Privacy Policy

Who I am

I am a Craniosacral Therapist and Traditional Thai Massage Therapist who works from my home in Old Town, Swindon. My contact details can be found here. Under GDPR, this means that I am classified as the data controller, because I process your data. My website address is: https://cranio-swindon.co.uk. My professional body is the Craniosacral Therapy Association (CSTA) and its ethics cover both Craniosacral Therapy (CST) and Traditional Thai Massage treatments.

General Data Protection Regulation (GDPR), 2018

In response to the new regulations set out by GDPR, and as your practitioner, I state the way in which I use, share and store your information and the reasons for this, below. Everything I do follows normal, good practice but it is your legal right to read and understand the information before you come for treatment with me.

Whose information does GDPR apply to?

GDPR applies to information that I collect from clients, prospective clients, former clients and visitors to my website.

Information I hold about you

When you come for an initial treatment, I take your name, contact details (address, phone numbers, email address), and your date of birth, as well as notes about your personal history. This can include information about your physical, mental and emotional health. In future sessions, I will add to this information as you talk more about your circumstances or the issues you are seeking help with. I will also note my impressions from our sessions, including what I perceive through the treatment.

How is this information used?

Your contact information is used only in order to arrange appointments or to follow up with you and never for any other reason. The case history information is important in order to understand your situation, to get to know you, support your health and to give you the best treatment possible.

Reasons for holding information

It is important to hear some of your history in order to work with you responsibly and carefully, as well as to track your progress with you over time. You can choose how much you wish to share about your history and you should never feel obliged to talk about anything that you don’t want to. Although I take notes, as this is a requirement of my professional body, I may not note every detail of our verbal conversations but just what is needed to keep a clear record of how you are doing.

Sharing information about you

Your personal data will be treated as strictly confidential and will not be shared with others unless there is a genuine need to, or you have given your written consent. This could be your GP, another health care professional, insurance company or solicitor. To ensure that I am doing my job effectively and that I have the right support, I may discuss elements of your sessions with my supervisor*. During these discussions I do not disclose any details that may identify you. * Supervisors are specially trained and also adhere to the CSTA Code of Ethics and GDPR.

How long will I keep your information?

I am required to retain your personal data for 7 years from the date of your last session with me, or if you are a child, until your 28th birthday, as required by law and my professional body. I am not allowed to hold on to your personal data for longer than needed, and only related to the original reason for holding the information in the first place. For those who legally lack ‘capacity’, the rules are more complicated but will usually be at least 15 years rather than seven, sometimes followed by legal advice. In all cases, after this time, information will be deleted and shredded securely.

Security

Your personal information is kept on my computer drive and in handwritten files. All computer files that store personal information are password protected. All handwritten files are kept in a locked cabinet. Any emails that we exchange, or that I exchange with other professionals, will be password protected. My mobile phone is also password protected.

Given that emails can never be guaranteed to be fully secure, and that they may count as ‘data processing’ under the GDPR, if you want to discuss something personal about your situation or treatment I ask that you contact me to arrange a chat rather than sending personal information by email. Please do let me know if any of your details change so I can keep your records up to date.

Will your information remain in the UK?

I will never remove your information from the UK/the European Economic Area.

Access to your personal information

You have the right to see what personal information I hold about you, the right to ask me to amend it and the right to ask me to erase it (provided the legal minimum period has lapsed). You can read about your rights in more detail at the Information Commissioner’s Office (ICO) https://ico.org.uk/.

Your right to refuse to give information

Under the GDPR, you are not required to give your personal information. A case history is needed in order to give you the best treatment possible, including understanding your situation and any difficulties you are seeking help for, as well as to comply with my Code of Ethics. So if you do not wish to give any information at all, I may be unable to give you a treatment, but I am always happy to have a chat about what may or may not feel comfortable for you.

Your right to make a complaint

You have the right to complain if you are unhappy about the way I look after your information, or feel I have not properly respected your rights – in the first instance to me, and then also to the CSTA at admin@craniosacral.co.uk, or if you are still unhappy, to the ICO at https://ico.org.uk/ or on 0303 1231113.

Please be reassured that I will treat your personal data with total integrity and respect. Should you have any worries, I will always answer any questions or concerns that you may have. Any changes to GDPR will be posted on my website.

Contact Meryl