Privacy Policy


Our Policies

Cancellation policy

Please make sure you book your sessions in advance.

All therapy/treatment bookings MUST be paid at time of booking. If you are unable to attend and need to cancel your booking, you must call and/or email the Centre as soon as possible.

Late cancellations or non-attendance mean that income from payments and valuable appointments are lost. Additionally, they deny clients on waiting lists the opportunity to fill vacant appointments.

This policy outlines procedures for cancelling bookings for treatments and therapies that are fair and reasonable for all involved and cost-effective for the Charity.

  • Cancellations should be made by email to administrator@mstc-lothian.org.uk or by telephone to 0131 554 5384.
  • Client cancellations or re-bookings require a minimum 24 hours’ notice.
  • No refund is given for non-attendance or for cancellations under the 24-hour minimum. This is classified as a late cancellation.
  • Group classes are booked in eight-week blocks to cover Exercise Tutor costs. No refunds can, therefore, be given for a missed class in a block booking.

We appreciate that on occasion, non-attendance is unavoidable at short notice, and in these individual circumstances, a refund may be made at the discretion of the Operations Manager. Where there is evidence of repeated or frequent short notice cancellations, the Operations Manager will discuss and re-evaluate the individual client’s Personal Therapy Plan and/or booking arrangements.

Bookings can be made by calling 0131 554 5384 or by emailing administrator@mstc-lothian.org.uk. Payment can be made by: Cash, Credit or Debit Card or Cheque. Regular attenders should discuss Personal Therapy Plans (monthly Standing Order Payments) with a staff member.

 

Privacy Policy

At the Multiple Sclerosis Therapy Centre (MSTC) Lothian, we’re committed to protecting and respecting your privacy. This Policy explains when and why we collect personal and sensitive (where necessary) information about people who use our services, therapies and treatments; who become members; who make payments; donate and fundraise for us, and how we use it, and also the conditions under which we may disclose it to others and how we keep it secure.

Our legal basis for processing personal and sensitive data is Legitimate Interest under Article 6(1)(f) and, for special category (sensitive) data, Article 9(2)(d) of the General Data Protection Regulation.

Any questions regarding this Policy and our privacy practices should be sent by email to nancy@mstc-lothian.org.uk or in writing to Nancy Campbell, MS Therapy Centre Lothian, 40c Swanfield, Edinburgh EH6 5RX. Alternatively, you can telephone 0131 554 5384.

Section 1: Who are we?

We’re an independent charity specialising in providing practical self-management support, therapies, treatments and activities for people living with multiple sclerosis and other neurological and long-term health conditions. The MS Therapy Centre Lothian is a registered Scottish charity (no. SC014991) and company limited by guarantee (no.SC122837). The registered address is 40c Swanfield, Edinburgh, EH6 5RX.

Notification

Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:

The Information Commissioner's Office – Scotland, 45 Melville Street Edinburgh, EH3 7HL. Telephone: 0303 123 1115.

Email: Scotland@ico.org.uk

https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/

Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register. Breaches of personal or sensitive data shall be notified immediately to the individual(s) concerned and the ICO.

Section 2: Personal and Sensitive Data

All data (information) within the MS Therapy Centre Lothian’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.

The definitions of personal and sensitive data shall be as those published by the ICO for guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/keydefinitions/

The principles of the General Data Protection Regulation (GDPR) shall be applied to all data processed:

  • processed fairly and lawfully;
  • obtained only for lawful purposes, and is not further used in any manner incompatible with those original purposes;
  • accurate and, where necessary, kept up to date;
  • adequate, relevant and not excessive in relation to the purposes for which it is processed;
  • not kept for longer than is necessary for those purposes;
  • processed in accordance with the rights of data subjects under the GDPR;
  • protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage;
  • not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the personal information.

Fair Processing / Privacy Notice

We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, volunteers and clients prior to the processing of an individual’s data.

Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation. https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-noticestransparency-and-control/

The intention to share data relating to individuals with an organisation outside of our own shall be clearly defined within notifications, and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.

Any proposed change to the processing of an individual’s data shall first be notified to them.

How do we collect information from you?

We obtain information about you when you register to access and use our services, therapies and treatments by completing our client registration form, and/or when you make a donation (Gift Aid Form), become a member (Membership Form) or do a fundraising event (Sponsorship Form) for us.

Why we collect information

Information collected on Client Registration Form

We need you to provide us with some personal, health and medical related information as this enables us to assess your individual needs and provide you with the most appropriate and suitable therapies.

Information collected for donating and/or fundraising

We need you to provide information for HMRC Gift Aid and Fundraising standards purposes.

Information collected on Membership forms

To keep you up to date with developments, send you our quarterly Newsletter and/or to advise of our AGM. This also applies to registered clients and donors.

Section 3: Your Rights

You should ensure that the information we collect and hold in relation to you is accurate and kept up to date; this includes personal, health, medical and pharmaceutical information. If you would like to review the information we have collected on you at any time, please see the contact below.

You also have the right to have the information erased if we do not have a legitimate reason for retaining it. We will accede to any such valid requests within 30 calendar days of the receipt of a valid request in writing. Please note: in order to adhere to our legal requirements and the recommended minimum retention periods for health records, your information will be anonymised and archived but retained for a maximum period of 6 years.

You have the right to be given a copy of information held by us about you. We will provide the requested information to you within 30 calendar days of the receipt of a valid request in writing. We might request that you provide additional information to enable us to identify your personal data and/or to verify your identity. Please send all requests to the contact person below.

Section 4: What type of information is collected from you?

The personal information we collect will include your name, address, date of birth, telephone number (landline & mobile), email address, next of kin and gender. The health and medical information will include your GP details, Consultant details (if applicable), diagnosis and symptom information, specific information about your care arrangements (if applicable), health condition/s, mobility issues and medications, prescribed and herbal. Payment and/or donation information is collected by us, and electronic payment (Card Payment) information is collected by our third-party payment processors, who specialise in the secure processing of credit/debit card transactions.

How is your information used?

We may use your information to:

  • assist in providing you with access to our services, therapies and treatments;
  • assist you in making bookings for services, therapies and treatments;
  • process a donation that you make;
  • process a payment for services, therapies and treatments;
  • seek your views or comments on the services we provide;
  • notify you of changes to our services;
  • send you communications which you have requested and that may be of interest; this may include information about campaigns, appeals, other fundraising
  • report processing and/or a grant or job application.

We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations (for example HMRC on the collection of Gift Aid, and the retention of health-related records). We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant consent you hold with us.

Section 5: Who has access to your information?

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes.

Third-Party Service Providers working with us

We only pass your information to other service providers with your CONSENT, such as NHS medical, clinical professionals, and/or Health & Social agencies, and other associated organisations for the purposes of providing specialised health related services, advice and/or information. However, when we use other service providers, we disclose only the personal and/or health information that is necessary to deliver the service and we ensure that they have in place secure data processing and retention processes and policies. Please be reassured that we will not release your information to third parties beyond the MS Therapy Centre Lothian Network for them to use for their own direct marketing purposes, unless we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

Section 6: Security

We endeavour to use industry standard data security measures to protect your information and to prevent the loss, misuse or alteration of any information in our control. However, the transmission of information via the internet is not completely secure and we cannot guarantee that all of your private communications and other personally identifiable information will never be disclosed. However, we will use our reasonable endeavours to ensure that such information is kept as secure as possible.

How you can update your information

The accuracy of your information is important to us. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change your address, GP, medications and/or email address, or any of the other information we hold is inaccurate or out of date, please email us at: administrator@mstc-lothian.org.uk or write to us at: MS Therapy Centre Lothian, 40c Swanfield, Edinburgh EH6 5RX.

Security precautions in place to protect against the loss, misuse or alteration of your information

In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.

Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.

The security arrangements of any organisation with which data is shared shall also be considered, and these organisations shall provide evidence of their competence in the security of shared data.

When you give us personal and/or sensitive information, we take steps to ensure that it’s processed and retained securely. All personal and sensitive information is stored securely on the MSTC client database. Appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal and sensitive data and against accidental loss or destruction of, or damage to, personal and sensitive data. Only authorised MSTC staff can access, alter, disclose or destroy personal and sensitive data.

Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.

Photographs and Video

Images of staff, volunteers and clients may be captured at appropriate times and as part of centre activities for use in the MS Therapy Centre’s promotional and marketing material, on our website and in reports and publications. Unless prior consent has been given by clients, volunteers and staff, the MS Therapy Centre Lothian shall not utilise such images for publications or communications.

Data Disposal

The MS Therapy Centre Lothian recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.

  • All data held in any form of media (paper, tape, electronic) shall be disposed of using secure disposal procedures.
  • All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.
  • Disposal of IT assets holding data shall be in compliance with ICO guidance: https://ico.org.uk/media/fororganisations/documents/1570/it_asset_disposal_for_organisations.pdf .

Children

We are concerned to protect the privacy of children. For children aged under 13, where appropriate and dependent upon the child’s cognitive/health capacity, parents/guardians must complete client registrations and consent forms on behalf of the child. We obtain parental consent to the processing for children who are under the age of 13, and make reasonable efforts (taking into account the available technology and risks inherent in the processing) to verify that the person providing consent holds parental responsibility for the child.

As a matter of good practice, when relying upon parental consent we offer two different versions of our privacy notices: one aimed at the holder of parental responsibility and one, a separate policy statement, aimed at the child. We design the processes by which a child can exercise their data protection rights with the child in mind, and make them easy for children to access and understand.

Transferring your information outside of Europe

As part of the services offered to you through this website, the information which you provide to us may be transferred to countries outside the European Union (“EU”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy. If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.

Review of this Policy

We keep this Policy under regular review. This Policy was last updated on 10/10/2020.