Privacy Policy

Read our Privacy Policy

101 Harley Street – Confidentiality and data protection Policy

1.1 L’Atelier Aesthetics independent healthcare service is fully committed to complying with the Data Protection Act 1998 which came into force on 1 March 2000.

1.2 It is important that L’Atelier Aesthetics protects and safeguards patient-identifiable (or person-identifiable) and confidential business information that it gathers, creates, processes and discloses, in order to comply with the law, and to provide assurance to patients who use the healthcare services on offer.

1.3 All employees of L’Atelier Aesthetics are bound by a legal duty of confidentiality to protect personal information they may come into contact with during the course of their work.

1.4 This policy sets out the principles that must be observed by all staff who work within L’Atelier Aesthetics and have access to person-identifiable information or confidential information.

1.5 All members of staff need to be aware of their responsibilities for safeguarding confidentiality and preserving information security.

1.6 Respect for confidentiality is an essential requirement for L’Atelier Aesthetics as an independent healthcare provider.

2. Data protection

2.1 The ease with which personal information can be passed L’Atelier Aesthetics – often electronically – is a benefit for patients and for those involved in their care and treatment. However, all staff need to be aware of their legal responsibilities under the Data Protection Act to protect the confidentiality of patient information, and other information relating to the business activities of L’Atelier Aesthetics.

2.2 Personal information on staff is also protected by the Data Protection Act. The Act affords members of staff the same rights of protection for, and of access to, their personal information held by L’Atelier Aesthetics.

2.3 The term ‘person-identifiable information’ refers to information relating to any identifiable individual and it is important to be aware that healthcare information is considered in the Data Protection Act to be ‘sensitive information’ requiring the highest levels of care and protection.

2.4 L’Atelier Aesthetics fully supports and complies with the principles of the Data Protection Act. In summary, this means personal information must be:

processed fairly and lawfully
processed for limited purposes and in an appropriate way
adequate, relevant and sufficient for the purpose
accurate and up-to-date
kept for as long as is necessary and no longer
processed in line with individuals’ rights
secure and protected against unlawful access, loss or damage, and  only transferred to others that have suitable data protection controls.

2.5 Everyone working for L’Atelier Aesthetics who records, handles, stores or otherwise comes across information, has a statutory duty under the Data Protection Act, along with a duty of confidentiality in common law, to patients and to L’Atelier Aesthetics as an employer.  These duties apply equally to staff who are permanent or temporary, full or part-time, agency or bank staff, staff who have been granted practising privileges, students or trainees, volunteers, or to staff on temporary placements.

2.6 L’Atelier Aesthetics will follow procedures to ensure that all employees, contractors, agents, consultants and other relevant parties who have access to any personal information held by, or on behalf of L’Atelier Aesthetics, are fully aware of and abide by their duties and responsibilities under the Act.

3. Roles and responsibilities

3.1 The Medical Director The Medical Director has overall responsibility for maintaining confidentiality within L’Atelier Aesthetics and ensuring that this policy is complied with by all staff. This responsibility may be delegated to a senior member of staff.

3.2 All members of staff All staff have a responsibility to protect the personal information held by L’Atelier Aesthetics.

Each member of staff will be expected to take steps to ensure that personal data is kept secure at all times and protected against unauthorised, unlawful or accidental loss, damage or disclosure. This applies to all personal identifiable information held in all formats, whether is it in patients’ healthcare records or staff employee files, or in any other format such as diaries, message books, notebooks, appointment books, emails and other notes held about individuals.

In particular staff must ensure that:

they are appropriately trained and knowledgeable in the handling of personal information
paper files and other records or documents containing personal/sensitive data are kept in a secure environment
where they are required to take personal information away from the L’Atelier Aesthetics premises as part of their work, including information held in all formats, this should be held securely at all times and everything possible done to safeguard against unauthorised access or accidental loss or damage
personal information is transferred securely at all times, whether it is being sent electronically or by surface post
personal data held on computers and computer systems is protected by the use of secure passwords, and  all relevant policies are adhered to when processing personal data to ensure adequate levels of protection are maintained.  Where staff, as part of their L’Atelier Aesthetics responsibilities, collect, hold and process information about other people, they must comply with this policy. No-one should disclose personal information outside this policy or use personal data held about others for their own purposes.  All healthcare professionals practising within L’Atelier Aesthetics have professional and ethical duties of confidentiality within their respective codes of conduct which they are expected to follow.

4. Person identifiable information

4.1 Person-identifiable information is anything that contains the means to identify a person, e.g. an individual name, address, postcode, date of birth, email address, telephone number, or unique identifiable reference number.

4.2 Confidential information within L’Atelier Aesthetics is not restricted to a person’s health information. It also includes private information that an individual would not expect to be shared such as staff employee records, occupational health records, and business information about L’Atelier Aesthetics.

4.3 Information can relate to L’Atelier Aesthetics patients and staff (including temporary staff), however stored. Information may be held in:

paper format
computers
laptops
tablet devices
mobile phones
digital cameras
compact discs (CDs)
x-rays
digital versatile discs (DVDs), and  USB devices. This list is not exhaustive.

5. Disclosure of personal information

5.1 Strict conditions apply to the disclosure of personal information within L’Atelier Aesthetics. L’Atelier Aesthetics will not disclose personal information to any third party unless it is believed to be lawful to do so.

5.2 Information relating to identifiable patients must not be divulged to anyone other than an authorised person, for example medical, nursing or other healthcare professional staff, as appropriate, who are concerned directly with the care, diagnosis and/or treatment of the patient.

5.3 Maintaining confidentiality is an important duty but there are circumstances when it may be appropriate to disclose confidential patient information. These are:

when the patient has given consent
when the law says it must be disclosed, or  when it is in the public interest to do so.  An example of such circumstances would be child protection where the overriding principle is to secure the best interests of the child.

5.4 L’Atelier Aesthetics will also seek the consent of staff for the passing on of identifiable personal information for any purpose other than those outlined to staff on appointment. In certain circumstances, information relating to staff acting in a business capacity may be made available provided:

L’Atelier Aesthetics has the statutory power or is required by law to do so, or
the information is clearly not intrusive in nature, or
the member of staff has consented to the disclosure, or
the information is in a form that does not identify individual employees.

5.5 If staff have any concerns about disclosing information they must discuss this with the Medical Director.

6. Caldicott principles

6.1 The following seven Caldicott principles will be adhered to by L’Atelier Aesthetics in all cases where the appropriate use of person identifiable health information is considered.

Principle 1  Justify the purpose Every proposed use or transfer of personal confidential data, within or from, L’Atelier Aesthetics should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by the Practice Manager or Medical Director.

Principle 2  Don’t use personal confidential data unless it is absolutely necessary Personal confidential data should not be used unless it is essential for the specified purpose. The need for patients to be identified should be considered at each stage of satisfying the purpose.

Principle 3  Use the minimum necessary personal confidential data Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data transferred or accessible as is necessary for a given function to be carried out.

Principle 4  Access to personal confidential data should be on a strict need to know basis Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.

Principle 5  Everyone with access to personal confidential data should be aware of their responsibilities Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6  Comply with the law Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements. In L’Atelier Aesthetics, this is the Medical Director.

Principle 7  The duty to share information can be as important as the duty to protect patient confidentiality Health and social care professionals should have the confidence to share information in the best interests of patients within the framework set out by these principles. They should be supported by policies of their respective regulators and professional bodies.

Examples of justifiable purposes include:

delivering personal care and treatment
assuring and improving the quality of care and treatment
monitoring and protecting public health
managing and planning healthcare services
risk management
investigating complaints and potential legal claims
teaching purposes
statistical analysis, and
medical or health services research.  The above principles do not and cannot provide definitive answers for every situation as much depends on the context of each individual case. If in doubt, staff working at L’Atelier Aesthetics must seek appropriate advice from the Medical Director before releasing personally identifiable information.

7. Handling of personal information

7.1 L’Atelier Aesthetics will handle all person-identifiable information securely and in keeping with the requirements of the Data Protection Act.

7.2 All staff, through appropriate training and responsible management, will be expected to:

fully observe conditions regarding the collection and use of personal information
meet legal obligations to specify the purposes for which personal information is gathered and used
collect and process appropriate personal information only to the extent that it is needed to fulfil L’Atelier Aesthetics’s operational needs or to comply with any legal requirements
apply strict checks to determine the length of time personal information is held, and
take appropriate technical and organisational security measures to safeguard personal information.

7.3 L’Atelier Aesthetics will take disciplinary action against any member of staff found to have breached patient confidentiality, and ensure

that all staff are aware that they risk personal prosecution for breaches of the Data Protection Act.

8. Compliance

8.1 L’Atelier Aesthetics will ensure that:

there is always someone with specific responsibility for Data Protection in L’Atelier Aesthetics
patients are pro-actively informed of the uses to which their information is put
staff are informed, on appointment, of the uses to which their personal information is put, e.g. equal opportunity monitoring
consent is sought before passing personal identifiable information on for any reason other than to fulfil justifiable purposes
staff are reminded of their obligations under the Data Protection Act
everyone managing and handling personal information understands that they are directly and personally responsible for following good Data Protection practice
only staff who need access to personal information as part of their duties are authorised to do so. Unauthorised access to personal information, either in paper or electronic format, is considered to be a breach of the Data Protection Act and this L’Atelier Aesthetics policy
everyone managing and handling personal information is appropriately trained to do so
everyone managing and handling personal information is appropriately supervised, where necessary
anyone wishing to make enquiries about handling personal information knows what to do
queries about handling personal information are dealt with promptly and courteously
methods of handling personal information are clearly described, and
the way personal information is managed and handled will be regularly  reviewed and evaluated.

9. Breaches of confidentiality

9.1 Breaches of confidentiality are often unintentional. They are often caused by staff conversations being overheard, by files being left unattended, or by poor computer security. However, the consequences could be equally serious for all concerned.

9.2 Obligations to maintaining confidentiality and preventing breaches include;

not gossiping
taking care not to be overheard when discussing a patient’s circumstances in a public area
closing and locking doors/cabinets/drawers when not in use
not leaving a computer unattended and logged-in
always logging out of a computer when work is finished or when leaving a desk
making sure computer screens are never visible to the public, especially in public reception areas
querying the status of visitors and strangers to London Interventional Radiology, and
knowing who to tell if anything is suspicious or worrying.

9.3 The simple rule of thumb is that personally identifiable information must  always be held securely and, when used, treated with respect.  This rule applies whether the information is held in paper format, in a computer, or in a member of staff’s head.

10. Policy awareness

10.1 All new members of staff at L’Atelier Aesthetics will be made aware of this policy through their induction programme.

10.2 Existing staff will be reminded of the policy which will be readily accessible within L’Atelier Aesthetics.

10.3 All staff and relevant third parties must be familiar with and comply with this policy at all times.

Storage and security of your personal information

Security

We comply with the standard procedures and requirements as laid down by applicable law to ensure that your personal information is kept secure and we use the latest in Secure Server Technology (SSL – 128bit encryption) to ensure that all of your personal information is protected to the highest standards.

The transmission of information via the internet is not completely secure. Any emails we send or receive may not be protected in transit. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website; any transmission is at your own risk.

Any passwords that you use must be kept securely. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Additionally, the information that we collect from you may be transferred to, and stored at, a destination outside the UK and the European Economic Area (“EEA”). It may also be processed by our third party suppliers outside of the UK and EEA.

Google Analytics

This site uses Google Analytics to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.

Google Analytics records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you. Google Analytics also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this.

Disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website.Read Google’s overview of privacy and safeguarding data or Read Google Analytics use of cookies – Google’s developer guides.

Email newsletters – Campaign Monitor

We use a third party provider, Campaign Monitor, to deliver our e-newsletters using the email address that you submit to us. We gather statistics around email opening and clicks.

Your email address will remain within Campaign Monitor’s database for as long as we continue to use Campaign Monitor’s services for email marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any email newsletters.

We consider Campaign Monitor to be a third party data processor. For more information, please see MailChimp privacy notice

If you are under 18 years of age you MUST obtain parental consent before joining our email newsletter.

Use of cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We may also use trusted third-party services that track this information on our behalf.

Most web browsers allow some control of most cookies through the browser settings. Every browser is different, look at your browser’s Help Menu to learn the correct way to modify your cookies. If you turn cookies off, some features may be disabled.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.