top of page

Privacy Policy

Data Protection Policy 

 

This policy applies to the processing of personal data in manual and electronic records kept by Hilot Massage Therapy under the General Data Protection Regulations. 

 

This policy applies to the personal data of clients of Hilot Massage Therapy (the company). These are referred to in this policy as relevant individuals.

 

“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, address, contact details.

 

“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, and religion.

 

“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Hilot Massage Therapy makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate) is processed in line with GDPR and domestic laws and conducts themselves in line with this, and other related, policies. In line with current data protection legislation, the company   understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.

 

Types of Data Held

Personal data is kept in files within the company’s own systems. The following types of data may be held, as appropriate, on relevant individuals:

 

  • name, address, phone numbers 

  • medical or health information

  • treatment records 

 

 

Data Protection Principles

All personal data obtained and held will:

 

  • be processed fairly, lawfully and in a transparent manner

  • be collected for specific, explicit, and legitimate purposes

  • be adequate, relevant, and limited to what is necessary for the purposes of processing

 

  • only use it in the way that we have told you about

  • ensure it is correct and up to date

  • process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed.

  • be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay

  • not be kept for longer than is necessary for its given purpose

  • be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage by using appropriate technical or company measures

  • comply with the relevant data protection procedures.

 

In addition, personal data will be processed in recognition of an individuals’ data protection rights, as follows:

 

  • the right to be informed

  • the right of access

  • the right for any inaccuracies to be corrected (rectification)

  • the right to have information deleted (erasure)

  • the right to restrict the processing of the data 

  • the right to portability

  • the right to object to the inclusion of any information 

  • the right to regulate any automated decision-making and profiling of personal data.

​

Procedures

The company has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:

 

  • it can account for all personal data it holds.

  • access to data is limited, secure and protected. 

  • it recognises the importance of seeking individuals’ consent for obtaining, recording, using, storing, and retaining their personal data, and regularly reviews its procedures for doing so. 

  • The company understands that consent must be freely given, specific, informed, and unambiguous. Consent will be sought on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time.

 

Access to Data

Relevant individuals have a right to be informed whether the company processes personal data relating to them and to access the data that the company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:

 

  • the request should be made in writing to  [insert details]  

  • there will not charge for the supply of data unless the request is manifestly unfounded, excessive, or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request.

  • the company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.

 

Relevant individuals must inform the company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The company will take immediate steps to rectify the information. 

 

Data Security 

The company adopts procedures designed to maintain the security of data when it is stored. 

 

  • ensures that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them

  • ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people

  • refrain from sending emails containing sensitive information

  • check regularly on the accuracy of data being entered into computers

  • always use passwords to access the computer system and not pass them on to people who should not have them

  • use computer screen blanking to ensure that personal data is not left on screen when not in use.

  • ensure that laptops or USB drives are not left lying around where they can be stolen.

 

Breach Notification

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the company becoming aware of it and may be reported in more than one instalment. 

 

Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.

bottom of page