That being said, I do collect clients’ information in the course of operating my massage therapy business. Here are some of the guidelines that I follow as a member of Associated Bodywork & Massage Professionals:
- I will conduct a thorough health history intake process for each client and evaluate the health history to rule out contraindications or determine appropriate session adaptations.
- I will fully inform my clients of choices relating to their care, and disclose policies and limitations that may affect their care. I will not provide massage without obtaining a client’s informed consent (or that of the guardian or advocate for the client) to the session plan.
- I will keep client communication and information confidential and will not share client information without the client’s written consent, within the limits of the law. I will ensure every effort is made to respect a client’s right to privacy and provide an environment where personal health-related details cannot be overheard or seen by others.¹
More details as follows:
Who is collecting the data:
Linda Boyer, LMT
What data is being collected:
- At the time of an appointment: Clients’ name, contact information, informed consent for massage therapy, opt-in/opt-out for email contact, health questionnaire
- When someone books a massage: Clients’ name, contact information
- When someone signs up for my email list in person at an event: Clients’ name, email address, opt-in consent is noted on the paper signup form
- When someone signs up for my email list online: Clients’ name, contact information, opt-in consent is noted by the program (MailChimp or Constant Contact)
- When someone books a massage online through Schedulicity: The scheduling program requires a client’s contact information, and may accept the client’s pre-payment. If a prepayment is made through Schedulicity at the time of booking a service, I do not have access to the client’s credit card or other payment account numbers.
- When someone buys a gift certificate online through Gift Card Cafe: The gift certificate program requires a client’s contact information, and accepts their payment. I do not have access to the client’s credit card or other payment account numbers.
- When a client pays for their massage at the time of the service: If the client pays with a credit card, I use a Square reader (or just the Square app on my phone) to take payment. I do not retain the clients’ credit card info after the payment is completed.
What is the legal basis for collecting/processing data:
- The person subscribed to my email list (opted in) on a certain date
- The person came in for a massage and provided their information on my intake form
- The person contacted me in the course of doing business as described above (e.g., buying a gift certificate)
- If a client comes in for a massage, they must give their name, contact info, and answer the health questionnaire, as noted in my code of ethics
Will data be shared with a third party:
How will data be used:
Clients’ information is necessary to give them a safe and appropriate massage therapy session. Some information (health details) can be described as special category personal data. Again, this information is to help the massage therapist (me) rule out contraindications and determine how to adapt the massage to make it most beneficial and safe for my clients.
How long will data be stored:
I retain clients’ information for a minimum of seven years.
What rights does the data subject have:
- A person may opt-in or opt-out of email contact by clicking the Unsubscribe link on a newsletter. MailChimp and Constant Contact provide secure subscription/unsubscription functions in their programs. If the subscribe/unsubscribe function doesn’t work properly, please contact me and I will check on it for you.
- A person may choose to pay with a credit card or with cash. I accept credit cards without adding a surcharge for processing.
How can a data subject raise a complaint:
Contact me directly by phone, email, or messaging.
How is clients’ information stored:
- Client intake forms are on paper and are stored in a locked file cabinet.² I am the only person who sees these forms.
- Clients’ names, addresses, email addresses (if opted in), phone, birthday, & a note of first appointment are typed (by me) into a spreadsheet that is stored on my drive and is not made shareable to anyone else. I print this out for writing holiday cards, etc., and it is for my eyes only.
- If a client books on Schedulicity, I believe that their system retains client contact info. The system may send appointment confirmation emails or other reminders if the client has opted in for them. Since I’m a one-person business, I do not give other people permission to view my Schedulicity account.
- Clients or other persons may choose to “Like” or “Follow” my business on Facebook. If a person Likes or comments on a post from my page, I may invite them to “Like” or “Follow” my business page.
- If a person chooses to review, comment on, like, follow, check in to, share, tag, or otherwise interact with my business on Facebook or other social media, they do so willingly (and I appreciate it!).
- I may sometimes share, tag, or otherwise interact with my friends as my business on Facebook or other social media. I won’t post naming a friend (or other person) to say that they have come in for a massage. This is to uphold our profession’s standard for client confidentiality.
¹ ABMP Code of Ethics, accessed August 27, 2018. www.abmp.com
² A Hungarian Horntail may provide an additional layer of security for my file cabinet.