Privacy Notice for Diana Alejandra Pinzón Ocampo

This Privacy Notice was last reviewed in January 2024.


As a complementary therapist, I am committed to protecting and respecting your privacy. This notice outlines how I collect, use, and protect your personal data in accordance with the Data Protection Act 2018, UK General Data Protection Regulation (GDPR), and Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

I am registered with the Information Commissioners Office (ICO) under the number: C1435963

This privacy notice informs you of how I handle your personal information from initial point of contact until the end of your therapy with myself and afterwards, including:

  • What personal information is collected

  • The purposes of processing your personal information

  • The legal basis for processing your personal information

  • Third party recipients of personal data

  • The period for which personal data is retained

  • Your rights to personal data

  • How to contact the authority if you have concerns

 

What personal information, ‘personal data,’ is collected and for what purpose

The details collected at the time of your initial contact with myself at counselling@unit12 will be used throughout the counselling relationship to communicate with you in relation to appointments. As a reminder, these details include: your name, preferred contact, i.e. email address or telephone number, your availability and reasons for seeking counselling

If you decide to proceed further, then further information such as your address, emergency contact, GP details will be collected in a personal information sheet together with a signed copy of this Privacy Notice and a signed Working agreement/Contract as part of the registration process and to ensure that the arrangement and work together can be carried out.  If you decide not to proceed, I will ensure all your personal data is deleted within one week of receipt of you confirming this. If you would like me to delete this information sooner, just let me know.

 

My legal basis for holding and using (processing) your personal information

The GDPR states that I must have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which I am processing your data. If you have had therapy with me and it has now ended, I will use legitimate interest as my lawful basis for holding and using your personal information. If you are currently having therapy or if you are in contact with me to consider therapy, I will process your personal data where it is necessary for the performance of our contract. The GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is that it is for provision of health treatment (in this case Complementary/Massage Therapy) and necessary for a contract with a health professional (in this case, a contract between me and you).

 

How I store and use and your information

Storage of your personal data

I will keep a record of your personal data, i.e. your name, address, email and telephone contact details, dates attended and brief notes in regard to your physical condition that is relevant to our Complementary/Massage therapy to aid memory about the work, as is standard professional practice. These details are kept securely in a lockable cabinet during the work and for maximum of one year following ending therapy, after which they are destroyed securely. If you want me to delete your information sooner than this, please tell me. 

Your GP details are held so that they may contacted in the event that you are considered to be at risk.  

Details of someone you wish to be an emergency contact are held in case anything happens to you within our session, such as serious illness and it is considered that someone needs to be contacted to support you beyond the session. It is important that this person is someone that is aware that you are having Complementary/Massage therapy as this will become apparent if I need to contact them.

Use of your personal data

Your personal contact data is used for initial contact and arranging sessions. 

While you are accessing counselling, rest assured that everything you discuss with me is confidential. That confidentiality will only be broken if the law requires me to. I will always try to speak to you about this first, unless there are safeguarding issues that prevent this. 

There are times when it may be necessary to share your name, date of birth and address in order to safeguard you or someone in your care in an emergency situation. These are as follows: 

Your name and date of birth would be shared with your GP to identify you if they are contacted in the event that you are considered to be a risk.   

Your name and address may be shared with the emergency services in the event that you or someone in your care is at risk. 

If it is considered necessary to contact your emergency contact your name will be shared with this person for the purposes of identifying you to them in the context of them as your named emergency contact.

 

Third party recipients of personal data

Sometimes your personal data may get shared with third parties, for example, where you pay by bank transfer, your details will be shown as a transaction on a statement. I have done everything I can to check that such third parties are also data protection compliant.

 

Your rights

I try to be as open as I can be in terms of giving people access to their personal information. You have a right to ask me to delete your personal information, to limit how I use your personal information, or to stop processing your personal information. You also have a right to ask for a copy of any information that I hold about you (with notice of 30 days) and to object to the use of your personal data in some circumstances. You can read more about your rights at ico.org.uk/your-data-matters. If I do hold information about you I will:

• give you a description of it and where it came from

• tell you why I am holding its, tell you how long I will store your data and how I made this decision

• tell you who it could be disclosed to

• let you have a copy of the information in an intelligible form. You can also ask me at any time to correct any mistakes or amend the personal information I hold about you.

To make a request for any personal information I may hold about you, please put the request in writing addressing it to Diana Alejandra Pinzón Ocampo at dapoarttherapy@gmail.com.

If you have any complaint about how I handle your personal data please do not hesitate to get hold of me by writing or emailing to the contact details given above. I would welcome any suggestions for improving my data protection procedures. If you want to make a formal complaint about the way I have processed your personal information you can contact the ICO which is the statutory body that oversees data protection law in the UK. For more information go to ico.org.uk.

 

Data security

I take the security of the data I hold about you very seriously and as such I take every effort to make sure it is kept secure. 

I store the vast majority of my records in paper form. Paper records, such as signed working agreements or session notes will be stored in secured filing cabinets contained in areas with access restrictions. 

Electronic records, such as your contact details, are stored in a number of different systems. As far as it is reasonably practical, these systems have been carefully selected on grounds of the security they enforce. All systems are set up with unique usernames and strong password combinations and utilise access controls to restrict unauthorised access.

 

Your rights relating to your personal data 

Your personal data belongs to you. As a client, you are entrusting your personal data to me, so that I can provide you with the therapeutic help that you are seeking, but you retain certain rights over your data and how it is used. 

Below are a list of your rights and how you can exercise them.


The right to be informed

This is your right to know how and why your data is being collected and used by me. We hope that this Privacy Notice provides you with that information. Should anything be unclear though, please do not hesitate to contact me.


The right of access

You have a right to know what data I hold on you. As the controller of your data, I am required to respond to any request that you make to see the data I hold within 30 days of you making such a request. This is commonly referred to as a Data Subject Access Request. If you would like to see the data I hold on you, please contact me. 

Please note, while it may sound contradictory, to properly protect your privacy, I may be required to request additional personal data to verify your identity before providing the personal data to you if you email us with a data subject access request. This is in an effort to stop other people claiming to be you from getting access to your personal data.


The right to rectification

You have the right to ensure that any personal data that you have provided me with is correct. As such, if your circumstances change, for example you get a new contact telephone number, or wish to change your preferred method of contact from telephone to email, please do provide me with the up-to-date information and I will correct my records immediately. 

Please note, there may be circumstances when I am not required to follow up on you exercising your right for rectification. Full details about this right can be found here:
https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected


The right to erasure

This right allows you to ask me to delete the personal data I hold on you. However, there are certain instances when I would not be able to honour your request, including those were I am under a legal obligation to retain the data, for instance the HMRC requirement for my financial records to be held for 5 financial years. 

Also, please note, while you are actively engaged with the Complementary/Massage Therapy work, I would not be able to delete the personal data that I hold on you, as this is required by me to fulfil our side of the working agreement.


The right to restrict processing

Related to your right to erasure, you have a right to restricting how I use the personal data that you have provided me with. This right is closely linked to your right to erasure, and also has some restrictions as to when it can be exercised. 

If you would like more information about this right, you can find some here:
https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data


The right to data portability

Should you wish to move from working with me to another therapist, you have the right to request that I make the personal data I hold on you available in a format that easily accessible and machine-readable. Specifically, this right applies to data I hold electronically. 

Should you wish to exercise this right, please do let me know.


The right to object

Another right that is similar to both the ‘right to erasure’ and the ‘right to restrict processing’ is your right to ask me to stop using your data at any time. 

This again does only apply in certain circumstances, so please do contact me to discuss exercising this right. Also, you can find additional information here:
https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data


Rights in relation to automated decision making and profiling

I do not profile you or make any automated decisions regarding you in any way. As such, while this is a right you have, it does not apply to the services I provide.

 

How to contact the authority if you have concerns

If you have any concerns around the use of your personal data, I would prefer it is you would address these with me first. You can either contact me by email at dapoarttherapy@gmail.com or, if you are a current client, you can speak to me. 

However, if you do not feel that I am providing you with a satisfactory response, you are also entitled to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
You can contact the ICO via their website: https://ico.org.uk

 

My contact and registration details

Name: Diana Alejandra Pinzón Ocampo

You can contact me by Email: dapoarttherapy@gmail.com or Telephone: 07827507188 

Information Commissioners Office (ICO) registration number: C1435963

Availability & Location

Sessions available 7am – 9pm weekdays

Based in unit 12, Winnall Valley Road, Winchester, SO23 0LD