SALLY ANN HUTCHESON
50 West Hill Way
London N20 8QS
sally@sallyannhutcheson.co.uk
www.sallyannhutcheson.co.uk
077667 10057
0208 446 7935
The business of the provision of homoeopathy, kinesiology, allergy testing and naturopathy and cranio-sacral and nutritional therapy services (“The Business”)
 
PRIVACY NOTICE

The Business holds some information about each of its clients. This document outlines how that information is used, who I may share that information with and how I keep it secure. This notice does not provide exhaustive detail. However, I am happy to provide any additional information or explanation needed. Any requests for this should be sent to me at the address or email address above.

I keep my Privacy Notice under regular review. This Privacy Notice was last reviewed in June 2018.

What I Do

The Business provides the above listed services to clients to seek to improve their health. I aim to understand the underlying causes of clients’ health issues which I will seek to address through personalised dietary advice, nutritional and homoeopathic prescription, cranio sacral therapy and lifestyle advice.
 
How I Obtain A Client’s Personal Data

A. Information provided by the client in one or more of the following ways:
  • By completing a pre-consultation questionnaire
  • By signing a terms of engagement form
  • During a consultation
  • Through email, over the telephone or by post 
This may include the following information:
  • basic details such as name, address, contact details and next of kin
  • details of contact I have had with the client such as referrals and appointment requests
  • health information including the client’s previous medical history, dietary, lifestyle, supplement and medicine details, biochemical test results, clinic notes and health improvement plans
  • GP contact information 
I use this information in order to provide a client with direct healthcare.  This means that the legal basis of my holding a client’s personal data is for ‘legitimate interest’. 

Following completion of a client’s healthcare I retain their personal data for the longest of the periods specified by those professional associations to which I belong that govern the particular treatment(s) the client has received. This will usually be the date seven years following the date of the final consultation; in the case of treatment of a minor, the later of that date and the date seven years after achieving the age of majority. This enables me to process any complaint the client may make.  In this case the legal basis of my holding a client’s personal data is for contract administration.

B. Information I get from other sources

I may obtain sensitive medical information in the form of test results from biochemical testing companies.  I use this information in order to provide the client with direct healthcare.  This means that the legal basis of my holding that client’s personal data is for legitimate interest.  
I may obtain sensitive information from other healthcare providers.  The provision of this information is subject to the client giving me their express consent. If I do not receive this consent, I will not be able to coordinate a client’s healthcare with that provided by other providers which means the healthcare provided by me may be less effective.


How I use a client’s personal data

I act as the Business’ data controller for use of a client’s personal data to provide direct healthcare.  I also act as  controller and processor in regard to the processing of a client’s data from third parties such as testing companies and other healthcare providers.
 
I undertake at all times to protect all clients’ personal data, including any health and contact details, in a manner which is consistent with my duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection.  I will also take reasonable security measures to protect all clients’ personal data storage.

I may use a client’s personal data where there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.  Also where there is a legal requirement such as a formal court order.
 
Do I share a client’s information with other organisations?

I will keep information about each client confidential.  I will only disclose such information to third parties with a client’s express consent, with the exception of the following categories of third parties:
  • My registrant body and relevant professional association(s), for the processing of a complaint made by that client
  • Any contractors and advisors that provide a service to me or act as my agents on the understanding that they keep the information confidential
  • Anyone to whom I may transfer my rights and duties under any agreement I have with that client
  • Any legal or crime prevention agencies and/or to satisfy any regulatory request (eg, if I have a duty to do so or if the law allows me to do so).
I will seek a client’s express consent before sharing their information with their GP or other healthcare providers.  However if I believe that a client’s life is in danger then I may pass their information onto an appropriate authority (such as the police, social services in the case of a child or vulnerable adult, or GP in case of self-harm) using the legal basis of vital interests.

I may share a client’s case history in a strictly anonymised form with my peers for the purpose of professional development.  This may be at clinical supervision meetings, conferences, online forums, and through publishing in medical journals, trade magazines or online professional sites.  I will seek the relevant client’s explicit consent before processing their data in this way.
 
What are a client’s rights? 

Every individual has the right to see, amend, delete or have a copy, of data held that can identify them, with some exceptions. A client does not need to give a reason to see their data.
If a client wants to access their data they must make a subject access request in writing to me at the above address or email address. Under special circumstances, some information may be withheld. I shall respond within 20 working days from the point of receiving the request and all necessary information from the client.  My response will include the details of the personal data I hold on the client including:
  • Sources from which I acquired the information
  • The purposes of processing the information
  • Persons or entities with whom I am sharing the information
The client has the right, subject to exemptions, to ask to:
  • Have their information deleted. (This is subject to professional regulatory requirements).
  • Have their information corrected or updated where it is no longer accurate
  • Ask me to stop processing information about them where I am not required to do so by law or in accordance with the guidelines of the professional bodies to which I belong relevant to that client’s treatment
  • Receive a copy of their personal data, which they have provided to me, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller, without hindrance from me.
  • Object at any time to the processing of personal data concerning them
I do not carry out any automated processing which may lead to automated decisions based on a client’s personal data.
If a client would like to invoke any of the above rights then please write to me as Data Controller of the Business at the above address or email address.
 
What safeguards are in place to ensure data that identifies a client is secure?

I only use information that may identify a client in accordance with GDPR. This requires me to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, I also have to follow the common law duty of confidence, which means that where identifiable information about a client has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.
I will protect all clients’ information, inform each client of how their information will be used, and allow each client to decide if and how their information can be shared.
I also ensure the information I hold is kept in secure locations; access to information is restricted to myself and any specifically authorised locum only; personal and confidential information held on equipment such as laptops is protected with encryption (which masks data so that unauthorised users cannot see or make sense of it). I will ensure that any external data processors that support me are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
The Business is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website (search by business name).


How long do I hold confidential information for?

All of a client’s records held by the Business will be kept for the longest of the periods specified by guidance from those professional associations to which I belong which govern the particular treatment(s) that client has received. This will usually be the date seven years after the date of the final consultation. In the case of a minor, it will usually be the later of that date and the date on which the patient achieves the age of majority. 

Website technical details

My website www.sallyannhutcheson.co.uk uses cookies to ensure that visitors get the most out of the Site.
A cookie is a text file sent by a web server to a web browser and stored by the browser. The text file is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser. Thus a cookie may be sent which may be stored on your browser on your computer’s hard drive. The information obtained from the cookie may be used in the administration of the site and to improve the site’s usability, as also to recognise a site visitor’s computer on a later visit to the site.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org. Note that where a browser is set to reject cookies, use of some site features may be limited.


Analytics

My website may make use of analytics software for website traffic analysis and reporting in order to help understand the trends in popularity of my website and of different sections. Analytics service providers generate statistical and other information about website use by means of cookies. The information thus generated may be used to create reports about the use of the site and the relevant analytics service provider will store this information.
I make no use of any personally identifiable material from any such information.


Complaints

If a client has a complaint regarding the use of their personal data then they should please contact me by writing to me as Data Controller of the Business at the above address or email address and I will do my best to help.
If a complaint is not resolved to a client’s satisfaction and they wish to make a formal complaint to the Information Commissioner’s Office (ICO), they can be contacted on 01625 545745 or 0303 1231113. 
 
  
 