Data Protection Policy

Organisation

Ratnarajah Medical Services Limited trading as Extracellular Wellness

Scope of policy

Extracellular Wellness clients.

Policy operational date

01/01/2025

Policy prepared by

Ratnarajah Medical Services Limited

Policy review date

01/01/2028

Introduction

Purpose of policy

To:

comply with the law

follow good practice

protect clients, staff and other individuals

protect the organisation

Personal data

Client notes

Demographics including email addresses

Policy statement

A commitment to:

comply with both the law and good practice

respect individuals’ rights

be open and honest with individuals whose data is held

provide training and support for staff who handle personal data, so that they can act confidently and consistently

Notify (see notes) the Information Commissioner voluntarily, even if this is not required.

Data Protection Officer

Drs Niruban Ratnarajah and Maria Ratnarajah.

Their responsibilities include:

Briefing new staff on data protection

Reviewing Data Protection and related policies

Ensuring that Data Protection induction and training takes place whenever someone is hired

Notification (see notes)

Handling subject access requests from clients wanting to access or delete their data

Approving unusual or controversial disclosures of personal data

Approving contracts with Data Processors such as external payment processors, or mailing software like MailChimp (see notes)

Staff & volunteers

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. (From now on, where ‘staff’ is used, this includes both paid staff and volunteers.)

Enforcement

Breaches of the Data Protection and related policies will normally be dealt with through the disciplinary process. Personal data breaches that are likely to result in a risk to individuals will be reported directly to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, as the UK GDPR requires.

Confidentiality

Scope

Data that is confidential, but may well not be subject to Data Protection, includes:

Information about your clients

Information about their children or extended family

Information which is not recorded, either on paper or electronically, such as their emotional condition or aspects of their lives which are private and only revealed to you

Information that may be private and / or embarrassing to them

Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a “relevant filing system” in the Data Protection Act

Communication with Data Subjects

Clients, staff and other Data Subjects will be informed about confidentiality via the Extracellular Wellness website.

Data recording and storage

Storage

Data will be stored digitally using a compliant clinical recording system.

Retention periods

Data will be held in line with current guidance.

Subject access

Responsibility

Extracellular Wellness will ensure that subject access requests (see notes) are handled within the legal time limit, which under the UK GDPR is one month from receipt of a valid request (extendable by up to a further two months for complex or numerous requests, provided the requester is told of the extension within the first month).

Procedure for making request

Subject access requests must be in writing.

Transparency

Commitment

Data Subjects will be made aware that their data is being processed, and:

for what purpose it is being processed

what types of disclosure are likely, and

how to exercise their rights in relation to the data

Notes

Data Controller

The Data Controller is the legal ‘person’ responsible for complying with the Data Protection Act. It will almost always be the organisation, not an individual staff member or volunteer. Separate organisations (for example a charity and its trading company) are separate Data Controllers. Where organisations work in close partnership it may not be easy to identify the Data Controller. If in doubt, seek guidance from the Information Commissioner.

Data Processor

When work is outsourced, which involves the contracting organisation in having access to personal data, there must be a suitable written contract in place, paying particular attention to security; Article 28 of the UK GDPR sets out the terms such a contract must contain. The Data Controller remains responsible for any breach of Data Protection brought about by the Data Processor.

Fair processing conditions

Schedule 2 of the Data Protection Act 1998 laid down six conditions, at least one of which must be met, in order for any use of personal data to be fair; Article 6 of the UK GDPR now sets out the same six lawful bases. These are (in brief):

With consent of the Data Subject

If it is necessary for a contract involving the Data Subject

To meet a legal obligation

To protect the Data Subject’s ‘vital interests’

In connection with government or other public functions

In the Data Controller’s ‘legitimate interests’ provided the Data Subject’s interests are not infringed

Health information, such as client notes, is special category data and additionally needs one of the conditions in Article 9 of the UK GDPR (formerly Schedule 3 of the 1998 Act), for example the Data Subject’s explicit consent or the provision of health care.

Notification

Under the Data Protection Act 1998 all Data Controllers had to consider whether they were exempt from Notification. If they were not exempt, they had to Notify, which meant completing a form for the Information Commissioner and paying a fee of £35 a year. Since 25 May 2018 Notification has been replaced by an annual data protection fee, payable to the Information Commissioner’s Office unless an exemption applies, with the amount set in tiers by the Data Protection (Charges and Information) Regulations 2018. The old Notification form covered:

The purposes for which personal data is held (from a standard list) and for each purpose (again from standard lists):

The types of Data Subject about whom data is held

The types of information that are held

The types of disclosure that are made

Any transfers abroad

There is probably no need to mention the details of the organisation’s Notification in the policy. The Notification entry has to be reviewed each year, and may have to change if the organisation changes its processing in significant ways.

Subject access

Individuals have a right to know what information is being held about them. The basic provision is that, in response to a valid request (including the fee, if required; under the UK GDPR a fee may be charged only where a request is manifestly unfounded or excessive), the Data Controller must provide a permanent, intelligible copy of all the personal data about that Data Subject held at the time the application was made. The Data Controller may negotiate with the Data Subject to provide a more limited range of data (or may choose to provide more), and certain data may be withheld. This includes some third party material, especially if any duty of confidentiality is owed to the third party, and limited amounts of other material. (“Third Party” means either that the data is about someone else, or someone else is the source.)