Lymph Solutions
Ltd. Privacy
Policy
(Updated
20th. September 2021)
1. CONTACT
INFORMATION
2. CLIENTS:
2.2.1
Health Data
2.2.2
GDPR: Article 6
2.2.3
GDPR: Article 9
2.3
Data and Information Storage
2.3.1
Retention Policy
2.4
Your Rights
3. STUDENTS:
3.3
Data and Information Storage
3.4
Your Rights
4. HOW TO
COMPLAIN
4.1
Lymph Solutions and ICO contact
1. CONTACT
INFORMATION
Website:
www.lymphsolutions.co.uk
|
Jeanne
Everett
(Director) 6, Fellside
Gardens
Durham
City DH1
1AB Mb: 07983
385283 Email:
jeanne@lymphsolutions.co.uk or jeanne.everett@btopenworld.com |
John
Everett
(Company
Secretary) 6, Fellside
Gardens Durham
City
DH1
1AB Mb: 07976
013709 Email:
|
Data protection laws
and regulations require all companies who “process” personal information (i.e.
companies who keep written/computerised records concerning their
customers/clients) to provide public information about the type of personal
information they collect.
2.
CLIENTS
2.1 Personal
Information (Return to index: Ctrl +
Click)
We (Lymph Solutions
Ltd) collect and process the following personal information from clients for
whom Jeanne is providing MLD therapy or other appropriate treatment or
treatments.
·
Name
·
Address
·
Contact telephone
number
·
Email
address
We will ask you to
provide us with this information so that we can keep in contact with you and
make contractual arrangements for your treatment, which is usually given in
your own home.
Once treatment has
been given, we will also keep records of how much has been paid for it. This
is so that we can keep accounts – as required by law – for Company House and
HMRC.
The information
will not be used for any kind of promotion, nor will it be shared with any
third parties except insofar as it is necessary to do so with any agents for
the purpose of making legally-required financial
returns.
Under the General
Data Protection Regulations (GDPR), Article 6, the lawful bases
we rely on for processing this information are:
·
Your
consent
·
We have a
contractual obligation
·
We have a legal
obligation (e.g.to keep detailed company
accounts)
These bases are
explained in further detail in section 2.2.2 below.
2.2
Special Category
Data (Return to index: Ctrl +
Click)
This data is
“special” because it is of a more sensitive nature than the personal data
listed above.
The UK General Data
Protection Regulations (GDPR) lists nine types of special categories and the
one which is relevant to Lymph Solutions Ltd. is data concerning
health.
We collect and
process the following Special Category Data from clients for whom Jeanne is
providing MLD therapy or other appropriate treatment or
treatments.
·
Age
·
Weight
·
Diet
·
Information about
client’s GP (name, surgery name & address etc.)
·
Current
medication
·
Relevant medical
history, including cellulitis history
·
Lymphodoema
diagnosis and present condition
Jeanne will ask you
to provide her with some or all of this information so that she can ensure you
are provided with the correct treatment.
She will also keep
a record of information she acquires from a clinical examination of the body
areas affected by lymphatic swelling and infection,
including:
Skin condition;
tissue condition; swelling shape, site and size
Once treatment has
begun, Jeanne will also process and record:
·
Treatment provided
and outcomes, including:
o Therapies
given
o bandaging,
ointments, lotions or other pharmaceutical product given
·
Any other
information out-with this list which is relevant to a client’s request for
treatment from Lymph Solutions Ltd., and for which their explicit consent has
been received. This may include any additional data which has been obtained by
virtue of communications with other health care professionals and
providers.
2.2.2
GDPR: Article
6 (Return to index: Ctrl +
Click)
Under the General
Data Protection Regulation (GDPR), the Article 6 lawful bases we rely
on for processing this information are one or more of the following –
depending on the specific nature of the information and
data:
i.
Your consent:
Jeanne will ask you
to sign a statement of consent when treatment is
begun.
ii. If you accept,
verbally or in writing, a quotation for treatment provided by Jeanne (also
verbally or in writing) then this will be the basis of the contract
between Lymph Solutions and yourself. We will need to keep records
concerning the treatment given in order to demonstrate how we have fulfilled
the contact between ourselves.
iii.
We have a legal
obligation to keep treatment records:
iii.1.
To comply with the
Nursing and Midwifery Council code of professional conduct, section 10.
“keep clear and accurate records relevant to your
practice”
iii.2.
To comply with the
requirements of MLD UK (association of MLD practitioners) and insurance
provided through them by Balens Insurance. Section 14
(a) of the policy requires us to “adequately record each and every
treatment given to each and every client”.
Section 14 (c)
requires us to keep the records for “at least 7 years following the last
occasion on which treatment was given”.
iii.3.
Appendix ll of the
NHS Records Management Code of Practice, 2021, stipulates that adult health
records should be recorded accurately and retained for 8
years
2.2.3
GDPR: Article
9 (Return to index: Ctrl +
Click)
Because we are
processing special category data, the GDPR regulations also requires us
to identify at least one Article 9 condition for doing so. We have
identified the following conditions from Paragraph 2 of the article as
being appropriate:
(a)
Explicit
Consent
(g) Reasons of Substantial Public
Interest (with a basis in law)
(h) Health or Social Care (with a
basis in law)
Schedule 1 of the
Data Protection Act 2018 provides a list of legally valid ways to meet the
conditions which have been identified from Paragraph 2 of Article
9.
·
Lymph Solutions
Ltd. meets the Public Interest condition (Article 9.2g above), on
account of the need to process special category data for Insurance
Purposes, as detailed in Paragraph 20 of Schedule 1 (Data Protection Act,
2018).
As previously
mentioned, to comply with the requirements of MLD UK (association of MLD
practitioners) and the terms of the insurance provided through them by Balens
Insurance (Section 14a), Lymph Solutions Ltd. is required to “adequately
record each and every treatment given to each and every
client”.
Section 14c of the
policy requires us to keep the records for “at least 7 years following the
last occasion on which treatment was given”.
·
Lymph Solutions
Ltd. meets the Health Care condition (Article 9.2h above), on account
of the need to process special category data for Health Care purposes
(i.e. Lymphoedema treatment), as detailed in Paragraph 2 of Schedule 1
(Data Protection Act, 2018).
The specific
health purposes which apply to the special category data processed by Lymph
Solutions Ltd. are listed in Paragraph 2 as being:
(a) Preventive or
occupational medicine
(b) Medical
diagnosis
(d) Provision of
health care or treatment
By way of
summary:
In order to provide
professional and safe lymphoedema-related treatment, Lymph Solutions Ltd. needs
to collect and process special category data for the public interest and
health care purposes which we have identified from Article 9 of the GDPR. The
legal bases which underpin our data processing are given in Article 6 of the
GDPR: consent, contract requirements and legal
requirements.
·
Finally, Lymph
Solutions Ltd. meets the Explicit Consent condition for processing
special category data (Article 9.2a above) by explaining to our clients the
nature of the data we will collect and specifically asking for their consent.
We ask them to confirm their agreement with a signature on the appropriate
document.
Having explained to
you, our clients, what data we collect, why we collect it, and how the General
Data Protection legislation both permits and controls our data processing, we
rely on the Explicit Consent condition as the final
arbiter. Without your consent, confirmed by your signature on a clearly
worded document, we will not begin to collect special category health
data. In consequence, it will not be possible to provide you with specific
health treatment. This will be explained to you at an early stage in our
relationship with you as a client.
Once – having
obtained your consent – treatment has begun, none of the personal
information or special category data will be shared with any third parties. It
will be held securely by Lymph Solutions Ltd. and treated as entirely
confidential.
Should it be
necessary to share any of your personal information or special category data
with a client’s GP – or any other health care professional/provider – in order
to provide what Jeanne has determined to be the most appropriate treatment,
then your consent will be requested and you will be asked to confirm this with
a signature.
This consent can be
withdrawn at any time. Please see the section further on concerning your rights.
Important
condition: Lymph Solutions
Ltd. would like our clients to be aware that any personal information
contained on invoices MAY need to be seen by the tax authorities and/or our
appointed accountants if this is required in order to submit annual returns or
if a disclosure request is made by any authorized government agency. Further
information on our retention policy with respect to invoices and other
financial documents can be found at 3.1.2 and 3.2.1 below (ctrl/click here)
2.3
Data and
Information Storage: (Return to index: Ctrl +
Click)
Article 5
(paragraph 1a) of the UK’s GDPR requires us to process your (our clients’)
information and data “lawfully, fairly, and transparently”. We have
spent a long time reviewing how we look after your information to ensure that
we comply these three principles. We aim to ensure that we don’t collect and
hold any more information than we need to in order to provide our clients with
safe and appropriate treatment, whilst – at the same time – also ensuring that
we, as Lymph Solutions Ltd., fulfil our legal
obligations.
We recognise that a
significant amount of the personal information and special category data which
Lymph Solutions Ltd. processes concerning our clients’ health is potentially
extremely sensitive. We also recognise that the loss, disclosure or theft of
these health records could cause considerable embarrassment and distress to
those affected.
Having made a
comprehensive review of our security processes, however, and carefully studied
the advice from the Information Commissioner’s Office, we have not felt it
necessary to complete a formal Data Protection Impact Assessment (DPIA).
Although we process special category data (health), we do not do so on a scale
sufficiently large to warrant a DPIA. This is because, having reviewed what
information we process and how we record it, we don’t believe that our
processing activities are likely to result in a high risk to the rights
and freedoms of our clients. In this regard, we would like to reassure our
clients that the information which we store electronically is only ever
accessed by John and Jeanne. Together, as officers of Lymph Solutions Ltd., we
have an agreed documented procedure for ensuring that the security and
confidentiality of client records is paramount.
All of the
information and data which we process is kept securely in cloud storage. We
have set a two-factor verification system for cloud access, and we have a
verified “strong” password for the laptops and tablets which we use. All of
our data storage devices (laptops, tablets and phones) are encrypted as fully
as possible.
We have a written
company policy for electronic data security (including safeguards against loss
or theft), and a copy is available on request.
2.3.1
Retention policy
(Return to index: Ctrl +
Click)
As explained in
section 2.2.2. above (click here), in order to
comply with the requirements of MLD UK (association of MLD practitioners) and
the terms of the insurance provided through them by Balens Insurance (Section
14a), Lymph Solutions Ltd. is required to “adequately record each and every
treatment given to each and every client”.
Section 14c of the
policy requires us to keep the records for “at least 7 years following the
last occasion on which treatment was given”.
We also explained
how Appendix ll of the NHS Records Management Code of Practice, 2021,
stipulates that adult health records should be recorded accurately and
retained for 8 years.
Before beginning
treatment, we will always ask for the explicit consent of our clients to
process the data which we need in order to fulfil our contractual
responsibility to provide them with the best possible health care in relation
to the treatment of their lymphoedema or associated condition (ctrl/click here). Once we have
begun to collect this information, we will need to keep it for eight years
since we last treated a client. After this time limit has passed, all
information concerning the client will be securely erased from our cloud
storage and electronic storage devices. All paper records will also be
destroyed – if they haven’t already been.
You, our client,
will always have a right to withdraw your consent. This is explained below in
section 2.4.5 (click here). We will then
stop processing further information and data, although existing records will
still need to be kept in line with our retention policy.
2.4
Your Rights.
(Return to index: ctrl + click here)
Under data
protection law, you have various rights. These are:
2.4.1
Access to any electronic
information which we hold about you.
If you contact
either Jeanne or John (ctrl/click here), then we will
arrange to let you have a copy of the information we are
holding.
This will be
presented to you in a written report which is both comprehensive and clear.
Normally, we would expect to provide you with this within 14 working days from
the date of your request. This may need to be extended if either of us/both of
us are away on holiday or experiencing ill health. In this event, we will let
you know how long we expect your request to take.
2.4.2
Rectification of any information
which you believe to be incorrect and/or inclusion of any relevant
information which you believe to be missing.
If any such
correction is needed, please will you contact Jeanne or John in writing
using the contact information given above (ctrl/click here). If the
correction is straightforward, then we would expect to make the changes in
line with the timeframe given at 2.4.1 above.
If the changes are
needed urgently, then we will do our very best to ensure that they are made
more quickly.
If we need to
obtain any further verification before the change can be made, then the change
may be delayed until we are in receipt of the required
verification.
2.4.3
Erasure – in certain
circumstances – of any personal information of yours which we are
holding.
If you don’t want
Lymph Solutions Ltd. to carry on holding personal information about you and
your treatment, then please contact John or Jeanne in writing using the
contact information given above (ctrl/click here).
We will be glad to
review your records to determine if there is any information we can erase. We
need to emphasize that is highly unlikely there will be any such information.
This is explained in our retention policy at 2.3.1
above.
Following any
request for erasure, we will offer you a full explanation of what is possible
and what the implications for your treatment are.
2.4.4
Portablility
of information which are holding about you. You have the right to ask that we
transfer the personal information you gave us to another organisation, or to
you, in certain circumstances.
If any such
transfer is needed, please will you contact Jeanne or John in writing
using the contact information given above (ctrl/click here). If the request
is straightforward, then we would expect to make the changes in line with the
timeframe given at 2.4.1 above. In certain circumstances, however, it
may take us up to one month to comply with your request.
2.4.5
Object
to Lymph Solutions
Ltd processing your personal information or special category data, or
withdraw your consent for us to do so.
2.4.6
Request that we
restrict the type of information or data which we process
The reasons why
Lymph Solutions Ltd. needs to collect and process the client information and
data specified above in sections 2.1 and 2.2 have been explained throughout
this policy.
On account of these
reasons, and provided we have acted in compliance with data protection law, it
is unlikely that any objection you make to Lymph Solutions Ltd. collecting and
processing the personal information and special category data which we have
referenced in sections 1a and 1b will result in removal of information and
data already processed. Nor is it likely that you will be able to request that
we restrict the information and data which we collect and process if you still
require ongoing treatment.
You will always,
however, retain the right to withdraw the original consent which you provided
with your signature. Lymph Solutions Ltd. will then stop processing any
information or data that is dependent on your consent.
To withdraw your
consent, please will you contact Jeanne or John in writing using the
contact information given above (ctrl/click here). As soon as we
have been able to satisfy ourselves that there is no other lawful reason
restraining us (and – at the time of writing this policy – we can think of no
such reason), then we will reply to you in writing confirming that your
request has been complied with. As explained in 2.3.1 above, we will still
need to retain information which has already been collected and
processed.
Please be aware
that without your consent to processing certain personal information and
special category data, it will not be possible for Jeanne to provide/continue
providing you with a particular course of treatment. We will write to you with
a full explanation of the situation as soon as possible after we have received
your written notice of consent withdrawal.
3.
STUDENTS (Return to index: Ctrl + Click here)
Jeanne
Everett, director of Lymph Solutions Ltd., organises and teaches at training
courses for health care professionals. The courses can be broadly classified
under the title of “the management and treatment of lymphoedema and associated
conditions”.
3.1 Personal
Information
We (Lymph Solutions
Ltd) collect and process the following personal information from students who
are applying to attend or are attending a lymphoedema training
course:
·
Name
·
Place of
work
·
Job
title
·
Email
address
·
Mobile
number
·
Health care
qualifications
·
Amount paid for
training
·
Evaluation of
training achievment
Under the General
Data Protection Regulations (GDPR), Article 6, the lawful bases
we rely on for processing this information are:
·
We have a
contractual obligation
·
We have a legal
obligation (e.g.to keep detailed company
accounts)
3.1.1
We have a
contract with the students who enrol on a course
delivered by Jeanne. In short, you (the student) agree to pay Lymph Solutions
Ltd. a sum of money and we (Lymph Solutions Ltd.) agree to provide the
education detailed in the course outline.
We need to collect
much of the personal information listed above in order to arrange and deliver
the training courses. Some of the information is also required for course
evaluation, which will be delivered at your request and with your consent to
appropriate third parties (e.g. employers, course funders, or potential
employers).
Some of the
information is also required in order to prepare invoices, to yourself or to
employers.
3.1.2
We have a legal
obligation to issue and retain invoices as part of our limited company
record-keeping obligations.
Information on
the Gov.UK website concerning “running a limited company” states that
“you must keep accounting records that include all money received by the
company, for example invoices, contracts, sales books and till
rolls.”
Lymph Solutions Ltd. would like our
clients to be aware that any personal information contained on invoices MAY
need to be seen by the tax authorities and/or our appointed accountants if
this is required in order to submit annual returns or if a disclosure request
is made by any authorized government agency.
3.2
Retention Policy
(Return to Index: Ctrl + Click here)
3.2.1
In 3.1.2 above we
explained that the tax authorities require us, as a company, to keep and
retain accounting records. The same Gov.UK source adds that “you must keep
records for 6 years from the end of the last company financial year they
relate to.”
In keeping with
this requirement, any personal information which forms an essential part of
Lymph Solutions Ltd. invoice preparation (e.g. name, address, cost of
treatment, and any other data on the invoice given to you) will be retained
for 6 years as specified in 3.2.1. At the end of this period, the information
will be securely deleted from our cloud storage and electronic storage
devices. All paper records will also be destroyed – if they haven’t already
been.
3.2.2
Apart from the
invoice information referred to in 3.2.1 above, all other information and data
relating to students will be securely removed from our cloud storage and
electronic storage devices as soon as it is possible for us to do so after
three years have elapsed since
the date of the student’s last course date.
The reason why
the personal information of students will be retained for three years is so
that it can be used as proof of training and also a record of evaluation.
Where appropriate, and with explicit consent, the student’s name, email
address, job title and date of training will be shared with Casley-Smith
Lymphoedema Education UK (CASLE UK) so that their training records can be
updated. During the three year period, Lymph Solutions Ltd. will be happy to
share the information being held with any agency or institution (e.g. a
nursing body or potential employer) following a written request from the
student.
3.2.3
Lymph Solutions
Ltd. will not share your personal information with any third party
except if we are required to do so in order to comply with our accounting
obligations as a limited company. Nor will your information be used for any
promotional purposes. Lymph Solutions may, however, use your information to
advise you of future courses being held as and when this is appropriate. We
would like to offer assurance that this will only ever be
occasional.
3.3
Data information
and storage.
On account of
processing special category health data for our clients, Lymph Solutions Ltd.
has ensured that our storage systems are as safe and secure as we can possibly
make them. The personal information and data of our students benefits from
exactly the same level of storage security Please refer to section 2.3 for
further information concerning this. (Ctrl/click
here)
3.4
Your
Rights (Return to index: Ctrl + Click here)
Your rights – as
a Lymph Solutions Ltd. student – of access, rectification, erasure,
portability and objection in respect of the information and data
which we process and hold are broadly in line with those of our clients.
Please refer to section 2.4 (Ctrl/click here) for further
information about these rights and how to exercise them.
In sections 3.1.1
and 3.1.2 we explained our contractual and legal obligations in relation to
the personal information we collect from our st. In
summary:
·
We need to
collect the information and data we have listed in order to for you to enrol
on a training course and enter into a contract with Lymph Solutions Ltd. as
the course provider. And we need to retain this information and data until the
course has been completed and payment made. We generally, however, retain the
information for three years as explained in 3.2.2 above.
·
We also need to
collect certain invoice information for our company accounting
responsibilities and retain it for 6 years as explained in 3.2.1
above.
These bulleted
points will act as constraints on your rights as listed above. Aside from
these constraints, however, Lymph Solutions will ensure your rights are fully
enacted following a written/emailed request.
4.1.
If you have
any concerns about our use of your personal information, you can make a
complaint to us at john@lymphsolutions.co.uk
4.2 You
can also complain to the ICO if you are unhappy with how we have used your
data.
Information
Commissioner’s Office
Wycliffe
House
Water
Lane
Wilmslow
Cheshire
SK9
5AF
Helpline number:
0303 123 1113
ICO website:
https://www.ico.org.uk