Josh Carrington Acupuncture Data Protection Policy 2025
1. Introduction
This policy outlines how Josh Carrington Acupuncture collects, processes, and stores personal data in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The aim is to protect the rights and privacy of patients, prospective patients, and other data subjects.
2. Data Controller
Josh Carrington Acupuncture is the data controller and is responsible for ensuring that personal data is processed in accordance with GDPR. The practice is registered with the Information Commissioner’s Office (ICO), demonstrating commitment to data protection standards. Any questions or concerns regarding this policy can be directed to:
Josh Carrington
Josh Carrington Acupuncture
hello@joshcarrington.com
+447440400113
3. Purpose of Data Processing
Personal data is processed for the following purposes:
- To provide safe and effective acupuncture treatments.
- To manage patient appointments and maintain accurate patient records.
- To comply with legal and professional obligations.
- To respond to patient enquiries and provide information regarding services.
- To send marketing communications, if explicit consent has been obtained.
4. Types of Personal Data Collected
The following types of personal data are collected and stored:
1. Contact Information: Name, address, telephone number, and email address.
2. Health Information: Presenting complaint, relevant medical and family history, and details of treatment provided.
3. Appointment Records: Dates and times of treatments and attendance.
4. Financial Data: Payment records (if applicable).
5. Marketing Preferences: Consent for receiving marketing materials.
5. Lawful Basis for Processing
Personal data is processed under the following lawful bases:
- Legitimate Interests: For purposes such as managing patient care, record-keeping, and responding to enquiries.
- Legal Obligations: Complying with the British Acupuncture Council’s Code of Conduct and other regulatory requirements.
- Consent: For marketing purposes, with explicit consent obtained before sending newsletters or promotional information.
6. Data Security Measures
Appropriate technical and organisational measures are implemented to ensure the security of personal data:
- Patient Management and Appointment Bookings: Patient records and appointment bookings are managed through Cliniko, a GDPR-compliant platform designed for secure handling of patient data.
- Correspondence: Emails and communication are conducted through Google Workspace (Gmail), a GDPR-compliant service with security measures such as encryption.
- Payment Processing: Payments are processed through Square, which complies with PCI-DSS standards and securely handles transaction data. Full payment card details are not stored.
- Social Media and Messaging: Social media interactions and messaging with patients occur on Instagram, LinkedIn, Facebook, and WhatsApp Business. Communication is limited to basic enquiries and information sharing, and sensitive personal data is not collected or stored on these platforms.
In addition to these measures:
- All electronic records are stored on password-protected devices.
- Paper records are stored securely in locked cabinets.
- Secure methods, such as encrypted emails, are used for transferring data when necessary.
- Regular audits and reviews of data protection practices are conducted.
7. Data Retention
Patient records are retained for a minimum of seven years following the last date of treatment. For patients under 18 years, records will be retained until the patient reaches 25 years of age. Personal data that is no longer needed is securely destroyed in line with this policy.
8. Sharing of Personal Data
Personal data is treated as strictly confidential and will only be shared with third parties under the following circumstances:
- With the patient’s explicit consent.
- If required by law (e.g., a court order or safeguarding concerns).
- For the purpose of providing safe and effective healthcare (e.g., referral to other healthcare providers).
- In the event of a complaint or insurance claim against the practice.
9. Patient Rights
Patients and other data subjects have the following rights:
- The right to request access to their personal data.
- The right to request correction of inaccurate or out-of-date data.
- The right to request the deletion of personal data when it is no longer necessary.
- The right to withdraw consent at any time (where consent is the basis for processing).
- The right to object to processing based on legitimate interests.
- The right to lodge a complaint with the Information Commissioner’s Office (ICO).
10. Data Breach Procedures
A documented procedure exists for managing data breaches. In the event of a data breach that poses a risk to the rights and freedoms of individuals, the ICO will be notified within 72 hours, and affected individuals will be informed as soon as possible.
11. Review and Updates
This policy will be reviewed and updated annually, or when there are changes to the nature of data processing or legal requirements.
12. Contact Information
For questions or concerns about this policy or data protection practices, please contact:
Josh Carrington
Josh Carrington Acupuncture
674 Pollokshaws Road
Suite 4, The Cooperage
Queen’s Park Acupuncture
Glasgow, G41 2QE
hello@joshcarrington.com
+447440400113
---
Additional Sections for Online Sales:
13. E-commerce and Online Sales Policy
Josh Carrington Acupuncture utilises the Squarespace platform to offer products for sale online. When purchasing from the website, customers provide personal and financial data, which is handled in accordance with GDPR and UK e-commerce regulations.
14. Data Collected for Online Orders
In addition to the data types listed in Section 4, the following information is collected when customers place an online order:
- Order Information: Details of products purchased, order date, and delivery information.
- Payment Information: Payment transactions are processed through Squarespace Payments, which integrates with third-party payment processors such as Stripe. Full payment card details are not stored on the website’s servers; instead, transaction records are retained as required for financial and legal purposes.
15. Lawful Basis for E-commerce Processing
E-commerce data is processed under the lawful basis of Contractual Necessity (to fulfil customer orders) and Legitimate Interests (for order tracking, delivery, and customer service).
16. Data Security Measures for Online Sales
Additional measures for online sales include:
- All payment transactions are processed through secure payment gateways provided by Squarespace Payments and its partners.
- The website employs SSL encryption to secure data transmitted during online transactions.
- Third-party vendors used for processing payments are GDPR-compliant and adhere to high security standards.
17. Shipping and Order Fulfilment
Reliable third-party courier services are used to fulfil orders. Only essential personal data (such as the recipient’s name, address, and contact details) is shared with delivery partners to ensure proper delivery.
18. Returns, Refunds, and Data Retention for Online Sales
Customer data related to returns and refunds is retained for the duration required by the returns policy and applicable legal and financial regulations.
19. Marketing Preferences for Online Sales
If customers opt in during checkout, their information may be used for marketing communications, including updates on similar products or special offers. Customers may unsubscribe at any time.
---
ICO Registration
Josh Carrington Acupuncture is registered with the Information Commissioner’s Office (ICO) as a data controller, in line with UK data protection legislation.
---