Data Protection Procedures for DTMC.

Obtaining and storing data.

What data is held?

  • Names 
  • Address
  • Date of Birth
  • Phone no
  • Email
  • Doctors details
  • Next of Kin
  • Medical History
  • Medical ref flags
  • Treatment notes
  • Relationship data
  • Browsing data


Why is this data held?

  • Name: Client identification
  • Address: for health insurance claims (address needs to be on receipt); identification;safery of practitioner; address to send them home if something hapens; if a solid relationship, to send Christmas card.
  • Date of birth; identification, i.e. for occasions when we have duplicate names. This is especially helpful for online bookins, to indicate if a duplicate profile has been created for an individual.
  • Phone; to send reminder texts the day before, to keep cancellations and no shows to a minimum; in case we need to contact them to cancel due to illness, etc.
  • Email; to send receipts and appointment confirmations. Only requested when clients book through an online system or for some specific reason, ie forwarding information. It is never added to any marketing list. 
  • Doctors details: if clients present with serious medical issues, in which case we may liaise with the GP or specialist.
  • Next of kin: taken only in the case of children (with signed consent from parent of gaurdian and their presecnce in the room) and vulnerable adults.
  • Medical History; To help our therapists understand what the client is presenting with on a given day, so a decision whether treatment is appropriate or not can be made, and to carry out any treatments in a safe way. We ask for a baseline level of detail as seen on our consultation chart initially and work off the extended consultation chart to seek clarification where there is a more complex medical history.
  • Medical red flags: this is taken from our paper records and oted in a highlighted area on pur system, to ensure whoever is seeing the client on a particular day is reminded and proceeds to treat appropriately. No details are given here. 
  • Treatment notes: our record of what happened during any contact with clients.
  • Relationship data: record of other clients whom you have informed us you have intimate relationships with, to help us provide a complete service. Records of who you may have referred you or you them, to help us understand and improve our marketing and services. 
  • Browsing data: through cookies and google analytics to help us understnad how people use our website so we can identify issues and improve our service here. 

Who is the data controller?

Name in organisation or if individual, then you.


How was the data obtained?

Primarily, the data we hold is obtained during face to face consultation with clients. We go through a consultation form with them and discuss their presenting problem, expanding our questions as necessary to understand. 


On the original booking, we will obtain a name and phone no by phone of if the booking is through our online system, we will look for date of birth and email address. 


Why was the data originally gathered?

Name, phone, email and date of borth are gathered at time of booking to secure booking, letting us kow who is coming in anhow to contact them with reminder text or should we need to cancel due to unforeseen circumstances. 


Where is the data stored? 

On our computer, we hold client name and our chart no for their records, for accessibility only, especially if internet goes fown or our online system is offline. 


On our online booking system, we hold client name, our chart no, address, phone no, email if we have it, medical red flags if any, who referred them if relevant, clients who are related if any 

on our paper records, we hold client name, our chart no, address, phone no, medical history and treatment notes, and reports received from client in relation to their condition and any letters we have sent to them or on their behalf at their request. 


 Browsing data is held by Google Anayltics


How secure is the data; encryption and accessibilty?

We use a cloud-based online booking system to track and take bookings. This has extensice encryption security built into it and has been expanded with the GDPR 2018.


When we are not at the desk, the computer screen is locked and needs a password to access. This password is known to therapists in the clinic only and is recorded in a book that is kept in a locked safe and can only be accessed by clinic owners. 

Names, address, phone no, email and date of birth are stored on this booking system, as well as their payment history and appointment schedule. 

These and all other details, i.e. medical history, treatment notes, etc. are kept manually in a locked filling cabinet in a locked room. Access to this room is for clinic staff only and access to the filling cabinet is further restricted. The key to the cabinets is kept in the safe and can only be accessed ny clinic owners. 

CLient record charts in use each day are kept in a folder that is with the therapist at all times and is not left lying around around in view of a client. 

Newly filled out records charts are put in a seperate folder and locked into the filling cabinet at the end of each working day, awaiting processing, at which point they can be filed away with the rest. 

Phones and devices used to take calls or access cloud-based online booking systems are kept locked by passwords and not left accessible to unauthorised people. 

Is the data shared with 3rd Parties and on what basis?

We use a cloud-based booking system to provide our services. This company books appointments, stores and processes all transactions, emails appointment confirmations, receipts and account statements. Please view their privacy policy. 

We also use PayPal, please view their privacy policy.

How long shall the data be retained?

Our insurance providers require us to retain all records for a period of 7 years after the last appointment, or in the case of minors, for 7 years after their 18th birthday. 


                                               AMENDING DATA

Amending incorrect data

A change of name, address, phone no, email, doctor, etc, is done by the owner/manager of the clinic. Once the change needed has been brought to their attention directly by a client, or by another therapist on behal of a client, the data will be updated on the online booking system straigh away. Their paper records will be pulled and the update will be made to this file also. 

Transferring data

Upon receiving a request from a client to transfer data to another therapist, solicitor, medical professional, the paper records including all medical history and treatment history will be sent by registered post, with no amendments, to the address provided by the client. The client must sign consent to this transfer, which stated the date, the name and address of the recipient and acknowledgemtn of permission to send. This will be kept in place of their original records, with name, date of birth and address until the allocated time has passed, in which case it will be destroyed. 


Destroying data

Data will only be destroyed after the allotted time frame as quoted above. 

The online booking system can fully delete any details. The client records i question will be archived as per their system and then deleted completely.

The record of client name and chart no. listed on our computer will continue to be listed with a highlighted note indicating the date of its destruction

The paper record will be removed and shredded on site. These are brought home in 2 seperate bags one at a time, to burn in a fire, checking that all paper is properly burned and that nothing is remaining.



              Obtaining Data and consent to hold data

How is data obtained?

  • Clients make contact with us to book a treatment.
  • Once it is determined appropriate to book a treatmentm basic details are recorded on our online system only. If the booking is taken in person,by email or by phone, name and phone number is akk that is asked for. If the booking is done by the individual through our online system, they are asked for name, phone no, email and date of birth. 
  • At no point do we chase a client for details without them initiating the contact.
  • We will not secure a booking without a name and phone no.
  • During the initial session with a new client, a full consultation form is gone through and filled out. At this point it is explained to clients the purpose of the data required. They can refrain from giving us an address, email, doctors details, next of kin, date of birth if they prefer and are not a child or vulnerable adult; however we will not proceed with treatment without name, phone no or medical history.
  • They must sign consent to treatment and to data retention at this point. 
  • Browsing data is obtained by their use of our website. 


                                       Data breaches

What is a data breach?

A data breach is when our online system has been accessed at the core or if our account has been accessed at our level or if a person has got access to our premises and there is evidence or a risk of data being copied, accessed, destroyed or remived from our premises.

How to identify a data breach.

  • Most systems online are so locked down that cybercriminals are looking for human error to access data.
  • They are looking for card details and identity theft.
  • They are getting in through administrative access.
  • Half or more small to medium sized businesses are hacked at some point and nearly three-quarters of these are unable to restore all information.
  • Card breaches are identified when clients all begin reporting fraudulent charges on their accounts coming from our payment facilty. Please see 'Card Security Fraud Prevention' for more.
  • Physical break-in; be on the look-out for tampering signs at the door and windows accessing the premises, the internal doors, the safe and the cabinet where documents are stored.
  • Online breaches have a number of signs that you can look out for.
  • On your computer, look for unusually slow internet/computers - sign it may be exporting a lot of data.
  • Look for high CPU cycle, memory usuage or hard disk activity - sign it may beexporting a lot of data. 
  • Is your computer tampered with, not on/off as you left it?
  • Are there new/moved/deleted files?
  • Are there pop-ups and redirected websites while browsing (lot of advertisements) - your malware is trying to get you to slip-up and grant access.
  • Locked out of accounts on first passwords entry - someone else has been trying/succeeded in getting access.


What to do if there has been a data breach

Fill out a Data Breach incident form asap and let the data controller know, who will then do the following.

Within 72 hours (legal obligation or face a fine) of knowing something has happened, get in touch with the Data Protection Commissioners referring to the Data Breach form. 

Consider if clients affected need to be notified (risk of identity theft, card fraud or breach of confidentiality), so that they can take appropriate measures to mitigate the effects to their property, person or reputation. Notifying data subjects is a remidial measure intended to redress the balance and restore some measure of knowledge and control. Let them know who to contact in our organisation for more details. 

3rd parties may need to be contacted to help; i.e An Garda Siochana, the financial istitutes

Keep a diary of any data breaches or suspected data breaches


support by © The Irish Association Of Craniosacral Therapists(IACST)
follow us on Facebook |follow us on Instagram |Privacy Statement | The Irish Association Of Craniosacral Therapists(IACST)