In this Privacy Notice “we”, “us” or “our” to refer to Francesca Straniero as the health professionals who are using your personal information.
What services do we offer?
Here at FS Nutritionist we offer nutrition consultations and workshops aimed to inform, motivate and help our clients to reach their nutrition and health goals.
What types of data do we capture?
As one of our patients / clients, the personal information we hold about you may include the following:
- Contact details, such as postal address, email address and telephone number (including mobile number)
- Financial information, such as your bank details
- Occupation and lifestyle
- Background referral details
We will use “special categories of personal information” (previously known as “sensitive personal data”) about you, such as information relating to your physical and mental health.
As one of our clients, we will hold information relating to your medical treatment which is known as a special category of personal data under the law, meaning that it must be handled even more sensitively.
This may include the following:
- Details of your current or former physical or mental health, including information about any healthcare you have received from other healthcare providers such as GPs, dentists or hospitals (private and/or NHS), which may include details of clinic and hospital visits, as well as medicines administered. We will provide further details below on the manner in which we handle such information.
- Details of services you have received from us
The confidentiality of your medical information is important to us, and we make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health (or indeed any of your personal information more generally). In doing so, we will comply with UK data protection law, including the Data Protection Act 2018 and all applicable medical confidentiality guidelines issued by professional bodies.
In addition, you should note that in the event you amend data which we already hold about you (for instance by amending a pre-populated form) then we will update our systems to reflect the amendments. Our systems will continue to store historical data.
How do we collect your information?
We may collect personal information from a number of different sources including, but not limited to:
- Medical records from your GP
- Medical records from consultants and other clinicians (including their medical secretaries)
- Medical records from hospitals, the NHS and private hospitals and organisations
- Medical records from Mental health providers
- Commissioners of healthcare services
- Directly from you. Information may be collected directly from you when:
- You enter into a contract with us
- You use our services
- You submit a query to us including by email or by social media
- You correspond with us by letter, email, telephone or social media.
The medical records may include information about your diagnosis, clinic and hospital visits and medicines administered.
Do we collect information from third parties?
As detailed in the previous section, it is often necessary to seek information from other healthcare organisations. We may also collect information about you from third parties when:
- You are referred to us for the provision of services including healthcare services
- We liaise with your current or former health professional or other treatment or benefit provider
- We liaise with your family
- We deal with experts (including medical experts) and other service providers about services
How will we communicate with you?
We may communicate with you in a range of ways, including by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate, including only sufficient basic details to enable you to identify who the call is from, very limited detail as to the reason for the call and how to call us back.
However, to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders)), we may communicate with you by SMS and/or unencrypted email where you have provided us with your SMS or email address).
To provide you with your consultation information and/or invoicing information, we may communicate with you by email where you have provided me with your email address.
Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare service.
What is our role in the protection of your data?
We are Data Controllers in respect of your personal information which we hold about you. This will mainly relate to your health or medical treatment but will be likely to also include other information such as financial data in relation to billing. We must comply with the data protection legislation and relevant guidance when handling your personal information.
From 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR) and a new Data Protection Act. All uses of your information will comply with the GDPR and the new Data Protection Act from that date onwards.
What are the purposes for which your information is used?
We may ‘process’ your information for a number of different purposes, which is essentially the language used by the law to mean using your data. Each time we use your data, we must have a legal justification to do so. The particular justification will depend on the purpose of the proposed use of your data. When the information that we process is classed as a “special category of personal information”, we must have a specific additional legal justification in order to use it as proposed.
Generally, we will rely on the following legal justifications, or ‘grounds’:
- Taking steps at your request so that you can enter into a contract to receive healthcare services from us.
- For the purposes of providing you with healthcare pursuant to a contract between you and us.
- We have an appropriate business need to process your personal information and such business need does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, monitoring outcomes and responding to any complaints.
- We have a legal or regulatory obligation to use such personal information.
- We need to use such personal information to establish, exercise or defend our legal rights.
- You have provided your consent to our use of your personal information.
Note that failure to provide your information further to a contractual requirement with us may mean that we are unable to set you up as a patient or facilitate the provision of your healthcare.
We provide further detail on these grounds in the sections below.
Appropriate business needs
One legal ground for processing personal data is where we do so in pursuit of legitimate interests and those interests are not overridden by your privacy rights. Where we refer to use for our appropriate business needs, we are relying on this legal ground.
The right to object to other uses of your personal data
You have a range of rights in respect of your personal data, as set out in detail in sections below. This includes the right to object to us using your personal information in a particular way (such as sharing that information with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.
You will find details of our legal grounds for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications, or grounds, which allow us to do so. You will note that we have set out a legal ground, as well as an ‘additional’ legal ground for special categories of personal information. This is because we have to demonstrate additional legal grounds where using information which relates to a person’s healthcare, as we will be the majority of the times we use your personal information.
Purpose 1: To provide you with healthcare and related services
Clearly, the reason you come to us is to provide you with healthcare, and so we have to use your personal information for that purpose.
a) Providing you with healthcare and related services
b) Fulfilling our contract with you for the delivery of healthcare
Additional legal grounds for special categories of personal information:
We will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date
Our having an appropriate business need to use your information which does not overly prejudice you
Additional legal grounds for special categories of personal information:
Purpose 3: For clinical audit purposes
We may process your personal data for the purposes of local clinical audit – i.e. an audit carried out by ourselves or our direct team for the purposes of assessing outcomes for patients / clients and identifying improvements which could be made for the future. We are able to do so on the basis of our legitimate interest and the public interest in statistical and scientific research, and with appropriate safeguards in place. You are, however, entitled to object to our using your personal data for this purpose, and as a result of which we would need to stop doing so.
Purpose 4: Communicating with you and resolving any queries or complaints that you might have.
a) The use is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional
b) The use is necessary in order for us to establish, exercise or defend our legal rights
Purpose 5: Communicating with any other individual that you ask us to update about your care and updating other healthcare professionals about your care.
In addition, other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. Further details on the third parties who may need access to your information is set out at section 47 below.
a) Providing you with healthcare and other related services
b) We have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in your care have a full picture of your treatment Additional legal ground for special categories of personal information:
Purpose 6: Complying with our legal or regulatory obligations, and defending or exercising our legal rights
a) We need to use the data in order to provide healthcare services to you
b) The use is necessary for reasons of substantial public interest under UK law
c) The use is necessary in order for us to establish, exercise or defend our legal rights
As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities which is not possible to list fully here. We may be required by law or by regulators to provide personal information, and in which case we will have a legal responsibility to do so. From time to time, clinicians are unfortunately also the subject of legal actions or complaints. In order to fully investigate and respond to those actions, it is necessary to access your personal information (although only to the extent that it is necessary and relevant to the subject-matter).
a) The use is necessary in order for us to comply with our legal obligations.
Purpose 7: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice)
In order to do this, we will not need to use your special categories of personal information and so we have not identified the additional ground to use your information for this purpose.
a) Our having an appropriate business need to use your information which does not overly prejudice you
Disclosures to third parties:
We may disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:
a) A doctor, nurse, carer or any other healthcare professional involved in your treatment
b) Other members of support staff involved in the delivery of your care
We need to use the data in order for others to provide informed healthcare services to you. The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems
a) The use is necessary for establishing, exercising or defending legal claims
b) Anyone that you ask me to communicate with or provide as an emergency contact, for example your next of kin or carer
c) NHS organisations, including NHS Resolution, NHS England, Department of Health
d) Other private sector healthcare providers
e) Your GP
f) Your dentist
g) Other clinicians (including their medical secretaries)
h) Third parties who assist in the administration of your healthcare, such as insurance companies
i) Private Healthcare Information Network
Automated Decision Making
An automated decision is a decision made by computer without any human input, and there will be no automated decision-making in relation to your treatment or other decisions which will produce legal or similarly significant effects.
How long do we keep personal information for?
This means that we retain such records for a period of at least ten (10) years from the date of treatment and, in the case of a minor, for a period of at least ten (10) years after that minor attains majority and, in the case of a patient with mental incapacity, we retain such records indefinitely.
If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details outlined in section 3.
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details provided at section 3 above.
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in writing unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.
You are entitled to the following under data protection law.
- The purposes for which we use your personal information
- The types of personal information we hold about you
There will not usually be a charge for handling a request to exercise your rights.
If we cannot comply with your request to exercise your rights we will usually tell you why.
There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary legislation which regulates the use of personal information.
If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request, then we do not have to respond. Alternatively, we can charge for responding.
Your rights include:
The right to access your personal information
Under Article 15(1) of the GDPR we must usually confirm whether we have personal information about you. If we do hold personal information about you, we usually need to explain to you:
Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
If the personal data we hold about you was not provided by you, details of the source of the information
Your right to ask us to amend or delete your personal information
Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
Your right to complain to the Information Commissioner’s Office
We also need to provide you with a copy of your personal data, provided specific exceptions and exemptions do not apply.
We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances, we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks that are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
The right to restriction of processing
In some circumstances, we must “pause” our use of your personal data if you ask me to do so, although we do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to data portability
In some circumstances, we must transfer personal information that you have provided to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.
The right to withdraw consent
In some cases we may need your consent in order for our use of your personal information to comply with data protection legislation. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting us using the details provided at section 3 above.
The right to complain to the Information Commissioner’s Office
You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.
More information can be found on the Information Commissioner’s Office website: Making a complaint will not affect any other legal rights or remedies that you have.
What technology do we use to support our business?
- Google is our primary technology provider, we use their apps across the business from their forms application to capture information about yourself to their Gmail application. Google is in compliance with Data Security and Protection Toolkit (DSP Toolkit). More information can be found here.
- We store any client specific notes on Google Drive in one of Google’s EU data centre’s. Google drive is ISO 27001 certified. More information can be found here.
- We use Microsoft Office applications primarily for note taking.
- Most web browsers allow some control of most cookies through the browser settings.
To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout