Last updated: 28th April 2024

At Beyond the Mountains Virtual Assistant Services ("the Company"), we are committed to protecting the privacy and security of our website visitors, clients, and their patients. We are registered with the Information Commissioner's Office (ICO Registration Number: ZB615247) and fully comply with UK data protection regulations.

1. Professional Credentials

We maintain:

• Current Enhanced DBS certification
• Up-to-date safeguarding training (renewed every 3 years)
• ICO registration (Number: ZB615247)
• Enterprise-level password security through LastPass
• Regular professional development and training
• Compliance with UK Data Protection Act 2018
• Structured onboarding and offboarding processes

2. Information Collection and Processing

2.1 Professional Client Information

We collect and process:

• Contact details
• Professional credentials
• Business information
• Service preferences
• Communication records

2.2 Patient-Related Information

When providing services to medical practitioners:

• We process only the minimum necessary patient information
• All processing is done under strict confidentiality agreements
• We maintain detailed processing records as required by GDPR
• We implement specific safeguards for children's data

3. Legal Basis for Processing

We process information under the following legal bases:

• Contract fulfilment
• Legal obligations
• Legitimate business interests
• Explicit consent where required
• Special category data processing for medical purposes

4. Enhanced Data Security Measures

We implement comprehensive security measures including:

• End-to-end encryption
• Multi-factor authentication
• Regular security audits
• Secure cloud storage
• Access controls and monitoring
• Staff security training
• Incident response procedures
• Enterprise-level password management through LastPass
• Secure credential storage and sharing

5. Special Provisions for Medical Data

5.1 Medical Practice Support

• Strict confidentiality protocols
• Compliance with medical practice standards
• Regular staff training
• Secure data transmission methods
• Audit trails of all processing activities
• Enhanced DBS checks for all staff
• Regular safeguarding training (renewed every 3 years)

5.2 Children's Data Protection

• Enhanced security measures
• Strict access controls
• Special handling procedures
• Regular compliance reviews
• Additional staff training
• Adherence to current safeguarding guidelines

6. Data Sharing and Third Parties

We maintain strict control over data sharing:

• No data selling or unauthorised sharing
• Vetted third-party service providers only
• Detailed data processing agreements
• Regular provider audits
• Strict confidentiality requirements

7. International Data Transfers

When required:

• Only to countries with adequate protection
• Using approved transfer mechanisms
• With appropriate safeguards
• Following UK GDPR requirements

8. Data Retention and Management

8.1 Retention Policies

We maintain clear retention policies in compliance with ICO guidelines and the UK Data Protection Act 2018:

• Professional records: 7 years
• Medical data: As required by law/medical practice
• Financial records: 7 years
• Website data: 2 years
• Client passwords and access credentials: Maximum 6 weeks post-contract
• Regular secure deletion procedures

8.2 Client Onboarding and Offboarding

In accordance with ICO requirements and UK Data Protection Act 2018:

• Structured onboarding process for all new clients
• Systematic documentation of all shared credentials
• Comprehensive offboarding procedure
• Verified deletion of all access credentials
• Documented removal from all systems
• Confirmation of deletion within 6 weeks of contract end
• Compliance verification and documentation

8.3 Compliance Framework

Our data retention and deletion processes are:

• ICO registered (Number: ZB615247)
• Compliant with UK Data Protection Act 2018 requirements
• Regularly audited for compliance
• Documented according to regulatory requirements
• Updated in line with legislative changes

9. Your Enhanced Rights

In addition to standard GDPR rights, we provide:

• Expedited access to medical information
• Enhanced data portability
• Strict breach notification procedures
• Detailed processing records
• Right to restrict processing

10. Cookies and Tracking

We use essential cookies only:

• For website functionality
• For security purposes
• No marketing tracking
• Regular cookie audits

11. Information Security

Our security infrastructure includes:

• Enterprise-grade password management (LastPass)
• Multi-factor authentication
• Regular security assessments
• End-to-end encryption
• Secure cloud storage
• Regular staff training
• Incident response procedures

12. Professional Standards

We maintain:

• ICO registration (Number: ZB615247)
• Regular compliance audits
• Staff training records
• Information security certifications
• Professional insurance coverage
• Enhanced DBS certificates
• Up-to-date safeguarding qualifications
• Secure password management systems

13. Changes to this Policy

• Regular policy reviews
• Update notifications
• Version control
• Change logs maintained

14. Contact Information

For privacy matters:

Data Protection Officer
Email: [email protected]
Response time: Within 24 hours for urgent matters

This policy is regularly reviewed and updated to ensure continued compliance with data protection regulations and best practices in medical data protection.

Effective Date: 28th April 2024