About our Privacy Notice
Rachel Hampson Nutrition is committed to protecting your privacy and legal rights when dealing with your personal information. This Privacy Notice intends to provide clear and understandable details about the information we collect about you (or anyone you have provided us with information about, e.g. your child), how we use and protect it. It also provides information about your rights that relate to the data we process.
If you have any queries about this Privacy Notice, if you are not sure what something means, or if you wish to contact us about personal information we hold, please email us at:
Rachel Hampson Nutrition is registered with the Information Commissioner's Office, registration number ZA804699.
Information about Rachel Hampson Nutrition
[trading as a sole trader]
Principal activity: Healthcare services as defined below.
The right to object
You have the right to object to processing of your data, if processing of your data is based on legitimate interests, or if processing is being used for direct marketing. The definition of ‘legitimate interests’ is discussed within this Privacy Notice. Please contact us in the first instance if you wish to object.
Definitions of terms within this Privacy Notice
‘we’, ‘our’, ‘us’, ‘Company’ is a direct reference to Rachel Hampson Nutrition.
‘services’ means health care related services provided by us, as defined in ‘Scope Of Healthcare Services’.
UK-GDPR means the United Kingdom General Data Protection Regulation, which came into force on 1st January 2021 and is tailored by the Data Protection Act 2018.
ICO means the Information Commissioner’s Office and will also refer to any successor to it as the UK data protection authority.
Data Protection Laws means the Act, UK-GDPR, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the ICO or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction.
Data Controller, Data Processor, Data Subject and Personal Data all have the meaning given to them in the Act and UK-GDPR.
Website or site means the website at https://www.rachelhampson.com/
‘client’ or ‘clients’ means people who attend our clinic or intend to use our services.
‘client or client’s data’ means either Personal Data or Special Category data, as defined by the UK-GDPR.
‘personal information’ means either Personal Data or Special Category data, as defined by the UK-GDPR.
Securing your personal information
The level of technical safeguarding of data should be appropriate to the nature of information in question, and the harm that might result from its improper use, or from its accidental deletion or destruction.
The following list shows some of the technical and organisational measures we put in place to ensure the safety and integrity of your data.
- Our clinicians and administrative staff are trained in the appropriate handling of personal information and how to respond to a data breach
- We practise common-sense cybersecurity measures, such as locking screens when away from them and ensuring Windows / Mac OS updates are installed on release
- Where possible, we use two-factor authentication for key systems
- We ensure passwords are changed regularly on our systems
- We don’t use systems aimed purely at consumers, such as Gmail personal, Dropbox personal and Hotmail
- We communicate with clients using the secure messaging platform within our Client Management System, https://www.penocch.io/
- We ensure we encrypt all our hardware that will store personal information, using industry standard encryption methods
- We back up our data securely to onsite and cloud-based storage
- Our third-party providers of systems used to process your personal data are compliant with data protection laws and requirements, and also have effective data restore capabilities to ensure your data can be recovered
Scope of Health Care Services
- Nutritional Therapy
Categories of personal information that we process
Standard personal information, which can include (but is not limited to):
- email address(es)
- telephone number(s)
- date of birth
- next of kin or similar contact details
- details of any complaints or grievances raised that relate to the provision of our services
- financial details that relate to payments for our services (note we do not store card details)
- account details relating to your private medical insurance provider
Special Category personal information
This is personal information specifically relating to your:
- health, both physical and mental
- sex life
Special Category personal information relating to health can include (but is not limited to) clinical notes, examination findings, medical imaging data related to your care, diagnostic test results, correspondence and communications from other clinical professionals which relates to your current or past clinical care.
How we collect personal information from you
If you provide us with personal information about other people, please ensure that they have seen this Privacy Notice and understand it, before you provide this information to us.
We will collect Standard and Special Category personal information from you, or from other third parties. We will collect the information from the following sources:
- Your parent or guardian, if you are under 18 years of age
- A family member, or someone else acting on your behalf
- Your interpreter, acting on your behalf
- From yourself, either in face-to-face consultations, or via electronic communications such as email, via the telephone, or via postal communications
- When you have given explicit consent to subscribe to educational or marketing email correspondence
- Manually, when you fill in referral, assessment, registration and other forms
- Via electronic or postal communications, or from records completed by clinicians involved in your care and their administrators
- When given directly by social services, carers, relatives and friends – over the phone or in person
- From providers of medical imaging and diagnostic testing involved in your care
- From your private medical insurance provider or referring country’s Embassy
- In emergency situations by the social services, police or ambulance service staff
What we use your personal information for
These two types of personal information are discussed above in the section “Categories of personal information that we process”.
Standard personal information
We process Standard personal information about you if it is determined that:
- It is in our Legitimate Interests. What constitutes Legitimate Interests is detailed below.
- We have your Explicit Consent
- Processing is necessary for the establishment, exercise or defence of legal claims (for example, to process a legal claim against us, including your personal information provided to our regulatory body if lawfully requested)
Standard personal information – Explicit Consent
This applies when you’ve subscribed and opted in to receive our email newsletters, blogs and marketing offers, or you’ve provided consent to receive email newsletters, blogs and marketing offers via an opt-in checkbox on our marketing consent form. We will ensure you can easily opt out of any marketing material you have opted into.
Additionally, with your express consent, we may need to share your personal information with other healthcare providers such as your GP. These other third-party providers may provide us with sensitive information regarding you. Without this express consent, we will not be able to coordinate the healthcare we provide you with other healthcare providers. This would likely mean a less effective provision of healthcare by us.
Please be assured that when we need to share your personal information with other healthcare providers, we will always explain in detail why this is needed, and answer any questions you may have before sharing any information.
We may also, with your explicit consent, share your contact information with biochemical testing companies to order tests as part of your healthcare, some of which may be based outside the European Union. If we do not receive this consent from you, we will review alternative tests from providers based within the European Union.
We seek to continuously improve our practice through professional development, a key part of which (with your explicit consent) is sharing case histories with our peers through clinical supervision, online forums and discussion groups. Your name, address and contact details will never be shared.
With your explicit consent we may share your case history with peers for educational purposes. This could be through conferences, lectures, online forums, and publishing in medical journals, trade magazines or online professional sites. Your name, address and contact details will never be shared.
If we believe that your life is in danger then we may pass your information on to the relevant UK public authorities, such as legal and crime prevention agencies or your GP. If we believe that a child is at risk, we may additionally pass information to Social Services.
Standard personal information – Legitimate Interests
The law requires us to balance the processing of your Standard personal information against your interests, rights and freedoms. We conduct a Legitimate Interests Assessment to ensure the Standard personal information we process does not override your interests, rights or freedoms in relation to your information.
The Legitimate Interests we have identified that allow us to process your Standard personal information are:
- To enable us to take sufficient information in order to record who you are when booking appointments
- To ensure we can email you with basic information about your appointments
- To manage our personal relationship with you, with respect to discussing invoices and requesting insurer authorisation codes
- To communicate with you if we need to cancel or rearrange appointments
- Provision of direct healthcare, including recording information that relates to consultations we undertake with you
- We may obtain sensitive medical information in the form of test results from biochemical testing companies. We use this information in order to provide you with direct healthcare.
If you book into our clinic as a potential client and we hold no previous clinical records that relate to your direct care, and then you cancel the booking, we will no longer have a legitimate interest in processing your data. In most instances, we would delete any personal information that was used to make the booking.
Please note that if you are a client currently undergoing treatment or have appointments booked, we will use your email address to inform you of any changes that relate to our clinic. Examples include changes to fees and change of clinic address. Even if you ask us not to send you marketing or educational emails, we will still use your email address to communicate with you regarding this clinic-related information.
Special Category personal information
As we are a provider of health care services to you, we have several reasons for processing your Special Category personal information. We would not be able to provide health care services to you unless we can process this information.
We undertake to process this information in line with Data Protection Laws as defined in the section “Definitions of terms within this Privacy Notice” within this document.
We process Special Category personal information about you, using the following lawful basis as defined by the UK-GDPR. Highlighted in red text are the parts of the lawful basis that allow us to co
necessary for the establishment, exercise or defence of legal claims
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
When those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under domestic law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under domestic law or rules established by national competent bodies.
Special Category information – provision of health care or treatment as required by our regulatory body, BANT
We are also required by our regulatory body, the British Association for Nutrition and Lifestyle Medicine (BANT), to take and process records that relate to the clinical treatment we provide to you. These records are required to support safe and effective care.
Sharing your personal information
We sometimes need to share your information with other people or organisations for the purposes set out in this Privacy Notice. We will, where required, share the minimal amount of your personal data as appropriate with the other people or organisations we are communicating with:
- doctors, surgeons, clinicians and other health-care professionals, hospitals, clinics and other health-care providers;
- their administrative staff, such as secretaries;
- any other contractors or companies that provide a service to us in order to facilitate the healthcare we provide you. Any information shared would be stated as confidential and not to be shared any further, unless a valid reason is provided;
- People or organisations that we are required by law or our regulatory body to share your personal information with;
- The police or other law enforcement agencies, where we are either required by law or a court order;
- Our own legal team in the event of a legal claim against us;
- A parent or legal guardian if you are a minor;
- Any person that you have authorised us to share information with, for example, a solicitor
How long do we keep your personal information for
We will usually store information related to therapy for seven years from the date of the last time we saw you.
We will also store information to ensure we can deal with any legal claims that arise from you using our services, and the data will be stored for as long as is required and advised by our legal counsel.
Your rights on us processing your personal information versus us storing your personal information are discussed in the section ‘Your rights’, below.
Any personal information that is used for marketing purposes, and that has been provided using explicit consent, will be held until erased in accordance with your rights, if requested.
Any personal information that is used for other purposes, such as sharing case histories, and that has been provided using explicit consent, will be held until erased in accordance with your rights, if requested.
Transferring information outside the boundaries of the EEA (European Economic Area)
Generally, we store your personal information on secure systems that reside within the EEA. Where we use systems that are outside the EEA, we will ensure that there are suitable contractual or other safeguards in place to protect your data. One such example might be the US Privacy Shield, which safeguards your data if stored on systems that reside in the USA.
These measures may include contracts between us (as Data Controller) and Data Processors that we have checked have the required data protection law compliance, or ensuring your data is transmitted from the EEA to other global areas in a highly encrypted format and then stored on secure systems using “zero knowledge” encryption. In this instance, this means your data cannot be decrypted by a Data Processor.
Please do contact us if you are unsure about your rights as detailed below. We will always endeavour to help explain how your rights apply to the personal information we process, for our specified lawful reasons.
The right to be informed
We need to inform you of the name and contact details of our organisation, which are at the top of this document.
You have the right to be informed about how we collect and use your personal data. We are obliged to provide this right to be informed in a clear and concise manner.
This Privacy Notice you are reading is designed to inform you how we collect and use your personal data.
The right of access
You have the right to confirmation that your data is being processed and to view this information. This is known as a Subject Access Request or ‘SAR’, but you do not have to specify this term when requesting your personal information from us. You also have the right to request a copy of your personal data that we process.
We will need to identify you using reasonable means before we will start the process of collating your personal information.
Once we have identified you, we will reply to any requests for your personal information (SARs) within 30 days, unless we deem the request to be complex, or repetitive, where we will notify you that we may take an additional two months to provide your personal information.
We will not charge you to request information from us. However, we will charge a reasonable fee if the request for information is repetitive. If we’ve provided information to you and you wish to request it again, we ask that you contact us beforehand to discuss what our reasonable fee is.
If the request is manifestly unfounded or excessive, in particular because the request has become repetitive, we might decide to:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where we refuse to respond to a request, we will explain why to you, informing you of your right to complain to the ICO without undue delay and at the latest within one month of our refusal.
The right to rectification
You have the right to request rectification of your personal information. However, we only consider requests to correct factual information. Any clinical opinions will remain valid as they were the opinion at the time of being recorded. If a clinical opinion or diagnosis is later found to have changed, we will update your personal information to reflect this, but we will not change or remove the original clinical opinion.
The right to erasure
You have the right to request erasure of personal information.
If you have subscribed to any of our email educational or marketing correspondence, you have the right to request erasure from our email list, or you can click on the ‘unsubscribe’ link that appears in all emails we send. We will only use your personal information to send you marketing or educational material if you have given us your explicit permission.
For any other data that you have provided explicit consent for us to process, you have the right to deletion of this data.
For all other data that we hold and process regarding you, you may request deletion. We would consider this request, taking into consideration:
- Our governing body data retention time requirements
- Whether there are or could likely be any legal claims brought against us
- If there was any reason in UK law that we were obliged to retain data
If we determine we can delete your personal data, we will then not be able to see you as a client once the data has been deleted. We would notify you of the data deletion details.
If we determine we cannot actually delete data, you still have the right to ask us to restrict any further processing of your personal data. We will then not be able to see you as a client going forward.
The right to restrict processing
You can request that we restrict processing of personal information. This means that we will stop actively processing it, and it will just be stored. Stopping processing will mean that we will not add any additional information to your existing information.
The right to data portability
As we do not process personal information using a lawful basis of either a) consent or b) the performance of a contract, the right to data portability is not applicable. You still have the right to request this, however.
The right to object
You have the right to object if processing is based on legitimate interests, or if processing is being used for direct marketing.
Rights in relation to automated decision making and profiling
We do not make any kinds of automated decisions or perform any profiling with your personal information.
The right to lodge a complaint with a supervisory authority
We ask that you first contact us if you feel you wish to make a complaint. Please see the template letter and guidelines listed on the ICO website.
You can also contact the ICO directly:
They can also be contacted at the following address:
This Privacy Notice has been created for Rachel Hampson, t/a Rachel Hampson Nutrition, by Private Practice Ninja Limited.
Rachel Hampson Nutrition has the right to edit the text contained within this notice as they require, as long as it remains solely for the use of Rachel Hampson Nutrition.
Any redistribution or reproduction of part or all of the contents in any form is prohibited, including by Rachel Hampson Nutrition, to whom limited use of this Privacy Notice is licensed.
Rachel Hampson Nutrition may, however, publish a copy on their website, which currently is https://www.rachelhampson.com/
You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.