GDPR (General Data Protection Regulation) Compliance Policy, for patient data held by Kate Alden-Smith

Kate Alden-Smith as an acupuncture practitioner is committed to protecting and respecting your privacy. Please read this GDPR & privacy policy carefully, so that you can understand why and how she stores and uses your data.

Why we store your personal data and what we do with it

When you register with Kate Alden-Smith your details are stored and processed for the following reasons;

  • We need your personal information in order to provide you with the treatments that you have requested.
  • This request and our agreement to provide acupuncture and associated services constitutes an agreement and we will therefore require the ability to process your data in order to fulfil this and provide the services to the standards expected by The British Acupuncture Council.
  • We record, store and process this information based upon a ‘Legitimate & Medical Interest’ because without it we would be unable to provide you with the acupuncture services to the standards required.
  • We may very occasionally send you a newsletter, or information that we feel would benefit your health and wellbeing and could be of interest to you. You may withdraw this consent at any time, by clicking the unsubscribe option which can be found at the top and bottom of each marketing email, or by emailing

Personal data may be provided to Kate Alden-Smith in a number of ways including directly from you (email, post, in person viawebsite), recommendations or forwarding of relevant information from associated parties.

Retention Period:
The record keeping requirements for acupuncture practitioners is seven years. After which time you can ask that we delete your records if you so wish. You may do this by contacting any member of our team by phone, email Should we not be requested to delete your records, these may be retained indefinitely in order for us to provide a better service at a later date without having to collect personal data again.

Your records are only stored in paper form and in a locked facility.

Third-Parties / Outsourced Providers:
We will never share your data with any third party without your prior written or verbal consent. Only the following people/agencies will/could have access to your data;
• Members of the acupuncture team, to provide you with services
• Government agencies should this be required for fulfilment of contract

Data Access Requests:
Although you do not own your clinical records, you have the right to access information and you can do this by contacting any member of the team or emailing and submitting a “Subject Access Request”. We will respond to this request within one calendar month.

Data Rectification:
In addition to this, you also have the right to request that we update any information that you believe to be incorrect. It is likely that this request will be dealt with immediately, however we will respond to this request within one calendar month. This can be done by contacting any member of our team by email, phone or website contact form or emailing

Other rights:
If you decide that you don’t want us to contact you anymore, you are welcome to email us at to ask us to stop. This request will be reviewed and we will respond to you within one calendar month. If you are asking us to stop sending marketing information, we will do so immediately. You are also able to click on the unsubscribe link at the bottom of any marketing communications. If you would like us to erase all of the data we store and process for you, or you would like us to update or amend data held, please email us at We will respond to your request within one calendar month but hopefully sooner.

Complaints process:
If you feel that we have mishandled or breached our responsibilities in handling your personal data, please contact our Data Controller at We are strongly committed to protecting your personal data. Should you be unsatisfied with our response, you have the right to raise your concern directly with the Information Commissioner’s Office, the UK Data Protection Supervisory Authority.