Privacy Notice
1 Introduction
Ephemeral Energy, also referred to as ‘we’, ‘us’ or ‘our’, is a sole tradership business registered to Vegard Engen in England, United Kingdom. We deliver healthcare services to the public. We value your privacy and we recognise the need to process your Data appropriately.
The purpose of this Privacy Notice is to inform you and help you understand what information (Data) we collect to be able to deliver the services at Ephemeral Energy, and how we process this information.
‘Data’ refers to the personal data that we hold about you from which, either on its own or in combination with other data, you can be identified. A list of what data we collect is set out below.
Processing means doing anything with your Data, such as collecting, recording or holding the Data as well as disclosing, destroying or using the Data in any way.
We will be processing your Data under the current Data Protection Act 1998 (DPA) until 24 May 2018 and then under the General Data Protection Regulations (GDPR) from 25 May 2018.
We keep this Privacy Notice under regular review and it may be amended from time to time. This was last updated 17th May 2018.
2 What personal data we are processing
As a healthcare business, we collect and process the following categories of data:
- Personal data such as an individual’s name, address, date of birth, gender and contact details
- Special category of personal data about clients’ health
If you are a visitor to the Ephemeral Energy website, no personal data is collected or processed about you. For more information on this please see the terms and conditions of using the Ephemeral Energy website, which includes information about your privacy and the use of cookies: https://www.ephemeralenergy.com/termsandconditions/
If you are a client, we collect and process the following Data about you:
a) Consultation records
  - Name, gender, address, email address, phone number, date of birth, next of kin, General Practitioner (GP) details
  - Lifestyle factors that may affect your health such as occupation, hobbies, diet and stress factors
  - Medical diagnoses, medication, operations, allergies
  - Accidents and physical/emotional trauma
  - Things that may affect the nervous system such as scars, piercings, tattoos and insertions
  - Details of reasons for seeking treatment, e.g., physical issues and relevant history
  - Health records from other healthcare practitioners, if provided
b) Treatment records
  - Pseudonymised identifier
  - Follow-up comments on outcomes of past treatments (if applicable)
  - Information about how you are feeling before the treatment
  - Specific treatment notes, e.g., the type of treatment performed and what we found during the treatment
  - Post-treatment notes, e.g., comments on how you felt afterwards and any recommended homework
  - Other comments relevant to your health and wellbeing, e.g., information shared about outcomes or advice from other healthcare professionals
c) General communication and follow-up (especially if done via electronic mediums)
  - Scheduling and confirming appointments
  - Sending confirmation of homework (if applicable)
  - Treatment follow-ups and feedback
d) Financial records
  - Name and contact details
  - Type of service and cost
e) Records of information requests (see Section 8)
  - Name and contact details
  - Date, purpose, justification and details of data requested
f) Photos from public or arranged events
g) Testimonials, quotes and reviews
Points e) to f) are typically rare occurrences and only apply to a small subset of people based on informed consent. Finally, non-personal data may also be collected and processed, such as anonymous feedback surveys and case studies.
3 Where we get your personal data from
We obtain your Data directly from you. This includes any Data you implicitly share by contacting us via phone, email, and social media, which would reveal details such as your name, phone number, email addresses and other social media profile information you make available.
With your permission, we may also obtain Data about you from other healthcare providers.
4 Why we are processing your personal data
Collecting and processing personal data is required for the core business functions at Ephemeral Energy in order to provide healthcare services. It is also a legal requirement, which we will discuss further below in Section 5.
As noted above in Section 3, points f) and g), some personal data may also be collected and processed with your informed consent for marketing purposes in order to raise awareness and promote the services at Ephemeral Energy.
5 Data retention
Client records and communications about treatments are retained for 7 years after the last treatment, or 7 years after a client has turned 18 if they were under age when they had their last treatment. This is a condition of the insurance policy (with Balens Ltd) that is required for practising as a healthcare business.
Financial records are kept for 5 years after the 31 January submission deadline of the relevant tax year. This is a legal requirement as a UK business registered with HMRC.
6 How we are keeping your data safe and secure
Client records and financial records in hard copy form are kept in a locked filing cabinet.
We also keep some Data in electronic form, including the use of secure 3rd party services: Dropbox and Evernote. These services fulfil strict privacy and security requirements, participate in the EU-U.S. Privacy Shield framework and offer encryption of Data both at rest (when data is stored) and when it may be transferred. Additional risk mitigation is employed by means of password protection, pseudonymising personal details (e.g., no names and gender references) and minimising data stored electronically. Client consultation forms, which contain the most sensitive personal information, are only stored in hard copy form.
We may also get your personal data from you if you communicate with us via 3rd party services, such as Facebook, Twitter, LinkedIn and WhatsApp. You are expected to familiarise yourself with the terms and conditions, and privacy and security notices of such services, and be aware of what information may be considered private (such as private messages on Facebook Messenger and WhatsApp) and public (commenting on Facebook posts, Tweets or LinkedIn posts).
Email communication with any address that is part of the @ephemeralenergy.com domain (e.g., [email protected]) is encrypted during transit. Clients also have the option to use an email address served by ProtonMail that is encrypted at rest as well: [email protected]
Any use of the Ephemeral Energy website is also secured by SSL encryption. This includes services hosted on the Ephemeral Energy website such as surveys for taking client consultation and feedback.
7 Sharing your data
Your data will not be shared unless you give informed consent or there are exceptional circumstances such as threat to life.
A typical scenario where you may be asked to consent to sharing your Data is when you receive treatment from multiple practitioners. In this case, Data sharing could come in the form of us speaking with the other practitioners/care givers to understand the care you are given and any advice they may offer from their perspective. Similarly, you may consent to information about the care you receive at Ephemeral Energy being shared with them.
There are exceptional circumstances where personal Data may be shared without your informed consent. As noted above, this may be if there is a serious perceived threat to your health/life or that of somebody else. The General Medical Council provide more information about this, which you can access online: https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality/disclosures-for-the-protection-of-patients-and-others
As a professional member of the UK Reiki Federation, the code of ethics and professional practice we adopt also provides some more information on exceptional circumstances where your Data may be shared without your consent (Section 5.4 and Appendix 2): https://www.reikifed.co.uk/regulation/code-of-ethics-and-professional-practice/
Non-personal data may be shared with other professional practitioners in order to get advice on improving the care offered to you. For example, getting advice on treating a specific condition.
8 Accessing your data
Under the GDPR you have the right to access Data held about you. You can raise a request via this online form: https://www.ephemeralenergy.com/privacy/subject-access-request/
Please allow up to 7 days to process your request, depending on how complex it is. Simple requests will be dealt with much quicker.
9 Contacting us
If you have any questions about this Privacy Notice, please don’t hesitate to get in touch. You can do this by emailing [email protected] or using the contact form on our website: https://www.ephemeralenergy.com/contact/
If you are dissatisfied with any aspect of the way in which we process your personal data please contact our Data Privacy Representative. You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website which is https://ico.org.uk/concerns/, by live chat or by calling their helpline on 0303 123 1113.
Vegard Engen, trading as Ephemeral Energy, is registered with the ICO, number: A8293990.