Who we are and what we do
The Norfolk Psychological Therapy Partnership (“us”, “we”, or “our”) operates the Norfolk Psychological Therapy Partnership website (the “Service”). Our Service specialises in providing psychological assessment and NICE recommended treatments to clients for a range of common psychological issues. Although we need to collect and hold certain personally identifiable information in order to deliver our services to you, we are committed to protecting and respecting the privacy and security of your personal data. This policy provides you with an overview of how we comply with the General Data Protection Regulation (GDPR) with regard to the collection, use and disclosure of Personal Information when you use our services.
Information Collection and Use
If you contact us by telephone, email, website, or other means, we may hold a record of that communication. Further to this, when you choose to use our Service, we may ask you to provide us with certain personally identifiable information (“Personal Information”) that can be used to contact or identify you. Your personal information is collected in accordance with the GDPR and clinical confidentiality guidelines set out by our governing bodies BPS, HPC and BABCP, and may include, but is not limited to, the following:
- Full name and title
- Phone number
- Online ID number for use of Skype/Zoom
- Date of birth
- GP name and contact details
- Next of kin
- Significant physical or mental health details you have made us aware of, including medication
- Record of appointment dates and attendance
- Your reasons for contacting us
- General correspondence from or to you about your case
- Completed questionnaires and scores
- Session notes
- Therapy diagrams
- Correspondence from third parties about your care e.g. healthcare professionals, insurance company if they referred you to our service
- Mobile communications from or to you as well as from you or others about your care
- Audio or video recordings of sessions
- Consent forms
- Amount and date of payments for our financial records
- We collect information that your browser sends whenever you visit our website. This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.
- Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive. We use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
By providing us with this information you are giving your consent for us to use this data in order to contact you following your enquiry; respond to any questions, issues or complaints you may have; provide and tailor our services to your needs; enable us to carry out our contractual obligations to you; enhance our security measures; process payments and refunds; and improve our service by gaining your feedback on the service you have received.
How long we keep your information for
We will always retain your personal information in accordance with the GDPR. We are required by law to keep your clinical records for a period of 7 years after our last contact with you, at which point they will be securely deleted/shredded.
Who we may share your data with
We may share your personal Information with others in the following circumstances, but we will make sure you are aware of this:
- Healthcare professionals involved in your case.
- Your GP provided you give us consent to do so.
- Where required to do so by law, or subpoena. We will always attempt to inform you if we are under legal obligation to share information. Under rare circumstances we have a statutory obligation to break confidentiality, namely if we believe that a client is a danger to themselves or others under the Mental Health Act 2007, if we believe that a child is at risk of significant harm under the Children’s Act section 47, 1989, or if required to do so for the prevention, detection or prosecution of a crime. In these instances we will contact your GP and/or relevant authorities.
- Professionals are required to participate in formal supervision as part of their commitment to good practice operating under the duty of confidentiality. This duty extends to their supervisor/s. Formal supervision involves discussing client details with the supervisor; however, this will always be done anonymously. Further to this, notes taken in supervision sessions are confidential and full names will not be used.
- We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used. These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. We will not pass your information on to others for commercial purposes, unless you have given us your written consent to do so.
Your Rights Over Your Personal Information
A summary of the rights you can exercise over your personal information under GDPR can be seen below:
- The right to be informed if your personal data is being used
We must inform you if we are using your personal data.
- The right to get copies of your data
You have the right to ask us whether or not we are using or storing your personal information. You can also ask us for copies of your personal information. This is called the right of access and is commonly known as making a subject access request or SAR. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will aim to do so free of charge within 30 days from when your identity has been confirmed.
- The right to get your data corrected
You can challenge the accuracy of personal data held about you by us, and ask for it to be corrected or deleted. This is known as the ‘right to rectification’. If your data is incomplete, you can ask us to complete it by adding more details.
- The right to get your data deleted
The right to get your data deleted is also known as the ‘right to erasure’. You can ask us to delete the data we hold for you.
- The right to limit how organisations use your data
You can limit the way we use your personal data if you are concerned about the accuracy of the data or how it is being used.
- The right to data portability
You have the right to get your personal data from us in a way that is accessible and machine-readable. You also have the right to ask us to transfer your data to another organisation. We must do this if the transfer is, as the regulation says, “technically feasible”.
- The right to object to the use of your data
In certain circumstances, you have the right to object to us processing (using) your personal data.
- Rights in relation to automated decision making and profiling
When decisions are made about you without people being involved, this is called ‘automated individual decision-making and profiling’ or ‘automated processing’, for short. In many circumstances, you have a right to prevent automated processing.
- Your right to raise a concern
You have the right to be confident that we handle your personal information responsibly and in line with good practice. If you have a concern about how we have handled your information, please let us know.
For more information about your privacy rights, please visit The Information Commissioner’s Office (ICO), which regulates data protection and privacy matters in the UK: https://ico.org.uk/for-the-public
The security measures we have taken to protect your personal information include:
- Ensuring that written consent for sharing information is always obtained.
- Access to personal data of clients is restricted to those who are required to access it.
- Computers, phones and portable data storage devices are password protected.
- Computers are fitted with protection against malicious software, including firewalls and anti-virus protection.
- The personal information we hold on you physically is secured in locked storage when not in use.
- The personal data we hold for you electronically is password protected and, where possible, encrypted.
- Ensuring that personal data shall not be transferred to a country or territory outside of the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection in accordance with Data Protection Laws.
- Securely destroying confidential information once the time period for retention has lapsed.
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. In the unlikely event of data being lost or compromised, we will tell you what has happened, unless you have stated that you do not wish to be contacted by us.
Links To Other Sites
We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.