As a Complementary Therapist providing therapies to help improve the well-being of clients, Rachel Troullis is required to note personal information about her clients. This information will be kept secure, and no personal data will be shared with third-party organisations. The only exception to data sharing is where there is a safeguarding concern relating to a child or vulnerable adult perceived to be at risk of harm, in which case data may be shared with the necessary safeguarding agencies. You have the right to withdraw, at any time, the details I hold securely on file if you do not agree with my Data Protection Policy. Please see the Data Protection Policy for full details of how your data is protected.
UPDATED MARCH 2021: PLEASE NOTE: Should it become necessary, I will be required to share contact details with the NHS/Government Track and Trace Service. Contact details will be kept to the minimum requirement and no other personal data will be shared.
GDPR: Data Protection Policy
GDPR is bringing in new legal protection for personal information from May 2018. This notice tells you what personal information I gather via my website, why I gather it, and what your rights are.
Therapist Name: Rachel Troullis
Therapist’s Contact Details: 07961 906 503
Email address: Rachel.email@example.com
Data Controller Contact Details: As Above
This policy outlines my data protection policy, and thus how I comply with GDPR.
The Purpose of processing Client Data.
In order to give professional reflexology, massage treatments, Hopi Ear Candling and Baby Massage instruction, I will need to gather and retain potentially sensitive information about your health or your baby’s health. I will only use this information for informing reflexology and massage treatments, baby massage instruction and associated recommendations concerning aspects of health and wellbeing which I will offer to you.
The lawful bases for me to process personal data and special categories of data.
I process the personal data for:
I am required to retain the information about my clients in order to provide them with the best possible treatment options and advice.
My requirement to hold your information for the following legal reasons.
Special Category Data: As I hold special category data (i.e. health-related information), the Additional Condition under which I hold and use this information is: for me to fulfil my role as a health care practitioner bound by the CThA confidentiality requirements as defined in the CThA Code of Practice and Ethics.
What information I hold and what I do with it:
In order to give professional treatments, I will need to ask for and keep information about your health. I will only use this for informing treatments and any advice I give as a result of your treatment. The information to be held is:
Your contact details (name, address, contact number and email).
Medical history and other health-related information (which I will take from you at first consultation). I will only use this information for informing treatments and associated recommendations concerning aspects of health and wellbeing which I will offer to you.
Treatment details and related notes (which I will take after each consultation), in particular for reflexology treatments.
I retain basic contact and address details upon initial contact to book an appointment and so that an appointment reminder message can be sent. This is before the initial consultation form has been completed. This is used for this purpose only. It is not given to any third party.
I retain basic contact details and address details for vouchers in case there is an issue with the voucher you have purchased.
I retain basic contact details and information via my website to allow me to contact you and handle bookings.
I don’t share this information with anyone. However, please note that, in line with Safeguarding protocols, in the event that there is an indication that a child or vulnerable adult may be at risk of harm, it is an obligation to report concerns to the necessary agencies.
For my own health and safety: as I am predominantly a mobile therapist, I retain your contact and address details on the Fresha app for my own health and safety when visiting clients in their homes.
I will NOT share your information with anyone else (other than within my own practice, or as required for legal process) without explaining why it is necessary, and getting your explicit consent.
How Long I Retain Your Information for:
I keep all data for:
claims-occurring insurance: for which I am required to keep my records for 5 years after the last treatment.
law regarding children’s records: for which I am required to keep my records until the child is 25, or, if the child was 17 when treated, until they are 26.
registration with The Complementary Therapist Association (CThA) and Holistic Insurance: for which I am required to retain information for 5 years.
Your data will not be transferred outside the EU without your consent.
Protecting Your Personal Data:
I am committed to ensuring that your personal data is secure. In order to prevent unauthorised access or disclosure, I have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information I collect from you.
I will contact you using the contact preferences you give me in relation to:
Reflexology, massage and baby massage information or information related to your health.
Follow up messages after treatments.
Special offers and promotions (you may unsubscribe from this at any time).
The data that I process and how it flows into, through and out of my business:
Data comes into my business in 4 ways:
Via email messages to me from potential clients and clients that have my email address.
Via text messages to my mobile phone.
Via my website [web provider: wix.com].
Via Facebook Messenger and other social networking platforms.
Via Google Analytics (website traffic analysis).
It flows through my business via:
Laptop - which I use at my work/home premises [password protected and has up-to-date anti-virus software].
Fresha appointment app – my electronic online calendar, which I use to book appointments and to send appointment reminders [password protected, with external access to the app so that the password can be changed if my mobile is taken].
Email account – used to communicate with clients to book appointments and to send and receive consultation forms [password protected].
Website – potential clients use the website’s contact me page. I do not retain IP address information [password protected].
The Cloud – as a backup tool for my accounts, invoices, receipts, consultation forms, and other documents which may contain client details [password protected].
Google Analytics – analysis of website traffic. I do not retain IP address information [password protected].
Smart phone – has client contact details and access to Fresha App and email App [password protected].
Paper file – which is at my work/home premises [lockable file and house is alarmed].
The information does not flow out of my business.
GDPR gives you the following rights.
Processes to recognise and respond to individuals' requests to access their personal data: All individuals will need to submit a written request to access their personal data - either by email or by letter. I will provide that information without delay and at least within one calendar month of receipt. I can extend this period by a further two months for complex or numerous requests (in which case the individual will be informed and given an explanation). I will identify the client using reasonable means, which, because of the special category of data I process, will be photographic ID. I will keep a record of any requests to access personal data.
The right to be informed: To know how your information will be held and used (this notice).
The right of access: To see your therapist’s records of your personal information, so you know what is held about you and can verify it.
The right to rectification: To tell your therapist to make changes to your personal information if it is incorrect or incomplete.
The right to erasure (also called “the right to be forgotten”): For you to request your therapist to erase any information they hold about you.
The right to restrict processing of personal data: You have the right to request limits on how your therapist uses your personal information.
The right to data portability: under certain circumstances you can request a copy of personal information held electronically so you can reuse it in other systems.
The right to object: To be able to tell your therapist you don’t want them to use certain parts of your information, or only to use it for certain purposes.
Rights in relation to automated decision-making and profiling.
The right to lodge a complaint with the Information Commissioner’s Office: To be able to complain to the ICO if you feel your details are not correct, if they are not being used in a way that you have given permission for, or if they are being stored when they don’t have to be. Full details of your rights can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
If you wish to exercise any of these rights, please contact me on the details at the top of this page.
If you don’t agree to your therapist keeping records of information about you and your treatments, or if you don’t allow them to use the information in the way they need to for treatments, the therapist may not be able to treat you.
Your therapist has to keep your records of treatment for a certain period as described above, which may mean that even if you ask them to erase any details about you, they might have to keep these details until after that period has passed.
Your therapist can move their records between their computers and IT systems, as long as your details are protected from being seen by others without your permission.
Processes to ensure that the personal data I hold remains accurate and up to date:
I will ensure that client information is kept up to date during our treatments, and will update client information as I am informed of any changes.
Schedule to dispose of various categories of data, and its secure disposal:
Once a year I will review my client information and will place dormant clients in a separate file. This will be reviewed in a timely manner to ensure that data that is no longer required to be kept under GDPR is destroyed securely.
Procedures to respond to an individual’s request to restrict the processing of their personal data:
As I only hold data in order to provide treatments, I cannot envisage a situation where I would receive a request to restrict the processing of an individual’s personal data. However, if I do receive a request I will respond as quickly as possible, and within one calendar month, explaining clearly what I currently do with their data and that I will continue to hold their data but will ensure that it is not processed.
Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability:
Should clients wish their data to be copied or transferred, I would work with the client to ensure that this is done in the way most appropriate for them - for example, this could be an electronic summary of treatment received and progress made, or copies of individual treatment records. I do not hold any treatment information electronically.
Processing operations that constitute automated decision making:
I do not have any processing operations that constitute automated decision making and therefore do not currently require procedures to deal with those requirements.
Data Protection Policy:
This document forms my data protection policy and shows how I comply with GDPR. This is a live document and will be amended as and when any changes to my data processing take place; at the very least it will be reviewed annually. As the only member of staff, I believe that I have done an appropriate amount of research around the implications of the new GDPR, including taking heed of the advice and guidance provided by my professional membership organisation (CThA).
Effective and structured information risks management:
The risks associated with my data, and how each risk is managed, are as follows:
Theft of electronic devices - all electronic devices have password locks, which are changed regularly and are not shared with anyone.
Break-in at home - all my paper files are stored in a locked filing unit in my home. No one else has the key but me.
Theft of paper file while at home - my home is fitted with a burglar alarm.
Named Data Protection Officer (DPO) and Management Responsibility:
Although not required to have a named DPO, as the sole employee I am the DPO and will ensure that I remain compliant with GDPR.
Data Breach Policy:
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
I understand that I only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, I will notify those concerned directly and without undue delay.
In all cases I will maintain records of personal data breaches, whether or not they were notifiable to the ICO.