Privacy

GDPR PRIVACY NOTICE

Indigo Wellbeing (herein called the clinic) is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to protecting the privacy and security of your personal information. This privacy notice describes, in line with GDPR, how we collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

This notice applies to current and former patients.

By using this site you are signifying that you agree with this Privacy Notice. This policy applies to this site only. If you leave this website via a link or otherwise, you will be subject to the policy of that website provider.

Data protection principles

In relation to your personal data, we will comply with data protection law. This says that the personal information we hold about you must be:

• processed fairly, lawfully and in a clear, transparent way

• collected only for valid reasons that we find proper for the course of your time as a patient and not used in any way that is incompatible with those purposes

• only used in the way that we have told you about

• accurate and up to date

• kept only as long as is necessary for the purposes we outline

• process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed

• kept securely

Types of information we hold about you

Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed. We hold many types of data about you, including:

• your personal details including your name, address, date of birth, email address, phone numbers, gender, marital status.

• personal medical or health information, including past medical history

• information concerning examination and treatment at your first and subsequent visits

• letters of referral to or from the clinic regarding your treatment with us.

• Diagnostic Testing and the reports in relation to these.

How we collect and store your data

We collect data about you in a variety of ways and this will usually start when you make an enquiry to the clinic and continue when you attend your first and subsequent appointments.

We keep paper files and electronic records. Information we write down on paper may be transferred to our electronic system.

We may receive information about you from your GP or other health care provider regarding your referral or, with your permission, additional information that will help us to continue with your treatment.

We may also hold the results of tests that you have undertaken and that are relevant to your treatment with the clinic.

Your personal Information (name, phone numbers and email address) may be stored on mobile phone and computer devices for use in providing the services of Indigo Wellbeing. The data is protected with a password protection system.

All client files and paper notes are kept in a locked filing cabinet, held at Indigo Wellbeing’s registered address.

Our email correspondence is password protected and the email service provider ensures that the emails are secure and encrypted.

Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998.

If our sessions take place online they will be conducted using a secure TeleHealth platform services. The data transmitted during meetings, webinars and chat sessions are encrypted and secure. Any services are compliant with the GDPR. Any recording of these sessions will always be with strict permission from all parties involved in the meeting.

Unfortunately, the transmission of information via the internet and e-mail is not completely secure. Although every effort is made to protect your personal data, the security of your data cannot be absolutely guaranteed. Any transmission is at your own risk.

Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk.

Your personal information will never be sold, loaned, rented or transferred or disclosed to third parties.

Why we process your data (How we will use information about you)

The law on data protection allows us to process your data for certain reasons only, these are classified as legitimate interests. Most commonly, we will use your personal information in the following circumstances:

• in order for us to carry out our contract with you (your requesting treatment and our agreement to provide it constitutes a contract) which will include confirming appointments, informing you of changes to appointments or clinic arrangements, changes to facilities or services at the clinic, ordering supplements and ordering diagnostic testing.

• in order to provide you with the best possible treatment by recording health and treatment information which would be in your best interest.

• in order to carry out legally required duties

Your data will also be used to manage future communications between us including about our products and services. You can opt out from receiving such communications services at any time.

We may use your personal information in these rare situations:

• where we need to protect your or someone else’s interests

• where it is needed in the public interest or for official purposes

Sharing your data

• Your data will be shared with colleagues and team members within the Clinics where Emily Harris Naturopath operates from but only where it is necessary for them to undertake their duties or facilitate your treatment. This includes, for example, other practitioners and reception staff.

• Your personal data will be used to allow us to provide you with our services as your naturopath and nutritional therapist in quoting for, arranging and administering your diagnostic testing, and supplement orders.

• We may share your data with third parties in order to facilitate a referral to another healthcare practitioner, investigation or to keep your GP informed about your progress with treatment.

• If you wish to work with a member of my team, your informed consent will always be obtained before passing on any personal and sensitive information. It will always be shared only according to your specific wishes.

Situations in which we will use your personal information

We need all the categories of information to primarily allow us to perform our contract of treatment with you and to enable us to comply with legal obligations.

If you do not provide your data to us

One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of care with us. If you do not provide us with the data needed to do this, we will be unable to perform that care to ensure your best interests are being maintained. We may also be prevented from continuing with your treatment with us due to our legal obligations.

Change of purpose

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Transferring information outside the EU

We do not share your data with bodies outside of the European Economic Area.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of your being a patient with us and up to a maximum of ten years since your last appointment, as we are legally required to keep this data for a minimum of eight years after your time as a client has ended. To determine the appropriate retention period for personal data beyond eight years, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.

Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your time as a patient with us.

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold on you.

• the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request. Find out how to do this by e-mailing Emily Harris at emily@indigowellbeing.co.uk.

• the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you can require us to correct it.

• the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice. We also must inform you of any changes to how we use your data.

• the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it. However, we are by law obliged to keep your personal data for at least 8 years after your last appointment with us.

• the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.

• the right to portability. You may request transfer of the data that we hold on you for your own purposes.

• If you want to access your data, review, verify or correct your data, request we erase your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Emily Harris in writing at emily@indigowellbeing.co.uk

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so.

To withdraw consent, contact Emily Harris at emily@indigowellbeing.co.uk

Making a complaint

If you have any questions about this Privacy Notice or how we handle your information, please contact Emily Harris on emily@indigowellbeing.co.uk.

You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO).