It is our policy to collect, process and share your Data provided to us by you in order to carry out the services requested by you and any contact in relation to those services only. Your Data will not be used for any other purposes other than those explicitly stated in this policy or requested by you in your dealings with us.
You can opt-out of our anonymous Google Analytics by clicking here: Disable Google Analytics.
- The identity of the controller.
You are hereby informed that the Data that you provide is collected, used, protected, processed and shared by the clinic directors.
- Collection of Data
We may collect Data about our clients, prospects and visitors.
Your Data are collected when you browse our website, contact us via email, phone or in person or through our website.
Data we collect fall into the following categories:
- Identification information
- Contact information
- Medical information
- Browsing information
These Data are gathered directly from you via online booking and from direct communication with us, i.e. client intake form. Browsing history is collected via automated methods.
2.1. Information you provide to us
We process Data you provide directly to us, in particular when you complete a client intake form or book online.
For example, we collect Data when you create a booking, use the services, participate in a contest or promotion, register for an event or an online course, apply for a job, request customer support or otherwise communicate with us.
The Data may include the following data as well as any other type of information that we specifically request you to provide to us through our client intake forms, such as:
- Date of Birth
- Phone no
- Doctor’s details
- Next of kin
- Medical history
- Medical red flag
- Treatment notes
- Relationship data
- Browsing data
2.2. Data We collect automatically when you use our online services
When you access or use our online services, we automatically collect the following information about you:
- Log Information:We log information about your use of the Services, including the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to Our Services.
- Device Information:We collect information about the computer or mobile device you use to access Our Services, including the hardware model, operating system and version, unique device identifiers and mobile network information.
- Location Information:We may with your consent collect information about the location of your device each time you access or use one of Our mobile applications. If you initially consent to Our collection of location information, you may be able to subsequently stop the collection of these Data through your device operating system settings. You may also stop Our collection of location information by following the standard uninstall process to remove Our mobile applications from your device.
2.3. Information we collect automatically through Cookies and other tracking technology
A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and which is used to record information related to the navigation or the use of a device or a website.
A “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity. They are also sometimes referred to as pixels and tags (also known as “tracking pixels”). It may be used in Our Services or emails and help deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon. For more information about cookies, and how to disable them, please see “Your Choices” below.
Some of the cookies are used for the exclusive purpose of enabling or facilitating communication or are strictly necessary for the provision of our online services.
These are essentially of session cookies for authenticating and connecting to our online services, as well as memorizing navigation items during a session.
You have the ability to decline cookies by changing the settings on your browser but this might prevent you from benefiting from some elements of our online services. You can also consult or destroy cookies if you wish, since they are stored on your hard disk.
We may also use these technologies for other purposes than our online service operation such as:
- To improve our online services;
- To remember you, for your convenience, when you use our online services.
2.4. Third Party Cookies
When you access or use our online services, one or more cookies from third party are likely to be placed on your equipment.
We inform you that we have no access and cannot exercise any control over third party cookies. However, we shall ensure that the partner companies agree to process the information collected on our online services in compliance with the GDPR and undertake to implement appropriate measures for securing and protecting the confidentiality of the Data.
- How we use the Data
We may use information about you for the following purposes:
- provide, maintain and improve our services
- provide and deliver the service you request, process transactions and send you related information including confirmations and invoices
- send you technical notices, updates, security alerts and support and administrative messages
- respond to your comments, questions, requests and provide customer service
- monitor and analyse trends, usage and activities in connection with our services
- personalize and improve the services we provide
According to the GDPR, each Data processing is performed on one of the following legal basis:
- your consent
- the performance of the service requested by you
- How we share your Data
- We share your Data with our online booking system to help us provide our service including bookings, transactions, booking confirmations.
- In response to a request for information if we are required by, or believe disclosure is required by, any applicable law, regulation or legal process, including in connection with lawful requests by law enforcement, national security, or other public authorities.
- The period of Data retention
Our insurance providers require us to retain all records for a period of 7 years after the last appointment, or in the case of minors, for 7 years after their 18th birthday. We work off this for all data. (GDPR states that clients have a right to be forgotten and can request data deleted – queries have been put to the Data Protection Commissioners in regards to the conflict here)
Card details when card payments are taken over the phone. The card number is typed directly into the terminal and is never written or stored anywhere.
- Data transfer
Upon receiving a written request from you seeking Data transfer, we will provide a hardcopy copy of your original treatment notes with no alterations from the original. These will be handed in person or send by registered post.
- Data amendments
Upon receiving a request from you in regards to updating Data held by us, we will seek to correct our records at the earliest possible time.
We are committed to taking appropriate measures designed to keep your Data secure. Our technical, administrative and physical procedures are designed to protect Data from loss, theft, misuse and accidental, unlawful or unauthorized access, disclosure, alteration, use and destruction. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once it is received.
- Your rights
Under the General Data Protection Regulations 2018 (GDPR) individuals have the significantly strengthened rights to:
- obtain details about how their data is processed by an organisation or business;
- obtain copies of personal data that an organisation holds on them;
- have incorrect or incomplete data corrected;
- have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
- obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
- object to the processing of their data by an organisation in certain circumstances;
- not to be subject to (with some exceptions) automated decision making, including profiling.
Please contact us if you wish us to gather or delete your data.
- In the event of a Breach
Every precaution will be taken to avoid a breach of your Data, but if such a breach should occur, it will be documented, assessed as to its severity and appropriate action taken. The Data Proctection Commissioner will be informed, An Garda Siochana, the PSNI and financial institutions will be contacted for assistance and you will be contacted to help you take steps to mitigate the risks to yourself, if it is deemed a severe enough breach as to put you, your identity, your financial means etc. at risk.
Data Protection Procedures
Obtaining and storing data
What data is held?
- Date of Birth
- Phone no
- Doctor’s details
- Next of kin
- Medical history
- Medical red flag
- Treatment notes
- Relationship data
- Browsing data
Why is this data held?
- Name: client identification
- Address: for health insurance claims (address needs to be on receipt); identification; safety of practitioner; address to send them home if something happens.
- Date of birth: identification, i.e. for occasions when we have duplicate names. This is especially helpful for online bookings, to indicate if a duplicate profile has been created for an individual.
- Phone: to send reminder texts the day before, to keep cancellations and no shows to a minimum; in case we need contact them to cancel due to illness etc.
- Email: to send receipts and appointment confirmations. Only requested when clients book through our online system or for some specific reason, i.e. forwarding information. It is never added to any marketing list.
- Doctor’s details: if clients present with serious medical issues, in which case we may liaise with the GP or specialist.
- Next of kin: taken only in the case of children (with signed consent from parent or guardian and their presence in the room) and vulnerable adults.
- Medical history: to help our therapists understand what the client is presenting with on a given day, so a decision whether treatment is appropriate or not can be make, and to carry out any treatments in a safe way. We ask for a baseline level of detail as seen on our consultation chart initially and work off the extended consultation chart to seek further clarification where there is a more complex medical history.
- Medical red flags: this is taken from our paper records and noted in a highlighted area on our online system, to ensure whoever is seeing the client on a particular day is reminded and proceeds to treat appropriately. No details are given here.
- Treatment notes: our record of what happened during any contact with clients, kept only in hardcopy form.
- Relationship data: record of other clients whom you have informed us you have intimate relationships with, to help us provide a complete service. Records of who may have referred you or you them, to help us understand and improve our marketing and services.
- Browsing data: through cookies and Google analytics to help us understand how people use our website so we can identify issues and improve our service here.
Who is the data controller?
Herbs of Grace including it’s .
How was the data obtained?
Primarily, the data we hold is obtained during face to face consultation with clients. We go through a consultation form with them and discuss their presenting problem, expanding our questions as necessary to understand.
On the original booking, we will obtain a name and phone by phone or if the booking is made through our online system, we will look for date of birth and email address, home address and if applicable payment details.
Why was the data originally gathered?
Name, phone, email, home & billing address, payment details and date of birth are gathered at time of booking to secure booking, letting us know who is coming in and how to contact them with reminder text or should we need to cancel due to unforeseen circumstances. Other data is needed to carry out the treatments requested by the client.
Where is the data stored?
On our computer, we hold client names and our chart no for their records, for accessibility only, esp if internet goes down or our online system is offline.
On our phones, no names are stored, so as to ensure if they go missing, there is nothing of value on them. Our personal phones are not used for making or receiving work calls.
On our online booking system, we hold client name, our chart no, address, phone no, email if we have it, medical red flags if any, who referred them if relevant, clients who are related if any.
On our online store, we hold customer name, address, phone no, email. The website along with the information is stored on secure servers ran by TSO HOST a compliant UK-based hosting agency.
On our paper records, we hold client name, our chart no, address, phone no, medical history and treatment notes, and reports received from client in relation to their condition and any letters we have sent to them or on their behalf at their request.
Browsing data is held by Google Analytics.
The payment processors we work with are:
How secure is the data; encryption and accessibility?
We use a cloud-based online booking system to track and take bookings. This has extensive encryption security built into it and has been expanded with the General Data Protection Regulation 2018.
When we are not at the desk, the computer screen is locked and needs a password to access. This password is known to therapists in the clinic only and is recorded in a book that is kept in a locked safe and can only be accessed by clinic owners.
Names, addresses, phone no, email and date of birth are stored on this booking system, as well as their payment history and appointment schedule.
These and all other details, i.e. medical history, treatment notes, etc. are kept manually in a locked filing cabinet in a locked room. Access to this room is for clinic staff only and access to the filing cabinet is further restricted. The key to the cabinets is kept in the safe and can only be accessed by clinic owners.
Client record charts in use each day are kept in a folder that is with the therapist at all times and is not left lying around in view of a client.
Newly filled out record charts are put in a separate folder and locked into the filing cabinet at the end of each working day, awaiting processing, at which point they can be filed away with the rest.
Phones and devices used to take calls or access cloud-based online booking systems are kept locked by passwords and now left accessible to unauthorised people.
Client names are not saved to our phones to ensure the numbers are anonymous.
Is the data shared with 3rdparties and on what basis?
How long shall the data be retained?
Our insurance providers require us to retain all records for a period of 7 years after the last appointment, or in the case of minors, for 7 years after their 18thbirthday. We work off this for all data.
The one exception is when we take card payments over the phone. The card number is typed directly into the terminal and is never written or stored anywhere.
Amending incorrect data.
A change of name, address, phone no, email, doctor, etc. is done by the owner/managers of the clinic. Once the change needed has been brought to their attention directly by a client, or by another therapist on behalf of a client, the data will be updated on the online booking system straight away. Their paper records will be pulled and the update will be made to this file also.
Upon receiving a request from a client to transfer data to another therapist, solicitor, medical professional, a photocopy of the paper records including all medical history and treatment history will be sent by registered post, with no amendments, to the address provided by the client. The client must sign consent to this transfer, which states the date, the name and address of the recipient and acknowledgement of permission to send. This will be kept with their original records, as a record of the transfer and request to do so.
Data will only be destroyed after the allotted time frame as quoted above.
The online booking system can fully delete any details. The client records in question will be archived as per their system and then deleted completely.
The record of client name and chart no. listed on our computer will continue to be listed with a highlighted note indicating the date of its destruction.
The paper record will be removed and shredded on site. These are brought home in 2 separate bags, one at a time, to burn in a fire, checking that all paper is properly burned and that nothing is remaining.
Obtaining Data and consent to hold data
How is data obtained?
- Clients make contact with us to book a treatment.
- Once it is determined appropriate to book a treatment, basic details are recorded on our online system only. If the booking is taken in person, by email or by phone, name and phone number is all that is asked for. If the booking in done by the individual through our online system, they are asked for name, phone no, email and date of birth.
- At no point do we chase a client for details without them initiating the contact.
- We will not secure a booking without a name and phone no.
- They must sign consent to treatment and to data retention at this point.
- Browsing data is obtained by their use of our website.
What is a data breach?
A data breach is when our online system has been accessed at the core or if our account has been accessed at our level or if a person has got access to our premises and there is evidence or a risk of data being copies, accessed, destroyed or removed from our premises. If our work phones are accessed, they hold no risk as nothing is held on them. Our personal smart phones where we have accessed our online booking system pose more of a risk and so should be well locked and protected.
How to identify a data breach.
- Most systems online are so locked down that cybercriminals are looking for human error to access data.
- They are looking for card details and identity theft.
- They are getting in through administrative access
- Half or more small to medium sized businesses are hacked at some point and nearly three-quarters of these are unable to restore all information.
- Card breaches are identified when clients all begin reporting fraudulent charges on their accounts coming from our payment facility. Please see ‘Card Security Fraud Prevention’ for more.
- Physical break-in; be on the look-out for tampering signs at the door and windows accessing the premises, the internal doors, the safe and the cabinet where documents are stored.
- Online breaches have a number of signs that you can look out for.
- On your computer, look for unusually slow internet/computers – sign it may be exporting a lot of data.
- Look for high CPU cycle, memory usage or hard disk activity – sign it may be exporting a lot of data.
- Is your computer tampered with, not on/off as you left it?
- Are there new/moved/deleted files?
- Are there pop-ups and redirected websites while browsing (lot of advertisements) – your malware is trying to get you to slip-up and grant access.
- Locked out of accounts on first passwords entry – someone else has been trying/succeeded in getting access.
What to do if there has been a data breach.
- Fill out a Data Breach incident form asap and let the data controller know, who will then do the following.
- Within 72 hours (legal obligation or face a fine) of knowing something has happened, get in touch with the Data Protection Commissioners referring to the Data Breach form.
- Consider if clients affected need to be notified (risk of identity theft, card fraud or breach of confidentiality), so that they can take appropriate measures to mitigate the effects to their property, person or reputation. Notifying data subjects is a remedial measure intended to redress the balance and restore some measure of knowledge and control. Let them know who to contact in our organisation for more details.
- 3rdparties may need to be contacted to help; i.e. An Garda Siochana, the financial institutes.
- Keep a diary of any data breaches or suspected data breaches.