1.1 Principles The Ear Wax Clinic is a data controller and has a legal duty, in line with the General Data Protection Regulation (GDPR), to explain why it is using client data and what data is being used.
1.2 Status The Ear Wax Clinic aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies. This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.
1.3 Training and support The Ear Wax Clinic will provide guidance and support to help those to whom it applies to understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2.1 Who it applies to This document applies to all who work at The Ear Wax Clinic and other individuals performing functions in relation to The Ear Wax Clinic.
2.2 Why and how it applies to them Everyone should be aware of the practice privacy notice and be able to advise clients, their relatives and carers what information is collected, how that information may be used and with whom The Ear Wax Clinic will share that information. The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to clients about how their personal data is used is a key element of the General Data Protection Regulation.
3 Definition of terms
3.1 Privacy notice A statement that discloses some or all of the ways in which The Ear Wax Clinic gathers, uses, discloses and manages a client’s data. It fulfils a legal requirement to protect a client’s privacy.
3.2 Data Protection Act 2018 (DPA18) 1 The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
3.3 Information Commissioner’s Office (ICO)2 The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
3.4 General Data Protection Regulation (GDPR)3 The GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GPDR came into effect in May 2018.
3.5 Data controller The entity that determines the purposes, conditions and means of the processing of personal data.
3.6 Data subject A natural person whose personal data is processed by a controller or processor.
4 Compliance with regulations
4.1 GDPR In accordance with the GDPR, The Ear Wax Clinic will ensure that information provided to subjects about how their data is processed will be: • concise, transparent, intelligible and easily accessible, • written in clear and plain language, particularly if addressed to a child, and • free of charge.
4.2 Article 5 compliance In accordance with Article 5 of the GDPR, The Ear Wax Clinic will ensure that any personal data is: • processed lawfully, fairly and in a transparent manner in relation to the data subject, • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay, • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, and • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.
4.3 Communicating privacy information At The Ear Wax Clinic, the privacy notice is displayed on our website, through signage in the waiting room and in writing during client registration. We will: • inform clients how their data will be used and for what purpose, and • allow clients to opt out of sharing their data, should they so wish.
4.4 What data will be collected? At The Ear Wax Clinic, the following data will be collected: • client details (name, date of birth, NHS number), • address and NOK information, • care notes (paper and electronic), • details of treatment and care, including medications, and • any other pertinent information.
4.5 Privacy notice checklists The ICO has provided a privacy notice checklist which can be used to support the writing of The Ear Wax Clinic’s privacy notice. The checklist can be found by following this link.
4.6 Privacy notice template A privacy notice template can be found at Annex A.
It is the responsibility of all staff at The Ear Wax Clinic to ensure that clients understand what information is held about them and how this information may be used. Furthermore, The Ear Wax Clinic must adhere to the DPA18 and the GDPR to ensure compliance with extant legal rules and legislative acts.
Annex A – Practice privacy notice The Ear Wax Clinic has a legal duty to explain how we use any personal information we collect about you, as a registered client, at The Ear Wax Clinic.
Staff at The Ear Wax Clinic maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment, etc. and any other relevant information to enable us to deliver effective ear care.
How we will use your information.
Your data is collected for the purpose of providing direct client care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest.
Maintaining confidentiality and accessing your records.
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR) as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
What to do if you have any questions.
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit www.ico.org.uk and select “Raising a concern”.