Who is the data controller?
Lisa Linton, Managing Therapist.
What data is held?
Name, Address, Date of Birth, Phone Number, Email Address, Doctor’s Details, Next of kin, Medical history, Treatment Notes, Relationship Data, Monies Payed.
Why is this data held?
Names: Client Identification
Address: For Receipts (including Health Insurance and Revenue), Client Identification; safety of practitioner; address to send them home if something happens (example: if client feels unwell).
Date of birth: For Client Identification, Type of Treatment, Treatment Considerations.
Phone Number: to send reminder texts for appointments, to keep cancellations and no shows to a minimum, in case we need contact them to cancel/reschedule appointment.
Email Address: It is a necessary part to fill in on the consultation forms (Note: We don’t contact clients using email)
Doctor’s Details: if clients present with serious medical issues or are unwell, we may liaise with client’s GP or specialist.
Next of kin: If client feels unwell while attending the clinic, next of kin may be contacted.
Medical history: So that our therapists understand what the client is presenting with on a given day, to decide if treatment is appropriate and if so what kind, and to carry out these treatments in a safe way.
Treatment notes: To keep a record of what happened during any contact with clients, and to track effectiveness, or otherwise, of treatments.
Relationship data: To keep a record of who client was referred by to help us understand and improve our marketing and services, and to keep record of who parent/guardian is to book appointments, pay for treatments, and discuss treatment options (if client is under 18 or a vulnerable adult).
Monies Payed: To make sure treatments have been payed for up to date and in full, to issue receipts, and for tax purposes.
How is data obtained?
In order to book an appointment (by call or text), we require full name, phone number and treatment type they wish to book. Once it is determined appropriate to book a treatment, client’s name, phone number and treatment type are recorded in the business diary. We will not secure a booking without client’s name, phone number and treatment type. At initial appointment, the data we hold is obtained during face to face consultation with clients, during which consultation form is filled out and therapist discusses medical history, presenting complaint, stress levels, doctor’s details, and anything else clients wish to discuss as it is their treatment time. We then review our Data Protection Procedures and Privacy Policy with clients and ask them to sign consent to treatment and to our Data Usage & Retention Statement. We will not proceed with treatment without this statement being signed and/or without Consultation form being filled out. This information, along with name of client, address, date of birth, phone number, email address, next of kin, and relationship data is recorded in client’s file.
Where is the data stored?
On Business Laptop: Client’s Name, Address, Phone Numbers’, Treatment Category, and Monies Payed. These are stored on Contact List to track client contact information and on Business Sales Accounts.
On Business Mobile: Client’s Name, Phone Numbers’, and Treatment Category. These are stored in Phone Contacts in order to contact clients regarding appointment booking, special offers, appointment cancelations/rescheduling.
On Business DropBox System: Client’s Name, Address, Phone Numbers’, Treatment Category, and Monies Payed. These are copies of data on Business Laptop stored on Business DropBox System as back-ups.
On Business External Hardrive and Business USB Stick: Client’s Name, Address, Phone Numbers’, Treatment Category, and Monies Payed. These are copies of data on Business Laptop stored on Business External Hardrive and Business USB Stick as back-ups.
On Business Diary Book: Client’s Name, Phone Number, Treatment Category. This information is given by client and written into Business Diary Book to book appointment for that client.
On Client’s File: Client’s Name, Address, Date of Birth, Phone Number, Email Address, Doctor’s Details, Next of kin, Medical History, Treatment Notes, Relationship Data and Monies Payed. These are the original physical documents filled out during first appointment.
How secure is the data; encryption and accessibility?
Clients’ data stored as physical documents are stored in two separate cabinets:
- Clients who have attended the clinic in the last 5 years have their files stored in a locked filling cabinet located in the clinic. Both keys to this cabinet are kept in hidden locations known only by staff of the clinic.
- Clients who have attended the clinic between the last 5 and 7 years either have their files stored in the said locked filling cabinet located in the clinic or kept in an offsite locked cabinet accessible only by the owner of clinic, Lisa Linton. It is at the full discretion of Lisa Linton where files of clients who have attended the clinic between the last 5 and 7 years are stored, whether that is in the said locked filling cabinet located in the clinic or in the locked cabinet located offsite. This is because currently the insurance company require us to keep client files for a minimum of 5 years, while other entities (i.e. organisations and Revenue) require clients’ files to be kept for a minimum of 7 years.
- Files of clients who have not attended the clinic in 7 years or more will be kept in the locked cabinet kept offsite and will be destroyed in due course. This will be done on an annual basis.
Both rooms in the clinic are locked, accessible only by staff of the clinic and by the facilities manager. To gain access to the building, a front door key is needed to the locked front door. These are only given to other renters of the building. Keys to clinic building and treatment rooms are always kept on staff. Client files in use each day are kept in a plastic pocket that is with the therapist at all times and is not left lying around in view of a client.
Data stored on Business Laptop is secured with a password to gain access to the device. This password is known only by clinic staff.
Data stored on the Business Mobile is secured with a PIN code to gain access to the device. This PIN code is known only by clinic staff.
Data stored on Business DropBox System is secured with a password and login details. The password and login details are known only by Lisa Linton and by the Business Accountant.
Data stored on Business External Hardrive and Business USB Stick is secured with a password. This password is known only by Lisa Linton and both devices are kept in a hidden location known only by Lisa Linton.
Business Diary Book is kept in a locked room in the clinic, accessible only by clinic staff. When in transit, it is kept in a locked travel case, accessible only by clinic staff.
Is the data shared with 3rd parties and on what basis?
No Client Data of any kind is shared with any 3rd parties unless explicit permission is requested by the client to share their data (Example: treatment receipts for VHI).
An exception is applied if, in response to a request for information if we are required by, or believe disclosure is required by, any applicable law, regulation or legal process, including in connection with lawful requests by law enforcement, national security, or other public authorities (example: An Garda Síochána).
How long shall the data be retained?
Our insurance providers require us to retain all Client Data for a minimum of 5 years after the client’s last appointment. Other entities (i.e. organisations and Revenue) require us to keep certain Client Data for a minimum of 7 years after the client’s last appointment. Therefore, certain Client Data obtained between 5 and 7 years ago may be retained by the clinic at the full discretion of Lisa Linton. Data of clients who have not attended the clinic in 7 years or more will be retained by the clinic and will be destroyed in due course. This will be done on an annual basis.
Amending data
If a client’s name, address, phone number, email address, doctor’s details, next of kin, medical history, relationship data and/or treatment information changes, the treating therapist may amend the Client Data when informed by the client. This information shall be updated by the treating therapist on the Client’s File. If client’s name, address, phone number, and/or treatment category is amended on the Client’s physical document files, it will be amended on the Business Laptop, Business DropBox System, Business Mobile, Business Diary, Business External Hardrive and Business USB stick by Lisa Linton in due course.
Transferring data
Upon receiving a request from a client to transfer data to another therapist, solicitor, and/or medical professional, a photocopy of the client’s original physical document file(s), kept by the clinic, will be sent by registered post, to the address provided by the client. The client must sign consent to this transfer, which states the date, name and address of the recipient and acknowledgement of permission to send. This will be kept with the client’s file, as a record of the transfer and request to do so. Client will be responsible for all charges.
Destroying data
Data will only be destroyed after the specified time frame as quoted above.
The client may request that any data regarding themselves may be destroyed (i.e. Client’s File and client’s data stored on Business Devices). Please Note: If the client choses to do this, then the clinic may refuse to treat client as we require this data to treat clients safely and effectively. The client’s physical document file will be shredded and burned after the specified time frame as quoted above, ensuring that each individual paper shred is burned so that no discernible information is available.
Data breaches
What is a data breach?
A data breach is when a person has gained access to our premises (i.e. Client Files and/or Business Diary) and there is evidence of or a risk of data being copied, accessed, destroyed and/or removed from our premises or our offsite locked cabinet. A data breach can also occur if our Business Phone, Business Laptop, Business DropBox System, Business External Hardrive and/or Business USB Stick are accessed by anyone who is not working with the clinic, and there is evidence that client data has been accessed, deleted, copied and/or removed from the device. These devices remain locked and accessible only by clinic staff for this reason.
How to identify a data breach
Our data storage systems are so secure that criminals are looking for human error to access data. They would look for the PIN code for the Business Phone or passwords for the Business Laptop, Business DropBox System, Business External Hardrive and/or Business USB Stick. Criminals may also attempt to illegally enter the clinic building, our treatment rooms (where Business Diary is stored), our filling cabinet (where client physical document files are stored) or offsite cabinet. They would get in through forceful entry (breaking through clinic door, treatment room doors, lock on filling cabinet or lock on offsite cabinet) or through theft of keys for these. For physical break-in; be on the look-out for tampering signs or broken locks at the door and windows of the building, the treatment room doors, the filing cabinet or offsite cabinet. For digital break-in; If the Business Phone, Business Laptop, Business External Hardrive and/or Business USB Stick are accessed illegally, look for signs such as; if you are contacted by ‘the business’ via email or post, as we don’t contact clients using these methods or if these devices are in the clinic, be on the look-out for signs of device theft or anyone accessing these devices without permission from clinic staff.
What to do if there has been a data breach
Fill out a Data Breach Incident Form ASAP (obtained from the clinic) and let the data controller know, who will then do the following: Within 72 hours (legal obligation or face a fine) of knowing something has happened, get in touch with the Data Protection Commission referring to the Data Breach Incident Form. Consider if clients affected need to be notified (risk of identity theft, theft of Client Files and/or breach of confidentiality) so that they can take appropriate measures to mitigate the effects to their property, person or reputation. Notifying data subjects is a remedial measure intended to redress the balance and restore some measure of knowledge and control. Let them know who to contact in our organisation for more details. 3rd parties may need to be contacted to help (i.e. An Garda Siochana, the financial institutes, or the organisations) Keep a diary of any data breaches or suspected data breaches.