Cookie Policy

We use cookies on our website (these small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you have accepted them) that enables the sites or service providers systems to recognize your browser and capture and remember certain information.

These cookies to help save your preferences for future visits and compile aggregate data about site traffic and site interaction so that we can provide an excellent site experience and tools in the future.

Staff responsibilities

Staff members who process personal data about clients, staff,  job applicants, or any other individual must comply with the requirements of this policy.

Staff members must ensure that:

  • All personal data is kept securely;
  • No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  • Personal data is kept in accordance with the clinic’s record keeping retention policy
  • Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer (Practice Manager)
  • Any data protection breaches are swiftly brought to the attention of the Owner and/or Data Protection Officer
  • Where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Officer
  • Staff that are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Owner and /or Data Protection Officer.

Where a third-party Data Processor is used ( ie Cliniko)

  • The Data Processor must provide sufficient guarantees about its security measures to protect the processing of personal data;
  • Reasonable steps must be taken that such security measures are in place;
  • A written contract establishing what personal data will be processed and for what purpose must be set out;
  • A data processing agreement must be signed by both parties.

Self-employed Contractors (Therapists)

The Clinic is responsible for the use made of personal data by anyone working on its behalf.  Such staff must be appropriately vetted for the data they will be processing. In addition the clinic must ensure that:

  • Any personal data collected or processed, in the course of work undertaken for the Clinic is kept securely and confidentially.
  • All personal data processed (eg notes) is held in the clinic, including any copies that may have been made.
  • The clinic receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the Clinic
  • Any personal data made available by the Clinic, or collected, in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from the Clinic
  • All practical and reasonable steps are taken to ensure that self- employed contractors (Therapists) do not have access to any personal data beyond what is essential for the work to be carried out properly.
  • Therapists must familiarise themselves with the principles of GDPR before they start ensuring that their personal data provided to the Clinic is accurate and up to date.

3. Subject Access Requests

The clinic is required to permit individuals to access their own personal data held by the clinic via a subject access request. Any individual wishing to exercise this right should do so in writing to the Data Protection Officer.

The clinic aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 14 days of receipt of the request .

4. Data Protection breaches

Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer.

The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.

5. Contact

Queries regarding this policy or the Data Protection Act at large should be directed to the Owner/ Data Protection Officer.