Created: 22 May 2018
Date of Last Review: 22 May 2018
Date of Next Review: 22 May 2019
Data Protection Policy: Simply Massage
Station Road, Coltishall, Norfolk NR12 7JG
266029 or 07713578718
This policy outlines my data protection policy, and thus how I comply with the GDPR.
I have registered with the ICO and this is renewed automatically each year.
1. The data that I process and how it flows into, through and out of my business.
Data comes into my business in 4 ways:
a. Via email messages to me from potential clients (PC) and clients (C) who have my email address, linked through my website.
b. Via text messages (as above).
c. Via my website.
d. Via Facebook Messenger.
It flows through my business via:
a. My PC/laptop/tablet, which never leave the house.
b. My smart phone, which goes everywhere I go.
c. My paper file: all client notes are held on paper/record cards and remain at home.
The information does not flow out of my
2. The personal data I hold, where it came from, who I share it with and what I do with it.
Information Asset Register
I hold personal information about my clients that they have given me. This includes name, address, contact details and, where appropriate, age.
I also hold health and wellbeing information about them, which I collect from them at their first consultation.
I hold information about each treatment that they receive from me.
I don’t share this information.
I use the information I have to inform my treatments and to provide clients with any appropriate advice within the realms of the treatment, my professional experience and qualifications.
I keep all data for:
a. Claims-occurring insurance: for which I am required to keep my records for 7 years after the last treatment.
b. The law regarding children’s records: for which I am required to keep my records until the child is 25, or, if 17 when treated, until they are 26.
c. Registration with The Complementary Therapists Association: for which I am required to retain information for 8 years.
3. The lawful bases for me to process personal data and special categories of data.
I process the personal data under:
a. Legitimate interest: I am required to retain the information about my clients in order to provide them with the best possible treatment options and advice.
b. Special category data (health related): I process this under the special category data rules, therefore the additional condition under which I hold and use this information is for me to fulfil my role as a healthcare practitioner.
4. Privacy Notice
Individuals need to know that their data is collected, why it is processed and who it is shared with. This information is included in my privacy notice, which is signed and presented at my first consultation with my client.
5. Procedures to recognise and respond to individuals' requests to access their personal data.
All individuals will need to submit a written request to access their personal data, either by email or by letter. I will provide that information without delay and at the latest within one calendar month of receipt. I can extend this period by a further two months for complex or numerous requests (in which case the individual will be informed and given an explanation).
I will identify the client using reasonable means, which
because of the special category under which I process data, will be
I will keep a record of any requests to access personal
6. Procedures to ensure that the personal data I hold remains accurate and up to date.
I will ensure that client information is kept up to date during our treatments, and will update client information as I am informed of any changes. This will be reviewed periodically.
7. Procedures to dispose of various categories of data, and its secure disposal.
Periodically I will review my client information and will place dormant clients in a separate file. This will be assessed periodically to ensure that data that is no longer required to be kept under GDPR is destroyed by shredding.
8. Procedures to respond to an individual’s request to restrict the processing of their personal data.
As I only hold data in order to provide treatments, I cannot envisage a situation where I would receive a request to restrict the processing of an individual’s personal data. However, if I do receive a request I will respond as quickly as possible, and within one calendar month, explaining clearly what I currently do with their data and that I will continue to hold their data but will ensure that it is not processed.
9. Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
Should clients wish their data to be copied or transferred, I would work with the client to ensure that this is done in the way that is most appropriate for them; for example, this could be an electronic summary of treatment received and progress made, or copies of individual treatment records. I do not hold any treatment information electronically.
10. Procedures to handle an individual’s objection to the processing of their personal data.
I will inform my clients of their right to object “at the point of first communication” and have clearly laid this out in my privacy notice.
11. Processing operations that constitute automated decision making.
I do not have any processing operations that constitute automated decision making and therefore do not currently require procedures in place to deal with the requirements. This right is, however, included in my
12. Data Protection Policy
This document forms my data protection policy and shows how I comply with GDPR.
This is a live document and will be amended as and when any changes to my data processing take place; at the very least it will be reviewed annually.
As the only member of staff I believe that I have done an appropriate amount of research around the implications of the new GDPR, including taking heed of the advice and guidance provided by my professional membership organisation (the Complementary Therapists Association).
13. Effective and structured information risk management
The risks associated with my data, and how each risk is managed, are as follows:
a. Theft of electronic devices: I have password locks on all electronic devices, which are changed regularly and are not shared with anyone.
b. Break-in at home: all my paper files are stored in a filing cabinet in a locked house.
14. Named Data Protection Officer (DPO) and Management
Although not required to have a named DPO, as the sole trader I am the DPO and will ensure that I remain compliant.
15. Security Policy
As detailed in my risk assessment above. I have also chosen my electronic equipment based on its industry record of having the most robust inbuilt protection.
16. Data Breach Policy
A personal data breach means a breach of security leading
to the destruction, loss, alteration, unauthorised disclosure of, or access to,
I understand that I only have to notify the ICO of a
breach where it is likely to result in a risk to the rights and freedoms of
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, I will notify those concerned directly and without undue delay.
In all cases I will maintain records of personal data breaches, whether or not they were notifiable to the ICO.
Data Protection Policy created: 22 May 2018
This is a live document and will be updated as and when changes occur.
Date of Next Review: 22 May 2019
ALL CLIENT INFORMATION IS CONFIDENTIAL BETWEEN THE CLIENT AND SIMPLY MASSAGE AND NOT SHARED WITH ANYONE ELSE