Privacy and Data Protection Policy
Beyond Psychology Ltd takes the issue of your privacy seriously. Beyond Psychology Ltd aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that we collect when you contact us or use our services, how we manage your information and when we contact you. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 [and the subsequent UK Data Protection Bill that is expected to be enacted in 2018].
Beyond Psychology Ltd uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, the directors of Beyond Psychology Ltd (Dr Kirsty Hughes and Hannah Waugh) are the Data Controllers. If another party has access to your data, we will tell you whether they are acting as a Data Controller or a Data Processor, who they are, what they are doing with your data and why we need to provide them with the information. Dr Kirsty Hughes is the appointed Data Protection Officer.
Email: email@example.com
Telephone: 07715218975 (if we can’t answer your call, do leave a message and we will get back to you as soon as we can).
Information we collect and use
www.beyond-psychology.co.uk collects the information you provide us, including your name, contact details and email address. You would have been asked to provide your consent when you signed up to receive emails from us or to attend one of our workshops, training sessions, assessment sessions or therapeutic input.
What personal information do we collect?
For us to provide you with services, we need to collect the following information:
- Your name
- Your contact details including telephone number(s) and electronic contact such as email address
- For assessment and therapeutic work we also need your postal address and GP contact
When we collect personal information
We collect this information directly from you when we begin to organise workshops or therapeutic services for you, or in the case of staff and associates, when you begin to supply services on behalf of Beyond Psychology Ltd. Consent is always asked for when we do this.
We may also collect information about you from third parties; for example, if we need to gather information from other professionals (such as your GP or school) to provide a complete health assessment.
Why we need to collect information about you
So that we:
- Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest; more information about the criteria for this can be found on the ICO website.
- Can deliver services to you. The legal basis for this is the contract we have in order to engage with you; more information about the criteria for this can be found on the ICO website.
- Can process your payment for the services we provide. We use your banking details to process payments for our services. The legal basis for this is the contract we have with you.
- Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
- Optimise your experience on our website. The legal basis for this is a legitimate interest.
- Provide you with details about future events with us, our newsletter and useful and relevant websites or resources. The legal basis for this is legitimate interest.
How we use the information we collect
- To communicate with you so that we can inform you about your appointments with us, we use your name and the contact details provided by either yourself or a third party such as a social worker;
- To send reports and letters to you and the relevant professionals involved we use your name and email address;
- To create your invoice for payment for our services, we use your name and email address
Where do we keep the information?
We keep your information in the stores described below:
On our company computers and laptops: all the computers and laptops we use are password-protected and the hard drives are encrypted.
Your customer record and report: We use Microsoft Office 365 to store our customer records, notes and reports. This system is password-protected. Passwords are changed every 90 days and it is company policy that passwords are not shared. This system stores information in a data centre within the EU, and is GDPR compliant. We back up our electronic data weekly using an encrypted external hard drive that is kept in a locked filing cabinet away from our main business premises.
As a paper copy: We take handwritten notes when we meet you. These notes are used to create reports which are stored with any printed personal information or reports within a locked filing cabinet. Paper copies of documents are scanned and uploaded onto Office 365. Most paper copies are then shredded; those which have to be kept are held in a locked filing cabinet at our business premises. If papers have to be carried to client meetings, they are never out of sight of the therapist who is carrying them.
Email opt in/opt out
We may use your email address to send periodic email newsletters regarding our service and upcoming workshops and events. However, we will only do so if you have given us your permission. We keep your data until you inform us that you no longer wish to receive news from us. If you change your mind at a later date simply click on the word ‘Unsubscribe’ on the email newsletter.
Correcting, updating or removing personal information
Anybody attending Beyond Psychology Ltd may modify or remove any of their personal information at any time by contacting us directly using the contact details shown above. You can also request that we give you a copy of the data we hold on you.
Sharing and disclosure of information we collect
We only send your information to anyone involved in your care, or anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are password protected. Audio files may be sent by secure electronic means. Third parties receiving your information will be aware of the requirement for confidentiality and data protection, and will have processes in place similar to our own. We will never sell or trade your personal data or disclose your personal information to any third party unless we believe that disclosure is necessary in order to:
- Conform to legal requirements;
- Protect our rights;
- Protect the safety of members of the public or those using our services
We also send the details about your access to our website to our web analytics provider. They are based in the EU and are GDPR compliant.
How long do we keep your information?
We keep electronic invoices for seven years as this is the required length to comply with HMRC requirements. After seven years we delete the invoices from our electronic storage system.
We keep personal details for seven years after the end of assessment and/or therapy, as required by the British Psychological Society, the regulatory body for Psychologists.
How can you see all the information we have about you?
You can make a subject access request (SAR) by contacting the Data Protection Officer. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
How can you have your information removed from our system?
If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records or for safeguarding reasons. If we decide that we should delete the data, we will do so without undue delay.
What happens in case of a breach of privacy?
In the unlikely event of a breach in our privacy system, we will first act to stop the breach, and will then inform you if your information has been affected. If it is possible that your information has allowed someone to identify you, we will inform the Information Commissioner’s Office (ICO).
If your questions are not fully answered by this policy, please contact our Data Protection Officer (firstname.lastname@example.org). If you are not satisfied with the answers you receive, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.