Creation: September 2018
Revisions: September 2020, 2021, 2022, 2023
Revision due: September 2024
What we collect:
Wherever Sage Aesthetic processes personal data, we need to tell you our legal basis for doing so in Data Protection Law. Sage Aesthetic understands its legal basis for processing personal information in order to provide you with medical and cosmetic services as Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation. We also need to be clear of our legal basis for processing special categories of personal information, and we do that under Article 9(2)(h) of the General Data Protection Regulation. We collect patient health information for the purposes of providing each individual patient with aesthetic treatment(s) in a safe and patient-centred manner.
We collect patient contact details so that we can contact them should there be a need to make appointments, or change existing appointments.
We tell our patients what we do with their data by way of a Privacy Notice. Our Privacy Notice is shown at the bottom of this page, and is displayed in our Consulting Rooms at all times.
Why:
We require patient health information (past medical history, current and past medication, allergy information, past aesthetic treatments, risk of pregnancy information) so that we can assess each person’s suitability for the treatment planned. Some treatments can be higher risk and are therefore best avoided in certain medical conditions.
We do not knowingly treat anyone who is known to be pregnant, or thought to be at high risk of pregnancy at the time of consultation.
We collect patient contact details to facilitate appointment changes. We do not contact people for marketing purposes. We do not pass your data on to any third party for any other purpose.
Who may have access and for what purpose:
Our regulatory body, Healthcare Improvement Scotland (http://www.healthcareimprovementscotland.org), performs regular inspections of the clinic, which may at times include examination/audit of our medical notes for the purposes of quality assurance. HMRC are authorised to audit any company; they would be able to access receipt books and credit card slips, but not medical notes.
How we collect it:
Data is collected directly from you (the patient) at the time of consultation, be this face-to-face, by email, text or by telephone. No other sources of data are used. We ask for updated details at every appointment so that the information we hold is as up to date as it can be.
Where it is kept and for how long:
Data is stored in your patient notes, which exist on paper, and are stored in a locked filing cabinet. Access to this filing cabinet is restricted to Dr Morag Stewart, Dr Richard Gordon, Dr Iain Inness, other than occasional access by the statutory regulatory bodies mentioned previously (HIS and HMRC).
Patient records/notes shall be retained for a period of six years after the patient has ceased having treatment. Thereafter, patient records will be destroyed securely at the year end of the retention period.
Emails are stored in the [email protected] iCloud account with fingerprint/passcode protection, which is deemed secure by the Information Commissioner’s Office. Emails will be deleted after a maximum of six years.
Your Rights
You have legal rights about the way Sage Aesthetic handles and uses your data, which include the right to ask for a copy of it, and to ask us to stop doing something with your data. Please contact us by email at [email protected] or in writing to: Sage Aesthetic, The Farmhouse, Upper Terryvale, Dunecht, AB32 7BS.
You also have the right to make a complaint to the Information Commissioner’s Office (www.ico.org.uk). They are the body responsible for making sure organisations like Sage Aesthetic handle your data lawfully.
In the event of a data breach, we will:
• Advise the affected person(s) as soon as possible, if possible in writing.
• Advise the ICO within the required 72 hour period.
• Review our systems to understand why a problem has arisen, then make appropriate changes.
Privacy Notice Displayed in Clinic
How we use your data
When you arrange to have medical or cosmetic treatments at Sage Aesthetic, you are entering into a contract with us for those services. At a consultation and throughout the treatment process, we collect and store (process) personal information about you. We also process what’s called “special category personal information”, e.g. information about your health, so that we are clear about any relevant health or medical issues. We need to make sure we have a legal basis to do that by law. Sage Aesthetic process your data because it is necessary for us to provide you with medical and cosmetic services.
We keep a record of the personal information you provide to us to establish your safety and suitability for treatment whilst you are a client of ours, and in the event we need to contact you about your appointment. The information you give us may be shared with bodies that regulate how we provide services to you, such as Healthcare Inspectorate Scotland and the General Medical Council, but only where this is necessary to do so.
Your information is kept for 6 years from the date of your last treatment, as long as you have asked us to provide you with medical or cosmetic treatments. If you choose not to engage our services, but have made an enquiry, or attended a consultation with us, we will keep your information for 6 years from the date you submitted the enquiry or attended the consultation. We need to keep your data for this long for financial and insurance purposes.
Your Rights
You’ve got legal rights about the way Sage Aesthetic handles and uses your data, which include the right to ask for a copy of it, and to ask us to stop doing something with your data. Please contact us by email [email protected] or in writing at: Sage Aesthetic, The Farmhouse, Upper Terryvale, Dunecht, AB32 7BS.
You also have the right to make a complaint to the Information Commissioner’s Office (www.ico.org.uk). They are the body responsible for making sure organisations like Sage Aesthetic handle your data lawfully.
Our legal basis
Wherever Sage Aesthetic processes personal data, we need to tell you our legal basis for doing so in Data Protection Law. Sage Aesthetic understands its legal basis for processing personal information in order to provide you with medical and cosmetic services as Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation. We also need to be clear of our legal basis for processing special categories of personal information, and we do that under Article 9(2)(h) of the General Data Protection Regulation.