
Clinics 4 days a week
Saturday & evening appointments

The body and mind as a whole is a delicately balanced living miracle,
knowing this we treat each patient as a unique individual


DONCASTER:
45 Thorne Road
Doncaster DN1 2EX

Tel: (01302) 320023
Free parking on site

Privacy Notice & Data Protection Policy
Version 1.0.0    21-05-2018

Healing Partners Ltd takes protecting your data seriously, and will only collect and process data that is required to deliver our services, is lawful and maintains sufficient records to comply with our professional, legal and insurance requirements.


PONTEFRACT:
Kirk Smeaton

Tel: (01977) 620630
 

This Policy sets out Healing Partners Ltd.'s strategic commitment to data protection. It is the policy of the business to ensure the confidentiality, integrity and availability of information owned by both Healing Partners Ltd and clients is maintained in order to:

* Ensure continued quality of service

* Meet the business's contractual, legal and regulatory obligations

* Meet the needs and expectations of other interested parties.

Information security management shall be treated as an integral part of management activities and will be pursued in the same manner and with the same vigour as other managerial objectives.

Healing Partners Ltd. is committed to ensuring that personal data:

* is processed fairly and lawfully

* is only obtained for specified and lawful purposes

* is adequate, relevant and not excessive to the purpose(s) of which it is processed

* is accurate and kept up to date

* is not kept for longer than is necessary

* is processed in accordance with the rights of the data subjects

* is kept secure and is protected from unauthorised and unlawful processing and against accidental loss or destruction or damage by appropriate technical and organisational measures

* is not transferred to a country or territory outside of the EEA unless an adequate level of protection and rights and freedoms of the data subject(s) are ensured

1. Controller’s name and contact details

This statement applies to the processing of data by:

Healing Partners Ltd. the data controller and any contracted data processors appointed to provide a service to:

Healing Partners Limited, Midsummer House, Top House Court, Kirk Smeaton, North Yorkshire WF8 3LA

Tel: 01977 620630

Email: enquiries@healingpartners.co.uk

2. Collection and storage of personal data as well as type, purpose and legal basis

a) When you visit our website. We do not use cookies on our website to track behaviour or individually identify you. We do not use analytical software to profile our website traffic. We do not use cookies to track visitors, or for online advertising. We do not collect any personal data on our website. We invite visitors to contact us by email or phone only.

b) When you contact us with an enquiry. Email enquiries are automatically forwarded from the email host account at Namesco Limited (GB), Acton House, Perdiswell Park, Worcester WR3 7GD (for terms and conditions see https://www.names.co.uk/info/terms). Emails are forwarded to our cloud hosted email service at yahoo.com (see their privacy centre at https://policies.yahoo.com/us/en/yahoo/terms/index.htm). Alternatively, you can contact us by phone, where paper enquiry records are kept and stored in a locked, secure environment. At enquiry stage we collect your personal contact details, and any information you voluntarily give us concerning your treatment needs. If you progress with a consultation and treatment under our professional requirements, we are obliged to retain patient contact history for a minimum of seven years (or to age 25 in the case of minors). We only use your data for the purposes of completing your enquiry, and practice auditing. We do not use this data for electronic or direct marketing purposes.

c) When you book an appointment. You can book an appointment by phone or email. We use the cloud hosted appointment booking service provided by Acuity Scheduling Inc. The service is provided to us under their terms of service (see https://acuityscheduling.com/privacy.php) and when you visit their website or use their app, it is subject to their privacy policy (see https://acuityscheduling.com/tos.php). Their address for legal correspondence is Acuity Scheduling, ℅ Registered Agents Inc., 90 State Street, STE 700 Office 40, Albany, New York 12207. When you book an appointment, we ask you to complete registration forms for new patients, which includes your personal contact data (name, address, telephone, email) and brief information regarding your health, medical carers, medication, lifestyle, family history, how you found us, and presenting conditions. We only use this information for clinical purposes, in compliance with our professional body The British Acupuncture Council https://www.acupuncture.org.uk. These patient records are kept electronically and/or in paper form for a minimum of seven years after the last treatment contact with a patient (or until the patient is 25 years old), which is a requirement of our healthcare profession. Only authorised persons have access to patient records, which are stored in password protected systems and/or in a locked, secure environment. When returning for repeat treatments and booking repeat appointments, the above also applies. We do not use your personal appointment data for marketing purposes, although we may contact you regarding your appointment, such as rescheduling, for transactional purposes and under legitimate interest to provide you with a personalised and quality service to assist your healthcare goals.

d) When you attend an appointment. We may ask you to check and update your registration information (see c above). Your consultation will be with a qualified acupuncturist, who is required to record patient notes regarding diagnosis and treatment, advice given, referral suggestions and review information. These records are required to be retained for a period of seven years after the date of last treatment (or age 25 in the case of minors), in compliance with our professional body The British Acupuncture Council https://www.acupuncture.org.uk. Only authorised persons have access to patient records, which are stored in password protected systems and/or in a locked, secure environment. When returning for repeat treatments and booking repeat appointments, the above also applies. We do not use your personal treatment data for marketing purposes, nor do we share this information with third parties unless we are required by law or under supervision of The British Acupuncture Council.

e) Accounting and business administration. We are required by law to keep records of business income, which includes records of patient appointments and payments, including contact details used for invoicing and receipts (name, address, telephone, email, dates of treatments, category of treatment and amounts paid). This information is shared with our financial accountants Haigh & Co. Fulham Lane, Doncaster DN6 9BW, and retained for the statutory period. The information is used only for transactional and accounting purposes. This data is held in cloud-based accountancy software, Quick Books (Intuit Limited, 1 Cathedral Piazza, Victoria, London SW1E 5BP). The data is encrypted (see the security page https://quickbooks.intuit.com/uk/data-security/).

f) For payment processing. When you book your appointment you can pay through the cloud hosted appointment booking service provided by Acuity Scheduling Inc. (see 2 c above)

Your personal data will be passed on to third parties to the extent permitted by law and required pursuant to Art. 6 (1) sentence 1 lit. b GDPR for the purpose of payments and maintaining contractual relationships with you. This includes, in particular, the transfer of payment data to payment service providers or banking institutes in order to carry out payment transactions. These third parties are not permitted to use this data passed on to them for any other than the aforementioned purposes.

g) Personal and Special category data may be collected for statutory recording of accidents, and in reporting adverse events. Where possible this will be anonymised.

h) Provision has been made for the safekeeping, transfer and timely destruction of records in the event of death or serious injury to the Data Controller.

3. Rights of data subjects

You have the right:

Pursuant to Art. 15 GDPR to request information regarding your personal data processed by us. In particular, you may request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of appeal, the origin of your data, if this was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information on their details;

Pursuant to Art. 16 GDPR, to demand immediate rectification of incorrect data or completion of personal data stored by us;

Pursuant to Art. 17 GDPR, to request erasure of your personal data stored by us after the statutory 7 year retention period for medical records unless the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;

Pursuant to Art. 18 GDPR, to restrict the processing of your personal data in as far as you dispute the accuracy of the data, if the processing is unlawful but you reject the erasure of data and we no longer need the data, but if you need such data in order to assert, exercise or defend legal claims or if you have filed an objection to processing pursuant to Art. 21 GDPR;

Pursuant to Art. 7 (3) GDPR, to revoke your prior consent at any time to data processed for reasons other than legitimate interest. As a result, we are then no longer permitted to continue processing data based on this consent in the future;

Pursuant to Art. 77 GDPR, to complain to a regulatory authority. For this purpose, you can generally contact the regulatory authority responsible for your usual place of residence or workplace or our company’s registered office.

The contact details of the regulatory authority responsible for our company’s registered office are as follows:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, Tel 0303 123 1113 https://ico.org.uk/global/contact-us/.

4. Right of objection

If your personal data is processed on the basis of our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR.

If you wish to exercise your right of revocation or objection, simply write to Healing Partners Ltd., Midsummer House, Top House Court, Kirk Smeaton, North Yorkshire WF8 3LA, or send an email to enquiries@healingpartners.co.uk. We reserve the right to require proof of identity with all such requests.

5. Data security

Please note that transmitting information and data over the Internet always poses a security risk. We have implemented technical and organisational measures to protect your personal data from unauthorised access, as far as is practically possible, and have terms of service in place with third party system providers as documented above.

“data subject(s)”, “personal data” and “sensitive personal data” have the meanings defined within the Data Protection Act.

This policy, supporting policies and procedures will be subject to periodic internal audit and may be subject to external audits as necessary by the Information Commissioner.

The Business recognises data subject’s rights to raise a Subject Access Request. A formal request from a data subject for information that is held must be made in writing. A fee is payable by the data subject for provision of this information.

The Directors have overall responsibility and authority to ensure that this Policy is effectively implemented and delivered throughout the Business. All personnel are required to play an active role in the protection of company assets and treat information security appropriately in order that this purpose can be achieved.

To support this Policy, the management overseeing security and risk will produce subject specific policies and supporting procedures which will be reviewed and updated in response to changes in risks faced by the Business, legislation, regulation, contractual obligations and operational working practices.

Information security objectives, which are aligned with the business objectives, are reviewed and agreed on an annual basis.

The business recognises the need for continual improvement. The information security management system is constantly reviewed and any changes are communicated to all relevant employees and interested parties.

The Directors will be responsible and have authority for communicating and implementing this policy, supporting policies and procedures within their area of responsibility and will ensure individual accountability. From time to time changes are required to this policy, in order to accommodate changes in the law or developments within the business. You can view and print the latest version of this privacy statement at any time on the website home page at www.healingpartners.co.uk.

All personnel (i.e. permanent staff, contractors and temporary staff) will adhere to this Policy, supporting policies and procedures.

Failure to comply with this policy, subject specific policies and supporting procedures, may result in disciplinary action being taken.

This Policy and the business performance in meeting its requirements will be monitored and reviewed.

Data Processing Activities are summarised below:

Healing Partners Data Processing Activities (GDPR)

Version 1.0.0 21/05/2018

Enquiry

* Nature of personal data: Contact details, name, email, telephone, condition and treatment needs, advice given
* Type of personal data: Personal data; Special category
* Purposes of processing / Necessity: a) To respond to patients'/prospective patients' requests for information; b) To schedule appointments; c) To provide individual information pertinent to ongoing treatment and health needs; d) To audit performance and needs of practice; d) To send practice information
* Lawful basis: Legitimate interest
* Personnel with data access &/or platform used for collection and retention: Data Controller; Receptionists; Paper messages, email, text
* Retention & deletion: For enquiries that become active patients 7 years, in compliance with BAcC guidelines, then deleted from inbox or securely disposed of. Enquirers who do not become patients may have their data disposed of safely after the enquiry has been dealt with

First consultation booking

* Nature of personal data: Address, date of birth, medical history, family history, medication and supplements taken, referral source, GP and specialist contact details, treatment cautions and contraindications
* Type of personal data: Personal data; Special category
* Purposes of processing / Necessity: To schedule and communicate the patient's appointment. To collect necessary clinical background and safety data so practitioner is effectively prepared for the consultation. For in house audit. To identify the patient in case of patients with the same name, referral to other practitioners and correspondence with medical professionals
* Lawful basis: Legitimate interest and processing is necessary for the purposes of preventative medicine, medical diagnosis, the provision of health treatment pursuant to contract with a health care professional and the data is processed by the professional subject to the obligation of professional secrecy under EU and UK law
* Personnel with data access &/or platform used for collection and retention: Data Controller; Acuity Scheduling
* Retention & deletion: 7 years, in compliance with BAcC guidelines but may be retained indefinitely

Appointment Booking

* Nature of personal data: Name, appointment time, date location and type, telephone and email
* Type of personal data: Personal data
* Purposes of processing / Necessity: a) To schedule appointments effectively and efficiently; b) Necessary to maintain a permanent record of attendance of when all patients were treated in the event of: infectious disease reporting (RIDDOR), criminal prosecution, civil action, insurance claim or complaint; c) Necessary to maintain a record for tax purposes
* Lawful basis: a) Legitimate interest; b) - c) Necessary for compliance with legal obligation to which Controller is subject
* Personnel with data access &/or platform used for collection and retention: Data Controller; Receptionists; Acuity Scheduling
* Retention & deletion: Permanent record in compliance with BAcC guidelines

Patient clinical case notes

* Nature of personal data: Patient reported signs and symptoms and presenting complaint(s), further medical information, clinician's notes, diagnosis and treatment planning, clinical findings, progress, treatment given, advice or referrals given to any other health professional, decisions made in conjunction with patient
* Type of personal data: Personal data; Special category
* Purposes of processing / Necessity: Necessary for full traditional diagnosis, treatment strategy and treatment planning. In order to keep compliant clinical records for safe practice, and professional body compliance and auditing purposes
* Lawful basis: Legitimate interest and processing is necessary for the purposes of preventative medicine, medical diagnosis, the provision of health treatment pursuant to contract with a health care professional and the data is processed by the professional subject to the obligation of professional secrecy under EU and UK law
* Personnel with data access &/or platform used for collection and retention: Data Controller; Paper-based case notes kept in locked cabinet when not in use
* Retention & deletion: 7 years, in compliance with BAcC guidelines, then deleted from inbox or securely disposed of within 8 years

Invoicing and payment confirmation

* Nature of personal data: Contact details (name, address, email, telephone); Treatment details (date, location and type); Payment details (amount paid and method of payment)
* Type of personal data: Personal data
* Purposes of processing / Necessity: In order to comply with accounting laws and record keeping. To provide documentation of payment and treatments for patients' records and insurance claims
* Lawful basis: Legitimate interest
* Personnel with data access &/or platform used for collection and retention: Data Controller; Accountant; Acuity Scheduling; Stripe and Streamline payment services; Intuit Quickbooks
* Retention & deletion: At the end of the statutory period for record keeping (6 years), but may be retained indefinitely

Payment processing

* Nature of personal data: Contact information
* Type of personal data: Personal data
* Purposes of processing / Necessity: For transactional reasons, to take secure payment via Acuity Scheduling
* Lawful basis: Legitimate interest
* Personnel with data access &/or platform used for collection and retention: Data Controller; Receptionists; Streamline; Stripe; Acuity; Intuit Quickbooks
* Retention & deletion: At the end of the statutory period for record keeping (6 years), but may be retained indefinitely

Accident records for Patients, Practitioner(s) and contracted staff

* Nature of personal data: Details of accident as required for accident reporting
* Type of personal data: Personal data; Special category
* Purposes of processing / Necessity: Necessary to comply with UK Accident reporting legislation
* Lawful basis: Necessary for the purposes of preventative medicine, medical diagnosis, the provision of health treatment pursuant to contract with a health care professional and the data is processed by the professional subject to the obligation of professional secrecy under EU and UK law
* Personnel with data access &/or platform used for collection and retention: Data Controller

Adverse Incident Reports (if they identify the patient rather than being completed anonymously)

* Nature of personal data: May contain Personal data or special category data
* Type of personal data: Personal data; Special category
* Purposes of processing / Necessity: Necessary for the British Acupuncture Council (BAcC) to develop safe practice guidelines, as well as research data and information for the BAcC's insurers and other interested parties.
* Lawful basis: Legitimate interest and processing is necessary for the purposes of preventative medicine, medical diagnosis, the provision of health treatment pursuant to contract with a health care professional and the data is processed by the professional subject to the obligation of professional secrecy under EU and UK law
* Personnel with data access &/or platform used for collection and retention: Data Controller; BAcC Adverse Reporting Team; Insurers

Supplier information

* Nature of personal data: Including contact name, telephone, and email (including business address)
* Type of personal data: Personal data
* Purposes of processing / Necessity: For transactional reasons, buying clinic supplies, and maintaining accounting records
* Lawful basis: Legitimate interest
* Personnel with data access &/or platform used for collection and retention: Data Controller; Accountant; Intuit Quickbooks
* Retention & deletion: At the end of the statutory period for record keeping (6 years), but may be retained for up to 10 years


email:
enquiries@healingpartners.co.uk


REGISTERED ACUPUNCTURE
PRACTITIONER:

Sarah Byfield
BSc(Hons), PGDipAc, MBAcC

Professionally qualified
Member of the
British Acupuncture Council
Local Authority licensed

Healing Partners Limited
Midsummer House, Top House Court, Kirk Smeaton, Pontefract, WF8 3LA
Company Registration: 7291094

 
   

Our fully trained acupuncturists at our Doncaster Acupuncture clinic and Pontefract Yorkshire clinic are proud of their professional status as members of the British Acupuncture Council. The British Acupuncture Council (BAcC) is the leading self-regulatory body for the practice of traditional acupuncture in the UK. It is a member-led organisation, governed by an elected executive committee and driven by a specialist staff team.

The British Acupuncture Council provides their members with a wide range of services to assist their practice and work to expand the awareness of traditional acupuncture and how it works. This UK professional acupuncture body represents the interests of fully qualified traditional acupuncturists, establishing and maintaining the highest professional standards of practice for acupuncture. It oversees the accrediting of acupuncture education to ensure excellence in training, funds evidence-based clinical research on the benefits of traditional acupuncture, promotes evidence-based research to the public and other healthcare providers and works with the Department of Health towards the statutory regulation of acupuncture in the UK. The British Acupuncture Council also promotes integrated healthcare.

As members of the British Acupuncture Council, we are professionally regulated and are recognised acupuncture practitioners within the broader healthcare community.