This privacy notice provides you with details of how we collect and process your personal data.
Sarah Oakley Lactation Ltd is owned and run by Sarah Oakley RN, RHV, IBCLC who is the data controller registered with the Information Commissioners Office. As a registered nurse/health visitor Sarah is required by the Nursing and Midwifery Council’s Code of Conduct to respect people’s right to privacy and confidentiality so protecting your privacy is fundamental to her practice. This notice explains what information we collect from you, why we collect this information, under what circumstance this information may be shared, how long it is stored and how you can access it.
Our email address is firstname.lastname@example.org.
Our postal address is Sarah Oakley Lactation Ltd, The Coach House, Clayway Farm, Padnal Bank, Queen Adelaide, Ely, CB7 4UE.
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.
During our contacts by phone, text, messenger, email, via the contact page on our website, via social media and face to face I will collect and record personal information about you and your baby. This information will include medical information relevant to the issue you are seeing me about. I may use your contact information to contact you at a later date for the purposes of follow up, audit and research. NB Whilst I take steps to ensure your information is secure communications by text, email, messenger, social media and my website may not be secure so keep this in mind when using these methods.
I am required by the Nursing and Midwifery Council’s Code of Conduct to keep clear and accurate records relevant to my practice. This is to enable me to contact you and to provide safe and effective care for you and your baby. These records, which will contain your personal/medical information and that of your child, include summaries of our consultations and copies of emails. They are stored on electronic devices which are password protected and have security software installed. Long term storage is on encrypted memory sticks kept securely.
We require your explicit consent for processing sensitive data (medical information) and we will request you complete aa signed consent for this.
2. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when legally permitted. The most common uses of your personal data are:
- Where we need to perform the contract between us.
- Necessary for our legitimate interests.
- Where we need to comply with a legal or regulatory obligation.
Purposes for processing your personal data
Set out below is a description of the ways we intend to use your personal data and the legal grounds on which we will process such data. We have also explained what our legitimate interests are where relevant.
We may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. Please email us at email@example.com if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|Type of data
|Lawful basis for processing
|To register you as a new client
|Performance of a contract with you eg: provision of a consultation and follow up support or provision of training/study days
|To process your payment for services
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
|(a) Performance of a contract with you
(b) Necessary for our legitimate interests to receive payments owed to us
|To manage our relationship with you which may include:
(a) Providing consultations and follow up support (individually and in groups)
(b) Providing training or study days
(c) Asking you to leave a review or take a survey
(e) Managing complaints about our service
(c) Medical data
|(a) Performance of a contract with you
(b) Necessary to comply with a legal and regulatory obligation (NMC Code of Conduct)
(c) Necessary for our legitimate interests including keep our records updated, studying how clients use our services, improving our service
|For the purposes of anonymised audit/research||(a) Contact
(b) Medical data
| Necessary for our legitimate interests to study how clients use our services, to evaluate and to develop them and to assess efficacy and outcomes of interventions
3. DISCLOSURES OF YOUR PERSONAL DATA
We will not share your personal/medical data with any third parties except in the following situations:
- We will write to your GP and HV to inform that your baby has had a tongue-tie division, what type of tongue-tie it was, the reason for division and a very brief summary of any care plan put in place. This is so it can be recorded in your baby’s GP records and to ensure other professionals involved in the care of your baby are informed to promote safe and effective care.
- With your consent we may contact your midwife, GP, HV or other healthcare professionals involved in your care and share relevant information to enhance the care of you and your baby. For example I may write to your GP to request a prescription for a nipple infection or phone your health visitor to discuss extra support.
- Should we have a concern about the safety of your child then we have a legal and professional obligation to share relevant information with the relevant agencies and in this case your consent is not required.
- Anonymised data may be used and shared for the purpose of internal and external audits/research.
- In the event of a complaint or claim relevant information will be shared, with your consent, with my indemnity provider and legal team.
- Photographs may be used to form part of our consultation record, for educational and publicity purposes but only with your consent.
- Transaction and financial data may be shared with our accountant, bank, card payment machine provider and with HMRC in certain circumstances.
We require all third parties we work with (for example the clinics we use) to respect the security of your personal data and to treat it in accordance with the law.
We use SumUp to process card payments. This is what they say about cardholder data security in their privacy notice (https://sumup.co.uk/privacy/).
SumUp is responsible for the security of cardholder data which is processed, transmitted and stored within our systems. To this end, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). SumUp applies best industry practice to safeguard this sensitive data and to ensure that it operates in line with these requirements, and to this end SumUp undergoes annual audits to ensure that we continue to meet this high standard.
We do not transfer your personal data outside the European Economic Area (EEA).
4. DATA SECURITY
We have put in place what we believe are appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access to your personal data will be limited to Sarah Oakley and agents acting on her behalf (for example the administrative and support staff at her clinics). Access to consultation records and emails which may include medical data will be restricted to Sarah Oakley only except in the circumstances listed above in section 3.
In the event of a personal data breach we will notify you and any applicable regulator of the breach where we are legally required to do so.
5. DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
By law medical records on children have to be kept for 25 years.
In some circumstances you can ask us to amend your data: see below for further information.
6. YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you wish to exercise any of the rights set out above, please email us at firstname.lastname@example.org.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month.
Sarah Oakley Lactation Ltd 15/4/18.
© Suzanne Dibble 2018. Copyright in this document belongs to Suzanne Dibble. You may not copy or use it for any purpose unless you have purchased this template document from Suzanne Dibble.