KEEPING YOUR RECORDS

City Aesthetics Chester complies with the Data Protection Act 1998 and with the General Data Protection Regulation (GDPR) 2018.

This policy describes our procedures for ensuring that personal information about patients and staff is processed fairly and lawfully. This policy applies to anyone who interacts with City Aesthetics Chester Ltd, whether you ask us about, buy or use our products or services.

If you pass on information to us about other people you must make sure that they have seen a copy of this policy and agree with it.

What personal data do we hold?

In order to provide you with a high standard of care and attention, City Aesthetics Chester Ltd needs to hold personal information about you. This personal data comprises:

  • Your past and current medical condition
  • Personal details such as your age, date of birth, address, telephone number, email address and your general medical practitioner
  • Information about the treatment that we have provided or propose to provide and its cost
  • Notes of conversations/incidents that might occur for which a record needs to be kept
  • Records of consent to treatment
  • Correspondence relating to you with other health care professionals, for example in the hospital or community services
  • Pre- and post-treatment photographs (these will not be shared externally unless written consent is given for advertising purposes)
  • Email/social media correspondence

Why do we hold information about you?

We need to keep comprehensive and accurate personal data about our patients and our staff in order to provide them with safe and appropriate care.

We also need to process personal data about you in order to provide care under clinical arrangements and to ensure the proper management and administration of the clinic. We also need to be able to justify or defend our own actions in the event of any claim or dispute surrounding a treatment.

How we process the data

We process your personal information for the purposes set out in this privacy notice. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing). We normally process standard personal information if this is necessary to provide the services set out in a contract, or it is required or allowed by any law that applies.

Please see below for more information about this and the reasons why we may need to process special category information. By law, we must have a lawful reason for processing your personal information.

We process standard personal information about you if this is necessary to provide the services set out in a contract: if we have a contract with you, we will process your personal information to fulfil that contract (that is, to provide you and your dependants with our products and services, as required or allowed by law).

We process special category information about you because:

  • It is necessary for an insurance purpose (for example, advising on, arranging, providing or managing an insurance contract, dealing with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or law).
  • It is necessary to establish, make or defend legal claims (for example, claims against us for insurance).
  • It is necessary for the purposes of preventing or detecting an unlawful act in circumstances where we must carry out checks without your permission so as not to affect the outcome of those checks (for example, anti-fraud and anti-money-laundering checks or to check other unlawful behaviour, or carry out investigations with other insurers and third parties for the purpose of detecting fraud).
  • It is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response to a safeguarding concern, a member’s complaint or a regulator (such as the Care Quality Commission or the General Medical Council, General Dental Council, Nursing Midwifery Council) telling us about an issue).
  • It is in the public interest, in line with any laws that apply.
  • It is information that you have made public; or we have your permission. As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for and ask you to confirm your choice to give us that permission. If we cannot provide a product or service without your permission (for example, we can’t manage and run a health trust without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a product or service that relies on having your permission.
We will process personal data that we hold about you in the following way:

    Security of information

    Personal data about you is held in the clinic's computer system and/or in a manual filing system. Manual/paper copies of information filled in by you are only kept for the minimum time it takes for us to scan them onto our clinical software; these documents are then shredded. If paper copies are left overnight before shredding they are placed in a locked filing cabinet. The information is not accessible to the public and only authorised members of staff have access to it. All patient information, consent, treatment plans etc. are held on Clinic Office software, which is password protected. Our computer system has its own password protection in addition to that on the Clinic Office software, emails and social media platforms. We have secure audit trails and we back up information weekly to an encrypted secure external hard drive.

    All computers/clinical software are locked when left unattended.

    All information held on our computer system has two-stage protection, in addition to McAfee firewall protection and protection on our Wi-Fi network to prevent hacking.

    All mobile data devices used by clinic staff which contain personal identifiable information about clients are passcode protected, require manual login/logout for social media and email systems (they do not remain signed in automatically) and have remote wiping enabled in the event of loss or theft.

    In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent.

    Where possible you will be informed of these requests for disclosure.

    Data is physically secured via: locks on all doors, locking filing cabinets and physical bolting of computers to desks.

    If you do not agree

    If you do not wish personal data that we hold about you to be disclosed or used in the way that is described in this policy, please discuss the matter with our clinical director. You have the right to object, but this may affect our ability to provide you with treatment.

    GDPR Consent and Regulations

    In line with the new regulations, before 25.05.18 we advised all existing clients of the regulations via a number of platforms and requested that they opt in to receive future communications. Any clients who opted out or did not reply have been removed from our marketing correspondence; however, in line with the regulations, the required data will continue to be held by us and could be used to defend ourselves should a claim arise.

    You can request at any time to be informed about any data we hold on you; we will respond within 1 month of the request. You must provide full identification to us to enable us to release the data in line with GDPR regulations. You will not be charged for any data request.

    You have the right to request we delete any data held on you, apart from that which would aid us in defending a claim as outlined above.

    We will request that you fill out our GDPR consent form when you attend the clinic for the first time after 25.05.18, when the regulations came into force. We will adhere to your answers on this form until you inform us in writing otherwise. We are, however, entitled under these regulations to contact you via other means if deemed in your best interests or where there is a legitimate interest. All our staff who have access to personal identifiable information have been trained in these regulations and have received a copy of our handbook advising them on their conduct to ensure they comply fully with the latest regulations.

    If a data breach occurs, we will notify all data subjects along with the ICO. We are registered with the ICO under registration number ZA251287.

    How long do we keep your data?

    We follow the Department of Health’s Guidelines on retention periods for medical records along with guidance from our insurance companies. Current guidelines state that records should be kept for:

    • 11 years (adults)
    • Until the age of 25 years old (children)

    up to a maximum of 30 years. Current guidelines do not require us to inform you before we destroy your medical records, as long as they have been kept for the recommended period of time. We will always destroy data in a confidential and responsible manner in order to protect your identity and rights.

    Your Rights

    You have the right to access your information and to ask us to correct any mistakes, and to delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided, and to withdraw permission you have given us to use your information. For more information, see below.

    You have the following rights (certain exceptions apply).

    • Right of access: the right to make a written request for details of your personal information and a copy of that personal information.
    • Right to rectification: the right to have inaccurate information about you corrected or removed.
    • Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased.
    • Right to restriction of processing: the right to request that your personal information is only used for restricted purposes.
    • Right to object: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interests. You can object to our use of your information for profiling purposes where it is in relation to direct marketing.
    • Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats.
    • Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of City Aesthetics Chester Ltd's use of your personal information prior to the withdrawal of your consent, and we will let you know if we will no longer be able to provide you with your chosen product or service.
    • Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have.

    Please note: Other than your right to object to the use of your data for direct marketing (and profiling to the extent used for the purposes of direct marketing), your rights are not absolute: they do not always apply in all cases and we will let you know in our correspondence with you how we will be able to comply with your request.

    If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. If we do not meet your request, we will explain why.

    If you have any queries or concerns relating to this policy please contact us on:

    info@cityaestheticschester.com

    City Aesthetics Chester Ltd
    10 City Road
    Chester
    CH1 3AE