Introduction
The Healing Haven is committed to keeping your personal data safe and secure. Your trust is really important to us and we want you to be confident when sharing your personal information with us that we will keep it safe.
Due to a change in the law, we’ve updated our Privacy Policy to make it easier for you to understand what information we collect and keep, why we collect this information and how your data is handled by us in line with good practice. It also sets out your individual rights to know what data is being held about you, how this data is processed and how you can place restrictions on the use of your data.
The Policy meets the requirements of the General Data Protection Regulation (“GDPR”).
The services we offer
The Healing Haven offers complimentary therapy services, workshops and publishes an irregular free newsletter to clients.
The type of data collected will differ for each of these services and so each is outlined separately below.
Whilst we aim to ensure that there are no breaches to this Policy, mistakes do, unfortunately, sometimes happen. We would take any breach of this kind very seriously and would contact the individual concerned, as well as the ICO if necessary.
What counts as personal data?
Personal data is information relating to an identified or identifiable individual, such as name, address, contact details and in some cases age, date of birth and gender.
Specific details about the data that we collect for each of the services outlined above are set out here:
1. Publishing information for the public about services via our website and in newsletters
Our website is set up to automatically collect cookies from our visitors. When you visit the site you will be asked to confirm that you are happy for this information to be collected.
Cookies are small text files placed on your device that remember your web preferences and some details of your visits to websites. They don’t collect personal information. The point of them is to enhance your online user-experience by helping a website respond to you as an individual user and tailor how it works to your needs, likes and dislikes.
What if I don’t want you to collect this information?
By continuing to use our website you agree that we can save cookies on your device. If you don’t want this to happen, we can’t stop them from being collected but there’s a clever way to switch off cookies at your end in your web browser (e.g. Firefox, Safari, Internet Explorer). To find out how to do this you just need to search online for ‘Disable Cookies’ along with the browser you use (or your device e.g. Samsung phone, iPad, Android tablet).
2. The Healing Haven Newsletter list
Our newsletter is a free service open to members of the public and our clients. We use it to publicise what is happening within The Healing Haven - including forthcoming events, discounts, new services etc – as well as sharing other information that we feel might be of interest to people who have signed up to receive the newsletter.
You will only be on our mailing list if you have signed up to be on it since May 2018. You might have joined through the button on our website or seen us as a client.
We will have asked you to sign up with your name and email address and you will have given your permission to us to send specific emails to you.
Some key points:
- We will only keep your name and email address and these will be stored on the newsletter site (we use Yahoo) and on the database held by our administrators. This database is password protected.
- We will never share this information with any other company or use it to contact you except for the purpose of sending you our newsletter.
- If, at any time, you no longer want to receive the newsletter, use the ‘unsubscribe’ link at the bottom of the newsletter to take your contact details off the mailing list.
Why do we need your personal data?
We will use your personal data to manage your treatment with us, to provide you with information on services, discounts and events. Your documents are held on a physical and/or electronic file for each client/subscriber. The physical files are held in a lockable archiving cabinet; the electronic files are saved on a password protected laptop.
Where deemed of interest to our members, we might also send out advertising information on third parties (i.e. information on health programs or platforms) to a group of members or all of our members.
Guidance to our Clients – duties of the practitioner
Guidance to all our clients has been received on the type of data that they might keep.
For example, they might keep:
- Contact information – phone, email, address and next of kin
- Client questionnaire – signed by the client– which might include details of medical history and any medication, and what the client would like to work with at the outset (this might, of course, change over time). The client’s signature would confirm they understand their practitioner’s Privacy Policy and how their data will be used, stored and protected.
- Session notes – details of what has been worked with in the sessions
- To enable them to get in touch with their clients about booking and organising your sessions
- It helps to know who to contact in an emergency and flags up any medical conditions the practitioner needs to be aware of
- To have a better idea of what the client is bringing to the sessions and what they hope to get out of it
- Insurance companies require practitioners to keep records of their work for legal purposes
Confidentiality is in the very nature of each practitioner’s work with their clients – it underpins all of their work and so it’s important that clients can trust that any information they share will be looked after and respected. This allows the practitioner and client the opportunity to work together in a deep and safely held way.
The Healing Haven ensures that all our clients see keeping personal information safe as central to their work and a priority.
- Using locked storage of all paper records
- Using security and passwords on all devices (phones, laptops) where information is stored. This might include encryption, if possible
- Agreeing not to share client information and session notes without their consent. The exception here is when practitioners might use information from sessions as the basis for discussion in mentoring for reflection and guidance. In this case the identity of the client is not revealed.
- In this case, practitioners would first support their client to find a course of action to create safety.
- If that proved impossible, the practitioner might need to contact other appropriate professionals, for example the client’s GP, and they would hope to do this with the client’s permission.
- In the unlikely event of a practitioner being under a legal obligation to disclose information, they would first take appropriate professional advice, discuss the matter with the client if possible and keep the disclosure to the minimum necessary.
For legal purposes, insurance companies ask practitioners to keep client records and notes for seven years from the point of their final session.
Our guidance to our members is to regularly check their records to make sure that any client information that has passed this ‘retention’ period is taken out of secure storage and safely destroyed.
The rights of individuals
For all of the above categories, all individuals have legal rights governing the use of their personal data. These grant them the right to understand what personal data relating to them is held; for what purpose; how it is collected and used; with whom it is shared; where it is located; to object to its processing; to have the data corrected if inaccurate; to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
The GDPR provides eight rights for individuals. This section summarises each of these and provides the Healing Havens associated with each.
When an individual makes a request regarding any of these rights then, before any action is taken concerning the request, the Healing Haven will check that:
- The request is reasonable.
- Their identity is confirmed.
- There is no impact on other individuals’ personal data and their rights.
- There is no legal, regulatory or contractual requirement to retain the data in its current form.
1. The right to be informed about the personal data being processed
We need to let you know that we’re collecting your information and how we plan to use it. We aim to be as transparent as possible about how we use personal data. That’s why we have this privacy policy.
2. The right of access to your personal data
You can ask us to send you a copy of all the personal data we hold about you (subject to some exceptions). You need to officially ask us in writing for this – the best way to do this is to email us at [email protected]. We will get this data to you as quickly as we can, but bear in mind that it may take some time for us to pull the information together, make copies of it and send it all on to you.
3. Right to Rectification
Please get in contact with us if you think we hold any incorrect details for you and we will check our records and amend as necessary. Personal data can be rectified if it is inaccurate or incomplete.
The Healing Haven will amend the relevant data as soon as is reasonably possible. An email will be sent to the requesting individual to confirm, and act as a record of, the completion of the request.
4. The right to erasure
The Right to Erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is that an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
You can ask to have your data deleted if we’ve done something unlawful with it (e.g. sold it on to someone else) or we no longer need it (e.g. you’ve asked to be taken off our mailing list or you’re no longer a client). Obviously, this is subject to the rules we have to follow about keeping notes and info for legal/insurance purposes.
You can find out more about all the rights you have on the Information Commissioner’s webpage about individual rights.
After completing the checks detailed at the top of this section, the Healing Haven will delete the relevant data as soon as is reasonably possible. An email will be sent to the requesting individual to confirm, and act as a record of, the completion of the request.
5. Right to Restrict Processing
Individuals have a right to ‘block’ or suppress processing of their personal data.
When processing is restricted, the Healing Haven is permitted to store the personal data, but not further process it. The Healing Haven can retain just enough information about the individual to ensure that the restriction is respected in future.
After completing the checks detailed at the top of this section, the Healing Haven will not process the requesting individual’s personal data until notified. An email will be sent to the requesting individual to confirm, and act as a record of, this.
6. Right to Data Portability
The Right to Data Portability allows individuals to obtain and reuse their personal data for their own purposes. It allows them to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The Healing Haven holds only basic personal data. As such there is no data that falls under this Right.
7. Right to Object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
Companies can only carry out this type of decision-making where the decision is:
- Necessary for the entry into or performance of a contract; or
- Authorised by Union or Member state law applicable to the controller; or
- Based on the individual’s explicit consent.
Summary of Objectives
The Healing Haven will:
- Adhere to the GDPR Principles for processing personal data, as detailed in this Policy.
- Respect and support individuals’ rights concerning their personal data as detailed in GDPR.
- Ensure data protection is built in by design and default to all processes that include personal data.
- Consider and put in place organisational and technology measures to mitigate risks to personal data.
- Report data breaches to the individual concerned and the ICO if necessary.
- Handle complaints according to the Healing Haven Complaints Process.
- Monitor and maintain records to support the accountability requirement of GDPR.
- Review and audit this Policy and supporting processes and procedures annually as a minimum.
- Correct any identified deficiencies in this Policy and the supporting processes and procedures within a defined and reasonable time frame.
Everyone who works for or with the Healing Haven has responsibility for ensuring that personal data is collected, stored and handled appropriately.
The owner of the Healing Haven is ultimately responsible for meeting the Healing Haven legal Data Protection Obligations.
To ensure the understanding of responsibilities when handling personal data, the Healing Haven will:
- Provide training to all members of our Management Team on their responsibilities including security measures, so that they are aware of, and will adhere to, this Policy and associated documentation.
- Offer guidance to our members about their responsibilities in relation to data protection and privacy for their clients.
There are six data protection principles required by GDPR Article 5 and adhered to by the Healing Haven. This section outlines the responsibilities arising from these principles and the Healing Haven Policy for each. The different aspects outlined here have been included in this Privacy Policy, as necessary.
i) Lawful, Fair, and Transparent Data Processing
The Healing Haven will maintain a register of all personal data that it stores and processes, the purpose, the lawful bases for doing so, and any personal data that is shared with third parties.
ii) Processed for Specified, Explicit and Legitimate Purposes
The Healing Haven will obtain personal data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned.
Healing Haven Consent Policy
Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, the Healing Haven is committed to seeking such consent. Where special categories of data are stored and processed, consent will always be required. There are some exceptions to this as detailed in Article 9 of GDPR.
If and when the Healing Haven wishes to use personal data for any reason apart from what was originally agreed under the first principle, the Healing Haven will seek explicit consent.
Consent may be withdrawn by an individual at any time. The Healing Haven will record and manage consent given and withdrawn.
iii) Adequate, Relevant and Limited Data Processing
The Healing Haven will identify for each Data Subject the purpose of the processing and the minimum personal data it requires for the purpose.
iv) Accuracy of Data and Keeping Data up to Date
The Healing Haven will periodically check the accuracy of any personal data it stores and processes. Where reasonable, any rectifications identified, or notified by an individual, will be undertaken as soon as is practicable.
v) Timely Processing
The Healing Haven will identify the retention period for personal data stored and processed. Personal data will be deleted as soon as is practicable after that time.
vi) Secure Processing
The Healing Haven will use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data.
Changes to this Privacy Policy
This policy may change from time to time. We will do our best to make this visible by highlighting it on the privacy policy.