in which case the individual will be informed and given an explanation).
- The client will be identified using reasonable means, which, because of the special category under which data is processed, will be photographic ID.
- Records of any requests to access personal data will be maintained.
- Processes to ensure that the personal data held remains accurate and up to date.
Client information is kept up to date during treatments and will be further updated as/when informed by the client of any changes. Once a year data will be reviewed.
- Schedule to dispose of various categories of data, and its secure disposal.
Once a year during the process of client information review, any dormant client’s information will be secured in a separate electronic file. This information will be assessed each month to ensure that data that is no longer required to be kept under GDPR is destroyed securely.
- Procedures to respond to an individual’s request to restrict the processing of their personal data.
Information is only held in order to provide treatments. It is not envisaged that a request to restrict the processing of an individual’s personal data would be received. However, if such a request were received, it would be responded to as quickly as possible, and within one calendar month, explaining clearly what is currently done with their data, and that the data will continue to be held but will not be processed.
- Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
Should clients wish their data to be copied or transferred, this work would be undertaken in collaboration with the client to ensure that it is done in the way most appropriate for them – for example, this could be an electronic summary of treatment received and progress made, or copies of individual treatment records.
Transmission of data on the internet can never be ultimately secure. We do not and cannot guarantee security of information collected electronically or transmitted; however, we take all necessary steps to provide the best security available where we have control over the communications systems used. As a result of our inability to guarantee safety, you are submitting information to us at your own risk.
- Procedures to handle an individual’s objection to the processing of their personal data.
Clients will be informed of their right to object “at the point of first communication” and this is clearly detailed in the privacy notice.
Right to Erasure vs. the Requirement to retain Client Information for a ‘Designated Period’
The individual may request deletion or removal of personal data where there is no compelling reason for its continued processing. However, the requirement to retain client information for a designated period may provide a lawful basis to override this.
In fact, neither the ‘right to erasure’ nor the requirement to retain insurance records are deemed to be an absolute right.
Specific circumstances apply:
The ‘right to erasure’ holds when:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, e.g.:
  - the therapist does not have ‘claims occurring’ insurance (so there is no insurance requirement to hold the data), or
  - the data is more than 7 years old, and the therapist no longer requires it even though treatments continue, or
  - the therapist is no longer treating the client and the data is older than the ‘designated period’ (see above)
- if the lawful basis chosen is ‘consent’ and the individual withdraws consent.
- the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- the data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- the personal data must be erased in order to comply with a legal obligation.
- the personal data is processed in relation to chat rooms and other online services specifically for children.
The right to erasure may be overturned if the therapist has a lawful basis for retaining the information. In this case the therapist can refuse the erasure request but must be able to explain what that lawful basis is, for example:
- the therapist has (or had at the time of treatment) ‘claims occurring’ insurance, which means that the client may make a claim within 7 years of receiving treatment, and the insurance which was in force then will still allow a claim, as long as the therapist has retained the relevant treatment and client data.
- the therapist is CNHC registered and must abide by their information retention requirements (currently 8 years), which are defined by the Department of Health.
- Processing operations that constitute automated decision making.
There are no processing operations that constitute automated decision making and therefore, currently there is no requirement to have procedures in place to deal with the requirements. This right is, however, included in the privacy statement.
- Data Protection Policy
This document forms the data protection policy and shows how compliance with GDPR is achieved.
This is a live document and will be amended as and when any changes to the data processing take place; at the very least it will be reviewed annually.
- Effective and structured information risks management
The risks associated with data storage and collection, and how that risk is managed is as follows:
Theft of electronic devices – all electronic devices have password locks, which are changed regularly and are not shared with anyone outside of Tree of Health and Wellbeing.
Break-in at the office – all information is stored electronically. When the property is unoccupied there is an alarm system and CCTV in operation. (Data protection rules do not apply if you install a camera on your own home to protect it from burglary.)
- Named Data Protection Officer (DPO) and Management Responsibility
The DPO is Denise Harris, who will ensure that compliance with GDPR is maintained.
- Security Policy
Electronic equipment is selected on the basis of its industry record for robust inbuilt protection. Additional safety measures have been implemented, including security passwords.
- Data Breach Policy
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In the event of a breach the ICO will be notified of the breach where it is likely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned will be directly notified without undue delay.
In all cases records of personal data breaches will be maintained whether or not they were notifiable to the ICO.
Data Protection Policy created: 31st May 2022
This is a live document and will be updated as and when changes occur.
Date of Next Review: 20th April 2024
Tree of Health and Wellbeing
Denise Harris