The Slimming Clinic – DATA PROTECTION POLICY (GDPR)
The Slimming Clinic is the trading name of Slim Holdings Limited, company number 02284712, registered in England and Wales at 5 Trinity, 161 Old Christchurch Road, Bournemouth, BH1 1JW
The Slimming Clinic is committed to complying with privacy and data protection laws, including:
The General Data Protection Regulation, EU Regulation 2016/679 (“the GDPR”) and any related legislation which applies in the UK, including, without limitation, any legislation replacing and/or repealing the Data Protection Act 1998;
The Privacy and Electronic Communications Regulations (2003) and any successor or related legislation, including without limitation, E-Privacy Regulation 2017/0003;
All other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issues by the Information Commissioner’s Office (“ICO”) or any other supervisory authority.
(together “the Legislation”)
This policy sets out what we do to protect individuals’ personal data.
Anyone who handles personal data in any way on behalf of The Slimming Clinic must ensure that we comply with this policy. The definition of “personal data” is outlined below. Any breach of this policy will be taken seriously and may result in disciplinary action and sanctions, including dismissal for serious breaches of this policy.
This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
The Slimming Clinic handles personal data relating to:
Potential patients with registered interest
Catherine Meyrick (Data Protection Officer) is responsible for ensuring compliance with the GDPR and with this policy. Any questions or concerns about this policy should be referred in the first instance to Catherine Meyrick, who can be contacted at firstname.lastname@example.org or on 01202555233.
DEFINITIONS OF DATA PROTECTION TERMS
The following terms will be used in this policy and are defined below:
Data Subjects include all living individuals about whom we hold personal data, for instance, an employee or a patient. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data. In particular, data subjects in the European Union have rights under the GDPR.
Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our or another’s possession e.g. pseudonymisation). Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as those contained in a performance appraisal). It can also include an identifier such as an identification number, location data, an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. Slim Holdings Limited, trading as The Slimming Clinic is the data controller of all personal data that we manage in connection with our work and activities.
Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website hosts, fulfilment houses or other service providers which handle personal data on our behalf.
European Economic Area includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.
ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK).
Processing is any activity that involves the use of personal data, whether or not by automated means. It includes but is not limited to:
Adapting or altering
Disclosing by transmission
Disseminating or otherwise making available
Alignment or combination
Destruction of personal data
Sensitive Personal Data (which is defined as “special categories of personal data” under the GDPR) includes information about a person’s:
Racial or ethnic origin
Religious, philosophical or similar beliefs
Trade union membership
Physical or mental health or condition
Sexual life or orientation
Such other categories of personal data as may be designated as “special categories of personal data” under the Legislation.
DATA PROTECTION PRINCIPLES
Anyone processing personal data must comply with the six data protection principles set out in the GDPR. We are required to comply with these principles (summarised below), and show that we comply, in respect of any personal data that we deal with as a data controller.
Personal data should be:
Processed fairly, lawfully and transparently
Collected for a specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes
Adequate, relevant and limited to what is necessary for the purpose for which it is processed
Accurate and, where necessary, kept up to date having regard to the purposes for which they are processed
Not kept longer than necessary
Processed in a manner that ensures appropriate security of the personal data
PROCESSING DATA FAIRLY, LAWFULLY AND IN A TRANSPARENT MANNER
The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract.
To comply with this principle, every time we receive personal data about a person directly from that individual, which we intend to keep, we need to provide that person with information relating to the processing that we intend to carry out. In particular, we will tell them:
The type of information we will be collecting (categories of personal data concerned)
Who will be holding their information, i.e. The Slimming Clinic
Why we are collecting their information and what we intend to do with it
The legal basis for collecting and processing their personal information
If we are relying on legitimate interests as a basis for processing, what those legitimate interests are
Whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data
The period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period
Details of the people or organisations with whom we will be sharing their personal data
If relevant, the fact that we will be transferring their personal data outside the EEA and details of relevant safeguards
The existence of any automated decision-making including profiling in relation to that personal data
Where we obtain personal data about a person from a source other than the person his or her self, we must provide that individual with the following information in addition to the above:
The categories of personal data that we hold
The source of the personal data and whether this is a public source
In addition, in both scenarios (where personal data is obtained both directly and indirectly), we must also inform individuals of their rights outlined below, including the right to lodge a complaint with the ICO and, the right to withdraw consent to the processing of their personal data.
This fair processing information can be provided in a number of places including on web pages, in mailings or on application forms. We must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.
PROCESSING DATA FOR THE ORIGINAL PURPOSE
The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when we first obtained their information.
This means that, ordinarily, we should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, that is not specifically permitted by the GDPR, the individual should be informed of the new purpose beforehand.
PERSONAL DATA SHOULD BE ADEQUATE AND ACCURATE
The third and fourth data protection principles require that personal data that we keep should be accurate, adequate and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Personal data that is no longer needed should be destroyed securely, and we must take every reasonable step to ensure that personal data which is inaccurate is corrected.
NOT RETAINING DATA LONGER THAN NECESSARY
The fifth data protection principle requires that we should not keep personal data for longer than we need to for the purpose it was collected for. This means that the personal data that we hold should be destroyed or erased from our systems when it is no longer needed.
As a provider of medical services, we are legally required to hold certain data for specific periods of time. For guidance on how long particular types of personal data that we collect should be kept for before being destroyed or erased, please contact Catherine Meyrick (Data Protection Officer).
The sixth data protection principle requires that we keep secure any personal data that we hold.
We are required to put in place procedures to keep the personal data that we hold secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
When we are dealing with sensitive personal data, more rigorous security measures are likely to be needed, for instance, if sensitive personal data (such as details of an individual’s health, race or sexuality) is held on a memory stick or other portable device it should always be encrypted.
When deciding what level of security is needed, our starting point will be to look at whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.
The following security procedures and monitoring processes must be following in relation to all personal data processed by us:
Backing up data (daily back-ups are taken of all the data on the system and data should not be stored by staff on local drives or removable media as these will not be backed up)
Staff should always ensure that individual monitors do not show confidential information to passers-by and that they log off or “lock” their PC when it is left unattended
Paper documents should be shredded, memory sticks, CD-ROMs and other media on which personal data is stored should be physically destroyed when they are no longer required
Personal data must always be transferred in a secure manner (the degree of security required will depend on the nature of the data)
Desks and cupboards should be kept locked if they hold confidential information of any kind
Staff must keep data secure when travelling or using it outside the offices
Staff must take steps to ensure we are giving information only to authorised persons when it is requested. This involves requesting at least two pieces of security information that you can match with data we have on record, for example, a date of birth and a postcode.
RIGHTS OF INDIVIDUALS UNDER THE GDPR
The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of The Slimming Clinic needs to be aware of these rights. They include (but are not limited to) the right:
To request a copy of any personal data that we hold about them (as a data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights)
To be told, where any information is not collected from the personal directly, any available information as to the source of the information
To be told of the existence of automated decision-making
To object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests
To object to direct marketing, including profiling for such purposes
To have all personal data erased (the right to be forgotten) unless certain limited conditions apply
To restrict processing where the individual has objected to the processing
To have inaccurate data amended or destroyed
To obtain and reuse their personal data for their own purposes across different services (right to data portability). This right only applies to data that has been provided to us by the data subject, where the processing is based on consent or the performance of a contract and when processing is carried out by automated means. The data will be provided in a structured, commonly used and machine-readable format.
SUBJECT ACCESS REQUESTS
Under the GDPR, people have the right to request a copy of any personal data we hold about them. To do this, they must request a copy of the data in writing (email requests are valid as are requests made via other social media platforms). Staff should refer all such requests to Tom Pearson (HR & Operations Manager) immediately on receiving a request and in any event within 24 hours. Staff should not disclose personal data themselves in response to a request.
In almost all cases, there will be no charge for a subject access request and the company should usually respond to the request within one month of receipt of the request.
We must verify the identity of the individual making the request by asking for proof of ID.
TRANSFERRING DATA OUTSIDE THE EEA
The GDPR requires that when organisations transfer personal data outside the EEA, they take steps to ensure that the data is properly protected.
The European Commission has determined that certain countries provide an adequate data protection regime. These countries currently include Andorra, Argentine, Canada, Guernsey, Isle of Man, Israel, New Zealand, Switzerland, Faroe Islands, Jersey and Uruguay, but this list may be updated.
As such, personal data may be transferred to people or organisations in these countries without the need to take additional steps beyond those you would take when sharing personal data with any other organisation. In transferring personal data to other countries outside the EEA (which are not on this approved list), it will be necessary to enter into an EC-approved agreement, seek the explicit consent of the individual, or rely on one of the other derogations under the GDPR that apply to the transfer of personal data outside the EEA.
We currently do not transfer any personal data outside of the EEA.
For further information, please speak to Catherine Meyrick (Data Protection Officer).
PROCESSING SENSITIVE PERSONAL DATA
On some occasions we may collect information about individuals that is defined by the GDPR as special categories of personal data, and special rules will apply to the processing of this data. In this policy we refer to “special categories of personal data” as “sensitive personal data.” The categories of sensitive personal data are defined earlier in this document.
Purely financial information is not technically defined as sensitive personal data by the GDPR. However, particular care should be taken when processing such data, as the ICO will treat a breach relating to financial data very seriously.
In most cases, in order to process sensitive personal data, we must obtain explicit consent from the individuals involved. As with any other type of information we will also have to be absolutely clear with people about how we are going to use their information.
As The Slimming Clinic provides a medical service, we have a legal and regulatory obligation to obtain and record certain medical information. If an individual is not willing to provide “explicit consent” to us processing relevant medical or sensitive personal data then we will have to refuse treatment or services.
We recognise that whilst there is no obligation for us to make an annual notification to the ICO under the GDPR, we will consult with the ICO where necessary if and when we are carrying out “high risk” processing.
We will report breaches (other than those which are unlikely to be a risk to individuals) to the ICO where necessary, within 72 hours. We will also notify affected individuals where the breach is likely to result in a high risk to the rights and freedoms of these individuals.
Staff that become aware of a breach should immediately notify his/her line manager and Tom Pearson (HR & Operations Manager)
MONITORING AND REVIEW OF THE POLICY
This policy is reviewed annually by the company Directors and Senior Management to ensure that it is achieving its objectives.
Data Protection Policy
The Slimming Clinic – DATA PROTECTION POLICY (GDPR)