LucyHarperHealth – Privacy Policy

As part of your health care, LucyHarperHealth needs to gather and use certain information about clients, suppliers or organisations it has a relationship with or may need to contact.

LucyHarperHealth is committed to a policy of protecting the rights and privacy of clients and others in accordance with General Data Protection Regulation.

Personal Data:   LucyHarperHealth may hold data for the following purposes:

• Provision of direct healthcare
• Marketing and newsletters
• Case histories (anonymous)

Data Protection Principles:   There are six data protection principles that are core to the General Data Protection Regulation. LucyHarperHealth will make every possible effort to comply with these principles at all times in our information-handling practices.  The principles are:

1. Lawful, fair and transparent:  Data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
2. Limited for its purpose:  Data can only be collected for a specific purpose.
3. Data minimisation:  Any data collected must be necessary and not excessive for its purpose.
4. Accurate:  The data we hold must be accurate.
5. Retention:  We cannot store data longer than necessary.
6. Integrity and confidentiality:  The data we hold must be kept safe and secure.

Responsibilities:   LucyHarperHealth is the data controller for all personal data held by us and is responsible for:

• Analysing and documenting the type of personal data we hold
• Checking procedures to ensure they cover all the rights of the individual
• Identifying the lawful basis for processing data
• Ensuring consent procedures are lawful
• Implementing and reviewing procedures to detect, report and investigate personal data breaches
• Storing data in safe and secure ways
• Assessing the risk that could be posed to individual rights and freedoms should data be compromised

Data accuracy and relevance:   LucyHarperHealth will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Data Security:   LucyHarperHealth will keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, we will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations. 

Storing Data Securely:

• In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it.
• Printed data will be shredded when it is no longer needed.
• Data stored on a computer will be protected by strong passwords that are changed regularly.
• Data stored on CDs or memory sticks will be encrypted or password protected and locked away securely when they are not being used
• Cloud services used to store personal data will be assessed for compliance with GDPR principles.  An authenticator app will be used to access cloud data.
• All servers containing sensitive data must be protected by security software
• All possible technical measures will be put in place to keep data secure
• LucyHarperHealth will retain personal data for no longer than is necessary. This shall be in accordance with the guidelines of our professional association, BANT.  

Accountability & Transparency:   LucyHarperHealth will ensure accountability and transparency in all our use of personal data.   We will regularly review our data processing activities and implement measures to ensure privacy by design including data minimisation, pseudonymisation, transparency and continuously improving security and enhanced privacy procedures.

Consent:   LucyHarperHealth will ensure that consents are specific, informed and plain English.  We will seek explicit consent wherever possible.  We will maintain an audit trail of consent by documenting details of consent received including who consented, when, how, what, if and when they withdraw consent.  For online consent, we may use a cryptographic hash function to support data integrity.  Alternatively we will maintain the consents information in a spreadsheet with links to the consent forms. 

Direct Marketing:   LucyHarperHealth will comply with both data protection law and Privacy and Electronic Communication Regulations 2003 (PECR) when sending electronic marketing messages.  We will seek explicit consent for direct marketing. We will provide a simple way to opt out of marketing messages and be able to respond to any complaints. 

Subject Access Requests:

An individual has the right to receive confirmation that their data is being processed, access to their personal data and access the privacy notice.  LucyHarperHealth  will provide an individual with a copy of the information requested, on a PDF, free of charge. This will occur within one month of receipt. We endeavour to provide data subjects access to their information in commonly used electronic formats.

We can refuse to respond to certain requests, and can, in circumstances of the request being manifestly unfounded or excessive, charge a fee. If the request is for a large quantity of data, we can request the individual specify the information they are requesting.

Once a subject access request has been made, we will not change or amend any of the data that has been requested. Doing so is a criminal offence. 

Using third party controllers and processors such as testing laboratories:  As a data controller, LucyHarperHealth will only appoint processors who can provide sufficient guarantees under GDPR and that the rights of data subjects will be respected and protected.  We will only act on your documented instructions.

Data breaches:   LucyHarperHealth has a legal obligation to report any data breaches to UK Supervisory authority, which is the Information Commissioners Officer, within 72 hours.