TRUST PSYCHOLOGY LTD.
Trust Psychology aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that we collect when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 (and the subsequent UK Data Protection Bill that is expected to be enacted in 2018).
The policy describes how we manage your information when you use our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies). In respect of cookies the policy includes information about the type of cookies that we use and how you may disable those cookies.
Trust Psychology uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Dr Melanie Lee is the Data Controller; if another party has access to your data we will tell you if they are acting as a Data Controller or a Data Processor, who they are, what they are doing with your data and why we need to provide them with the information.
1. Why do we need to collect your personal data?
We need to collect information about you so that we can:
· Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.
· Deliver services to you. The legal basis for this is the contract with you.
· Process your payment for the services. The legal basis for this is the contract with you.
· Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
· Optimise your experience on our website. The legal basis for this is a legitimate interest.
· Provide you with a useful and relevant website. The legal basis for this is a legitimate interest.
2. What personal information do we collect and when do we collect it?
For us to provide you with services, we need to collect the following information:
· Your name
· Your contact details including telephone number(s) and electronic contact such as email address.
We collect this information directly from you when we begin to organise therapeutic services for you, or in the case of staff and associates, when you begin to supply services on behalf of Trust Psychology (TP).
We may also collect information about you from third parties; for example, if we need to gather information from another health professional (such as your Doctor) to provide a complete health assessment.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
· To communicate with you, so that we can inform you about your appointments with us, we use your name and your contact details such as your telephone number or email address.
· To create your invoice using our accounting package, we use your name and email address.
4. Where do we keep the information?
We keep your information in the stores described below.
4.1. On our company computers
We use personal computers that are located on our business premises. The computers are password-protected and the hard drives are encrypted. Passwords are changed every 90 days and it is company policy that passwords are not shared.
Your customer record
We use an electronic Practice Management System, WriteUpp. This system is password-protected and stores information in a data centre in the EU, and is GDPR compliant.
We create reports and notes that contain information that we gather, and our findings and conclusions. These are also stored on our WriteUpp Practice Management System. We also use Tresorit, a cloud-based system, to securely store information. Tresorit stores information in data centres in the EU, and is GDPR compliant.
Your therapy delivery
With patients who are based in other parts of the country we may use Zoom, an online video conferencing facility based in the US.
4.2. In our accounts package
We use an online accounts package which is password-protected and stores the information in a data centre in the US. The company that provides the accounts software has stated that they are compliant with GDPR.
4.3. As a paper copy
We take handwritten notes when we meet you. These notes are used to create reports. Paper copies of documents are scanned and uploaded to our electronic Practice Management System. Most paper copies are then shredded; those which have to be kept are held in a locked filing cabinet at our business premises. If papers have to be carried to client meetings, they are never out of sight of the therapist who is carrying them.
5. How long do we keep the information?
We keep electronic invoices for seven years, as this is the retention period required by HMRC. After seven years we delete the invoices using the Xero delete function.
We keep your personal details for six years after the end of therapy, as required by the British Psychological Society, the regulatory body for Psychologists.
6. Who do we send the information to?
We only send your information to anyone involved in your care, or anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are encrypted and password protected. Audio files may be sent by secure electronic means. Third parties receiving your information will be aware of the requirement for confidentiality and data protection, and will have processes in place similar to our own.
Your invoice information can be seen electronically by our accountant. The accountant is based in the UK and all their computer systems are in the UK.
We send the details about your access to our website to our web analytics provider. They are based in the European Union and are GDPR compliant.
7. How can you see all the information we have about you?
You can make a subject access request (SAR) by contacting the Data Protection Officer. We may require additional verification that you are who you say you are before we process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing it would violate your vital interests.
8. What if your information is incorrect or you wish to be removed from our system?
Please contact the Data Protection Officer. We may require additional verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format as the subject access request in section 7.
9. How can you have your information removed?
If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
10. Will we send emails and text messages to you?
As part of this service, we may need to send details of your appointments and other information to you by email or text message. To protect your information, we prefer to use an end-to-end encrypted messaging service. If you are not able to use such a service we may use SMS (text messages); however, this does increase the risk of someone intercepting the message.
11. How do you opt out of receiving emails and/or text messages from us?
If you are receiving text messages from us, you may unsubscribe at any time by following the instructions included within the text message. Similarly, if you are receiving emails from us, you may unsubscribe at any time by following the instructions included within the email. When you unsubscribe (i.e. opt out) from either text message and/or email communications, we will suppress your details on our systems to ensure we have a record of your decision not to be contacted in that particular manner. We will not use the email address or mobile phone number for such messages again unless you opt back in. When unsubscribing from either email or text communications, you should always follow the specific instructions given in the particular email or text that you wish to discontinue receiving.
12. What happens in case of a breach of privacy?
In the unlikely event of a breach in our privacy system, we will first act to stop the breach, and will then inform you if your information has been affected. If it is possible that your information has allowed someone to identify you, we will inform the Information Commissioner’s Office (ICO).
If your questions are not fully answered by this policy, please contact our Data Protection Officer (provide contact details here). If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner's Office (ICO).
Updated May 2018