Privacy Notice (updated 2024)
Gloucestershire Psychology Services Ltd is a company offering clinical psychological services. This privacy policy explains how we use any personal information we collect about you, as a past, present, future employee or associate, a service user (client or patient) or when you use our website.
Gloucestershire Psychology Services Ltd provides psychological services at different physical locations in Gloucestershire and remote services to individuals and organisations within the United Kingdom. This includes but is not limited to: psychological assessment, individual and group-based psychological therapies, training and consultation, staff wellbeing services, professional supervision and expert-witness court services. This privacy notice provides information about the personal information we process about you as a data controller, in compliance with the General Data Protection Regulation (GDPR) and good practice guidelines [1].
Gloucestershire Psychology Services Ltd and the independent affiliate therapists listed on their website are required by law to be registered with the Information Commissioners Office (ICO). Our ICO registration number is ZB689365. This register is an online public register of Data Controllers and visible for anyone to check. https://ico.org.uk
Please contact Dr Andrew Iles at [email protected] with any questions or requests about the personal information we process for clients and patients seen within Gloucestershire Psychology Services Ltd.
For any queries relating to data use for by our independent affiliate psychologists/therapists listed on our website, please contact them directly who will have their own data privacy policy and procedures.
1. What are your rights?
We are committed to protecting your rights to privacy. They include:
- Right to be informed about what we do with your personal data
- Right to have a copy of all the personal information we process about you
- Right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete
- Right to be forgotten and your personal data destroyed
- Right to restrict the processing of your personal data
- Right to object to the processing we carry out based on our legitimate interest
2. Why do we collect information about you?
We may collect information about you because you are a patient or client of ours. You may be an associate or employee. You might be a claimant who is part of a legal or litigation claim.
We process the data because it is in our legitimate interests as a clinical psychologist/psychological therapist or expert witness to do so. We need to see and analyse documents containing this information in order to provide our clinical services to you, to carry out an assessment or to deliver psychological intervention or to provide expert witness services.
Another lawful reason for us processing your data may be Legal Obligation. If we are processing “special category data” about you, this is our second lawful reason to do so. This is likely to apply if you are being assessed as part of a litigation claim.
As a client or patient of Gloucestershire Psychology Services Ltd, our lawful reason for processing “special category data” is that it is necessary for the purposes of the provision of health or social care or treatment.
If you are an employee or associate of Gloucestershire Psychology Services Ltd, we will have a contract with you, which will be our lawful reason to process your data.
Marketing
Our lawful grounds of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).
Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications (such as requesting a brochure and joining our mailing list) and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However you can still opt out of receiving marketing emails from us at any time. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by contacting us.
3. What information do we collect about you?
We collect information about you that may include personal or sensitive information, such as:
- First name or given name
- Family name or surname
- Address
- Telephone numbers/SMS
- Email address
- Date of birth
- Age
- Gender (or preferred identity)
- Relationships & children
- Occupation
- Next of kin/ Emergency contact details (name, address, relationship to you, e-mail/telephone number)
- Video conference ID (if online therapy)
- GP contact details
- If you are referred by your health insurance provider, solicitor, rehabilitation company or other health-related agency, then your therapist will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment.
To make sure that you are assessed and/or treated safely and appropriately, we record your personal information, such as your name, address, as well as all contacts you have with the company such as appointments and the results of assessments and letters relating to your care/report. Your data is kept confidential within the company at all times and is only shared with staff when they need it to carry out their job – such as our administrative staff.
We also process personal data pursuant to our legitimate interests in running our business such as:
• Invoices and receipts
• Accounts, VAT and tax returns
Patients/Clients (Therapy or private assessment)
When you are a patient or client of Gloucestershire Psychology Services Ltd, we record all your treatment and details of your appointment so that your clinician can plan your treatment correctly. In addition to the personal information above, we may also collect information regarding:
- Medical conditions (if relevant)
- Prescribed medication
- Psychological history and current difficulties
- Sexuality
- Offences (including alleged offences)
- Financial information, including bank account details (if you are a private patient/client of Gloucestershire Psychology Services Ltd.)
We may collect some of this information from your insurance company if you have one, and some of this information will be collected directly from you.
Clients undertaking Court Reports
In the case of a court report we retain the information as required by the courts or your solicitor.
In addition to the personal information above, we may also collect information regarding:
- Medical conditions (if relevant)
- Prescribed medication.
- Psychological history and current difficulties.
- Sexuality
- Offences (including alleged offences)
We may be given some of this information from your solicitor or the party instructing us for the purposes of litigation, and some of this information will be collected directly from you.
In many cases, an individual has consented to the transfer of their personal data to us. Where an individual has consented, they may easily withdraw it by notifying Dr Andrew Iles at [email protected]
Job applicants, current and former employees and associates
When individuals apply to work at Gloucestershire Psychology Services Ltd, we will only use the information you supply to us to process your application and to monitor recruitment statistics. Data that we collect about you, in addition to the above, may include:
- Pay and bank details, pay slips
- Curricula vitae, contracts of employment, references and appraisals
- Health information ( in reliance on the occupational health exemption contained in the Data Protection Act 2018)
Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service we will not do so without informing you beforehand unless the disclosure is required by law.
Web access collection of information
We collect information about you when you register with us or place any order for services. We also collect information when you voluntarily complete contact forms. Gloucestershire Psychology Services Ltd always tries to minimise the amount of personal information that we require in order to provide a specific service or feature.
Use of CCTV
Your therapist may offer appointments at sites which use CCTV. This is to provide a safe and secure environment for clients, staff and to safeguard property. CCTV images may be used to assist in the prevention and detection of crime. Images may be shared with the Police for the investigation of crimes.
4. How do we store the information about you?
We take your privacy very seriously.
We are committed to taking reasonable steps to protect any individual identifying information that you provide to us. Once we receive your data, we make best efforts to ensure its security on our systems.
All personal information provided is stored in compliance with EU General Data Protection Regulations (GDPR) rules.
Personal information is minimised in phone and email communication. Sensitive personal data will be sent to clients using e-mail services which are GDPR compliant (which means that the content of emails is encrypted from user to user). Any sensitive data attached in an email attachment will be password protected. Email applications use private (SSL) settings, which encrypts email traffic so that it cannot be read at any point between our computing devices and our mail server. Your therapist will never use open or unsecure Wi-Fi networks to send any personal data.
Where possible, all personal information is stored in a secure cloud service offering high levels of security which is GDPR compliant with two-factor authentication security. Personal information may be stored on an office computer. These are password protected (entry password). Malware and antivirus protection is installed on all computing devices. Mobile devices are protected with a passcode/thumbprint scanner, mobile security and antivirus software.
5. How long do we keep your information for?
We do not keep your data for longer than is necessary.
Administrative data is retained for up to six years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible. After this time, this data is carefully disposed of at the end of each calendar year. Some records may be held indefinitely if there were any issues of concern that could lead to police investigation in the future.
Patients/Clients (therapy or private assessment)
Mental health records are subject to special legislation e.g. adult records are kept for 6 years after the last contact with the service. This benchmark will be applied to all clinical records made in the process of engagement with our therapy. For any children we treat we are obliged to retain medical information until 7 years after the child’s 18th birthday. After this time, this data is carefully disposed of at the end of each calendar year.
Clients undertaking Court Reports
Personal data in legal cases is retained, where necessary, for 6 years in compliance with our professional indemnity obligations. Where this is not necessary, it is destroyed on the conclusion of the case. After this time, this data is carefully disposed of at the end of each calendar year.
Job applicants, current and former employees and associates
Personal information about unsuccessful job candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. Once a person has taken up employment with Gloucestershire Psychology Services Ltd, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment.
Personal data relating to employees who have left our employment is retained for up to six years as necessary. This is the time limit for bringing a breach of contract claim. In some case we destroy it as soon as the employee leaves. After this time, this data is carefully disposed of at the end of each calendar year.
6. Who do we share your personal information with?
Your information is kept confidential within the Company at all times and is only shared with staff when they need it to carry out their job. All staff are required to work to strict professional and contractual codes of confidentiality and where possible we will anonymise information so that individual patients cannot be identified.
If we become aware of your intent to cause harm to another person/organisation (e.g. terrorism), the law may require that we inform an authority without seeking your permission. In such a situation, the law may require that we share your personal information without your knowledge.
By contacting the Information Security Officer, by email and/or using the address below you can also get more details on:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
- our instructions to staff on how to collect, use and delete personal data; and
- how we check that the information we hold is accurate and up to date
Special category data and personnel files held electronically are encrypted with restricted access. We do not collect or store special category or other personal data other than electronically – we do not hold this information as hard copies.
Patients/Clients (Therapy or private assessment)
In many circumstances we will not disclose personal data without consent.
Your information may be shared with outside organisations if they are directly involved in your care/case, for instance, your insurer if they are funding your treatment, your GP, or others involved in your care. We will discuss with you who we would discuss your care with, and what details we would share with them.
If you are referred by your health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then your therapist will share appointment schedules with that organisation for the purposes of billing. They may also share information with that organisation to provide treatment updates.
In cases where treatment has been instructed by a solicitor/rehabilitation company, relevant clinical information from therapy records will be shared with legal services as required and with your written consent. Your therapist will share appointment schedules with that organisation for the purposes of billing. They may also share information with that organisation to provide treatment updates
If your health is in jeopardy (with your agreement) we may share your contact information with an emergency healthcare service (e.g. GP or Mental Health Crisis Team).
However, when we investigate a complaint we may need to share personal information with other relevant bodies.
If we do need to share your information, we will always try and ask for your permission for this. We may not be able to ask your permission under special circumstances where we are legally required to do so.
In exceptional circumstances, your therapist might need to share personal information with relevant authorities:
- When there is need-to-know information for another health provider, such as your GP.
- When disclosure is in the public interest, to prevent a miscarriage of justice, to prevent or detect a serious crime, or where there is a legal duty, for example to comply with a Court Order.
- When the information concerns risk of harm to the client, or risk of harm to another adult or a child (safeguarding concerns). Your therapist will discuss such a proposed disclosure with you unless they believe that to do so could increase the level of risk to you or to someone else.
- Your therapist will never use your personal information for marketing purposes or send you marketing materials without your explicit consent.
Clients undertaking Court Reports
We share personal data internally strictly on a need to know basis.
We do not share personal data with anyone external to the organisation, other than with:
- Those who have instructed us as an expert witness
- Outsourced service providers such as photocopying companies and digital dictation services, pursuant to GDPR compliant written contracts where required
- With others pursuant to a court order
7. How you can access your information and correct it, if necessary?
Gloucestershire Psychology Services Ltd tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ or ‘Right of Access’ under the Data Protection Act and the General Data Protection Regulation. We will then supply to you:
- A description of all data we hold about you
- Inform you how it was obtained (if not supplied by you)
- Inform you why, what purposes, we are holding it
- What categories of personal data is concerned
- Inform you who it could be disclosed to
- Inform you of the retention periods of the data
- Inform you around any automated decision making including profiling
- Let you have a copy of the information in an intelligible electronic form unless otherwise requested.
To make a request to Gloucestershire Psychology Services Ltd for any personal information we may hold you need to put the request in writing. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate, please address these changes to the Information Security office, via “How to contact us”.
- Your therapist will usually respond to your request for information with you within 30 days of receiving a request.
- Your therapist may request further evidence from you to check your identity.
- A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy).
- You have a right to get your personal information corrected if it is inaccurate.
- You can complain to a regulator. If you think that your therapist has not complied with data protection laws, you have a right to lodge a complaint with the Information Commissioner’s Office.
- In the event of death or incapacity of the therapist, arrangements have been made for records to be held by a named professional colleague who will continue with the above obligations
- Your therapist reserves the right to refuse a request to delete a client’s personal information where this is therapy records. Therapy records are retained for a period of 6 years in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000)[1] and The Health and Care Professions Council (HCPC; 2017)[2].
- Occasionally it could take longer than 30-days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Clients undertaking Court Reports
If your concern is related to a case with a solicitor that we are working for, please refer the queries through them. We may not be able to comply with a request to correct information we hold about you where it pertains to a litigation claim – this would need to be discussed with your solicitor.
8. Complaints or Queries
Gloucestershire Psychology Services Ltd tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. If you do have a complaint, contact the Data Protection Officer who will investigate the matter on your behalf.
For any queries relating to data use for by our independent affiliate therapists listed on our website, please contact them directly who will have their own data privacy policy and procedures.
If you are not satisfied with the response from Gloucestershire Psychology Services Ltd or believe we are not processing your personal data in accordance with the law you have the right to raise your complaint with the Information Commissioner’s Office (ICO):
Contact information for ICO:
Website: https://ico.org.uk/concerns/
Email: [email protected]
Telephone: +44 (0) 303 123 1113
9. Who we are and how to contact us
Gloucestershire Psychology Services Ltd is the company that you are supplying your personal information to. The company Chief Information Security Officer (Dr Andrew Iles) is the Data Protection Officer and can be contacted by:
Post:
Information Security Officer
Gloucestershire Psychology Services Ltd, Southgate House, Southgate St, Gloucester, GL1 1UB
Email: [email protected]
[1]The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.
[2]Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.