PRIVACY POLICY and NOTICE

Your privacy and the protection of your personal data are important to Synthesis Clinic.  The goal of the new GDPR framework is to make sure that we deal with your data in a lawful and transparent manner and that we take steps to ensure that your data are adequately protected.

This Privacy Policy is a notice to explain to you how Synthesis Clinic will collect your data, use your data and store it. It also lays out who your data may be shared with and how you can request that your data be updated and deleted.

How we obtain your personal data

You provide us with personal data in the following ways:

-       By completing any clinic questionnaire

-       By signing a terms of engagement form

-       During a consultation

-       Through email, over the telephone or by post

-       By taking credit card and online payment 

This may include the following information:

-       basic details such as name, address, contact details and next of kin

-       details of contact we have had with you such as referrals and appointment requests

-       health information including your previous medical history, dietary, lifestyle, supplement and medicine details, biochemical test results, clinic notes and health improvement plans

-       GP contact information

-       Bank details

We use this information in order to provide you with direct healthcare.  This means that the legal basis of our holding your personal data is for legitimate interest.

Legitimate interest

Your Personal Data is held and processed on the lawful basis that such action is in the legitimate interest of the company in pursuing the purposes described. This has been considered through the use of a legitimate interest assessment which does not outweigh risks to the rights, freedoms and interests of you as the Data Subject.

The purpose of collecting your Personal Data is to provide health and wellbeing services to you. Personal Data is collected and used for the purpose of delivering the services you have requested from Synthesis Clinic and/or the practitioners contracted with Synthesis Clinic as Data Controllers.

We have adopted a “Privacy by Design” approach to your personal information, meaning that, to the best of our ability, we will employ state of the art means of collecting, storing, and transmitting your data, with a view to promoting privacy and data protection from the outset.

We use the services of Data Processors, who are contracted by Synthesis Clinic. In respect of legitimate interest, our 2019-2020 Data Processor is Red Guava Pty. Ltd, who own and operate Cliniko, our practice management application and service platform. Our 2021 Data Processor will be Swandoola Ltd, our new practice management application and service platform.

Please note that we are transitioning our services to be within the UK and EU. In 2019-2020 the data we hold is backed up to Cliniko servers in Australia outside of the EU. The Living Matrix data we hold is stored in the US. From November 2020 and into 2021 our previous providers (Cliniko and the Living Matrix) will be asked to provide archived records to us that will be securely stored on offline drives at the offices of Synthesis Clinic with active files uploaded to the new Swandoola system, the servers for which are based in the EU.

How we use your personal data

We act as a data controller for use of your personal data to provide direct healthcare.  We also act as a controller and processor in regard to the processing of your data from third parties such as testing companies and other healthcare providers.  We act as a data controller and processor in regard to the processing of credit card and online payments.

We undertake at all times to protect your personal data, including any health and contact details, in a manner which is consistent with our duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection. 

We will also take reasonable security measures to protect the storage of your personal data.

We may use your personal data where there is an overriding public interest in using the information e.g. in order to safeguard an individual, to prevent a serious crime and where there is a legal requirement such as a formal court order. We may use your data for clinical audit, education and marketing purposes, such as newsletters, but this would be subject to you giving us your express consent. You will receive a separate GDPR information consent form to complete. You may opt out at any time.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with password protection and/or encryption (which masks data so that unauthorised users cannot see or make sense of it). We ensure that all our staff operate the clinical system with 2FA (two-factor authentication) in place. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Sharing your personal data

Synthesis Clinic and its practitioners use your Personal Data for legitimate interest to provide health and wellbeing services for you.

Within the health sector, we have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare. We will protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

Please note that information will be shared within the clinic between staff as necessary for the purposes of providing safe and effective care. We will ask for your explicit consent to share any information outside the clinic with your NHS or other private care providers.

We do not sell or trade your Personal Data to others. 

Our website also uses cookies and collects IP addresses. An IP address is a number that can uniquely identify a specific computer or other device on the internet. This non-personal identification data may be collected whenever you interact with our website and may include technical data about your browser, type of device used, operating system, Internet service provider, and other similar data. For more information on this see our cookie policy.

Swandoola (swandoola.com), which is our practice management system, also collects certain standard information about your computer for security and identification purposes. This information may include IP addresses, domain names, access times, cookies and other unique identifying information of machines that have our software downloaded and installed on them. This information is used for the operation of the service, to identify and protect our customers and to control unauthorised use or abuse of our services. All information is encrypted during transmission and is stored securely within our servers. You are strongly encouraged to use two-factor authentication with the Swandoola web portal or app where possible to ensure the security of your personal data.

We use Google Analytics to track visits to the site. More information about Google Analytics can be found on the Google Analytics website.

If you would like detailed information from Get Safe Online on how to protect your Personal Data and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org.

Your rights

You have the right to determine how your data is collected and used by us. In particular:

·       Your personal information can only be held on valid bases, such as your consent, and our contractual obligation to provide services to you.

·       You have the right to know whether or not we are processing your personal information.

·       You can request that your personal information be sent to you in electronic format.

·       You have the right to restrict the purposes for which we may use your personal information.

·       You have the right to request that incorrect information about you be rectified.

·       You have the right to request that your personal information be erased, also known as the “right to be forgotten,” subject only to imperatives of public policy specified in the GDPR (Art. 17.3), or to our own specific needs concerning legal obligations or claims.

You can exercise your rights at any time by contacting us. If you consented to us collecting and/or processing your personal information but change your mind, you can get in touch with us to request that we erase the personal information that we hold about you.

Contact information

If you have any questions or concerns regarding any aspect of this policy, wish to find out what data we hold about you, or would like to request the erasure of your personal data, please contact us using one of the methods outlined below.

Synthesis Clinic – hello@synthesisclinic.co.uk, 023 8017 8340