
Ebb & Flow client privacy notice
This privacy notice explains what I do with your personal information and how to get in touch if you have any questions or concerns about this.
Contact details
Email - contact@ebbandflow.scot
What information I collect, use, and why
I collect or use the following personal information for information updates or marketing:
· Names and contact details
· Marketing preferences
Lawful bases and data protection rights
Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis I rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
· Your right of access - You have the right to ask me for copies of your personal information. You can request other information such as details about where I get personal information from and who I share personal information with. There are some exemptions, which means you may not receive all the information you ask for.
· Your right to rectification - You have the right to ask me to correct or delete personal information you think is inaccurate or incomplete.
· Your right to erasure - You have the right to ask me to delete your personal information.
· Your right to restriction of processing - You have the right to ask me to limit how I can use your personal information.
· Your right to object to processing - You have the right to object to the processing of your personal data.
· Your right to data portability - You have the right to ask that I transfer the personal information you gave me to another organisation, or to you.
· Your right to withdraw consent – When I use consent as my lawful basis, you have the right to withdraw your consent at any time.
If you make a request, I must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact me using the contact details at the top of this privacy notice.
My lawful bases for the collection and use of your data
My lawful bases for collecting or using personal information for information updates, marketing or market research purposes are:
· Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
· Contract – I have to collect or use the information so I can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Where I get personal information from
· Directly from you
How I keep, store and destroy information
Personal information is stored for no longer than is necessary and only as long as needed to fulfil contractual agreements with you and for legal obligations. Information such as notes, letters and emails will be held for up to 12 months from your last appointment or contact. Financial agreements/payments are held for 7 years for HMRC compliance.
Information is held securely in Microsoft OneDrive electronic storage. Access to information is password protected and data is encrypted for further safety. Information is completely erased from OneDrive once no longer needed.
No internet security is 100% safe, so I cannot guarantee absolute security. However, I do take your security seriously and follow ICO guidance carefully.
Duty of confidentiality
I am subject to a common law duty of confidentiality. However, there are circumstances where I will share relevant health and care information. These are where:
· you’ve provided me with your consent (I have taken it as implied to provide you with care, or you have given it explicitly for other uses);
· I have a legal requirement (including court orders) to collect, share or use the data;
· on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
· I have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.
How to complain
If you have any concerns about my use of your personal data, you can make a complaint using the contact details at the top of this privacy notice.
If you remain unhappy with how I have used your data after raising a complaint with me, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office Scotland
45 Melville Street
Edinburgh
EH3 7HL
Helpline number: 0303 123 1115
Website: https://www.ico.org.uk/make-a-complaint