How we use, store and transmit personal data
This notice provides information
about how we collect, store and communicate personal data relevant to the
assessment and treatment of our clients. The following details explain how your
data is securely managed and your rights when your data is being processed by
us.
Our Privacy Standards
Our privacy standards are compliant
with the principles of the UK General Data Protection Regulation (GDPR). We are
registered with the Information Commissioner’s Office (ICO) under the Data
Protection Register, our ICO registration number is ZB500539.
Data Control
Sevenoaks CBT Ltd. Is the
data controller for all information it holds about its clients, associates and
staff. This includes the registered company domains of www.sevenoakscbt.com, www.goodcbt.com and www.eiretherapy.com.
You can contact the Data
Protection Officer (DPO) by emailing
Glossary of Terms
The following list of terms
are used to describe what data we hold and how this data is processed:
Therapy Notes; anonymised
notes securely kept by your therapist to support continuity and progress
through the therapeutic process.
Consent; Freely given,
specific, informed and explicit consent by statement or action by the patient,
staff member or any person signifying agreement to the processing of their
personal data.
Controller; The Natural or
legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal
data.
Processor; A natural or legal
person, public authority, agency or other body which processes personal data on
behalf of the controller.
Data Subject; Any individual
we deal with such as a client, patient, therapist or Doctor whom the particular
personal data is about.
Data Protection Officer
(DPO); A named individual who takes responsibility for the policies and
procedures set forth in the GDPR.
Personal Data; Any
information relating to an identifiable person who can be directly or
indirectly identified in particular by reference to an identifier.
Processing; Any operation
performed on personal data, whether or not by automated means, including
collection, use, recording, etc.
Right to be Forgotten (RTBF);
Also known as 'right to erasure'. Entitles the data subject to have the clinic
erase his/her personal data, cease further dissemination of the data, and
potentially have third parties cease processing of the data.
Why We Maintain Personal Data
We collect and maintain a
record of data submitted by our clients to:
Book appointments, usually by phone, text
or email.
Provide written information about
assessment and treatment to clients and their authorised representatives.
Ensure that professionals involved in the
provision of treatment have accurate and up-to-date information.
Investigate concerns or formal complaints.
Your Data Record
We have a duty to:
Maintain accurate records of the therapy
we provide to you.
Ensure that your records are confidentially
and securely stored.
Provide a copy at your request in an
accessible format.
Your record may include some
or all of the following:
Your name, email, contact number, postal
address and date of birth.
Contact we have had with you, such as
enquiries made via a website or confirmed appointments.
Therapy notes, test results and reports
kept by the relevant therapist.
Relevant information from referrers such
as health professionals or relatives.
Identifying You as an
Individual
We sometimes have patients
with similar names so it is important for all patients to be properly
identified as individuals. In order to be sure that you have been correctly
identified we may ask you for a number of pieces of information. Relevant data
items include:
Full name.
Date of birth.
Permanent address.
Email address.
Contact number.
Presenting problem or reason for
treatment.
How Sevenoaks CBT Ltd.
Uses Your Contact Details
Contact information is
normally collected at the assessment stage or submitted directly by clients via
our website. We take your privacy seriously so please let us know if you have
any specific contact instructions.
Telephone:
If you provide a mobile phone
number: we may call, leave messages or text. inform us if you do not want us to
do so. If you provide a landline: we may leave a message, please inform us if
you do not want us to do so.
Email:
If you provide us with your
email address, we may use it to send confidential information, unless you have
instructed us not to do so. Please read the following before providing us with
your email address.
Email
Encryption
For the purpose of sending
sensitive and confidential information such as referrals, appointment
confirmations and test results we use industry standard SSL encryption. Written
assessment reports are also sent via the Egress platform to provide additional
data security.
Important Information
About Email Usage
Email contact provides a
quick and convenient means of communication. Whilst information sent by email
or submitted by clients using our website contact forms is encrypted to
industry standards, email is not a completely secure method of communication.
Whilst
you can use email to contact our main office or your designated therapist, you
should not:
Provide more personal information than we
need to process your request.
Ask us to send you personal details that
you would not want seen by other people.
Share highly confidential or sensitive
data that could be intercepted or viewed by other people.
If you have an urgent question or feel at
risk after going home after treatment contact an emergency service e.g.
111 NHS emergency service or 999 for life threatening conditions by
telephone, do NOT email Sevenoaks CBT Ltd. in an emergency.
How Your Records are
Kept
Our guiding principle is that
we hold your records in strict confidence. We use appropriate technical and
organisational measures to ensure this. Sevenoaks CBT Ltd. is registered under
the Data Protection Act 2018. It abides by the law and observes good practice
in maintaining confidentiality and appropriate information security. We will
fulfil our obligations to the fullest extent, including ensuring that the following
8 principles governing the processing of personal data are observed:
Personal data shall be processed fairly
and lawfully.
Personal data shall be obtained only for
specified and lawful purposes and shall not be processed in any manner
incompatible with those purposes.
Personal data shall be adequate, relevant
and not excessive in relation to the purposes for which it is processed.
Personal data shall be accurate and where
necessary, kept up to date.
Personal data shall be kept for no longer
than is necessary for the purposes for which it is processed.
Personal data shall be processed in
accordance with the rights of data subjects under the Act.
Personal data shall be subject to
appropriate technical and organisational measures to protect against
unauthorised or unlawful processing and accidental loss, destruction or
damage.
Personal data shall not be transferred to
a country or territory outside the European Economic Area unless that
country or territory ensures an adequate level of data protection.
How Long Your Data May Be Retained
Information about you and the
services you receive may be held in written and electronic formats and will be
kept for the specific retention periods outlined by the relevant professional
bodies. Data held on paper or disk will be processed in accordance with the
Data Protection Act and destroyed using secure documented procedures after the
time periods set out by the Department of Health.
How Your Records are
Used
We use your records to:
Ensure that any treatment or advisory
services we provide to you are based on accurate information.
Send a letter about your care to your GP
or other health professional unless you tell us not to do so.
Work effectively with other services
providing you with treatment or advice.
Monitor the quality of our care and help
us to understand the outcomes of therapy.
Investigate any relevant concerns or
complaints you or your family have.
Provide information that is needed for
financial transactions in relation to payment for treatment, such as
billing. For private patients this may include details shared with your
insurance company. If you have any concerns about this, please contact your
insurance provider.
Passing Your Intake
Information to a relevant Designated Therapist
Associate therapists are
members of our wider team and are checked for relevant training, experience,
qualifications, accreditation status and professional indemnity. Our associate
therapists are self-employed, however they are required to strictly comply with
our service conditions and practice standards.
When your personal intake
data is passed to your designated therapist, direct responsibility for the
secure maintenance of your personal information is transferred to this
therapist. Once your data has been transferred, your therapist takes direct
responsibility for all data control matters relating to your treatment and
communication with you. This helps to ensure that your information is not
shared more widely within our team and that only your designated therapist has
access to your personal data.
We may retain your contact
information to assist in future enquiries, however any personal or sensitive
data will be deleted or redacted from our records within four weeks of your
transfer to a member of our associate therapist team.
The designated associate
therapist is required to comply with the standards laid out in the GDPR and
maintain the principles outlined in this privacy statement.
We may also share information
that identifies you where:
You ask us to do so.
We ask for specific permission and you
agree to this.
We are required to do this by law.
We have special permission because we
believe that the reasons for sharing are so important that they override
our obligation of confidentiality (e.g. to prevent someone from being
seriously harmed).
Sevenoaks CBT Ltd. will not
provide client information to other organisations except under the
circumstances described in this privacy notice.
Sharing information
with Other Healthcare Professionals and Family
You must specifically name
other people, with whom you would like us to share information about you. We
make best efforts to ensure that information provided over the telephone is
restricted to those you have named and we share on a need-to-know basis.
Sometimes this means refusing to disclose information about you to someone who
feels they should know about your treatment and progress. Please make your
family and friends aware of this.
Special Situations
Sometimes we have a legal
duty to provide information about people;, e.g. where personal risk is a factor
and when a court order instructs us to do so. Records may also be shared
without the patient's consent in exceptional situations, such as to safeguard
adults or children.
Sharing Your Records
Outside the UK and European Economic Area:
If your permanent address is
outside the UK / EU, or your treatment is continuing outside the EU, we may
send details of your treatment to individuals based outside the UK or EU
specifically to promote your ongoing care. This would normally be the doctor
who referred you to us for treatment. If you wish, we can give you the
documents so that you have physical control over this information.
In the usual course of our
business, we may use third parties to process and store your data on our
behalf. We normally store your data on secure servers in the European Economic
Area (EEA). Such processing is subject to contractual restrictions with regard
to confidentiality and security in addition to the obligations imposed by the
Data Protection Act 2018.
Exceptionally we may use
suppliers who are based outside the EEA for transmitting or storing data such
as emails. We have strict controls over how and why your data can be accessed.
By submitting your personal data, you agree to this.
How Can I Stop My
Information From Being Shared?
If you do not want us to
share your information with your GP, other healthcare providers or carers,
please tell your designated therapist. But please note that not sharing your
information may affect the care that can be provided for you.
You have the right to request
that your confidential information is not used beyond your own care and
treatment and to have your objections considered. Where your wishes cannot be
followed you will be told the reasons including the legal basis. You may at any
time withdraw any consent you have previously given Sevenoaks CBT to process
information about you.
If you wish to exercise your
right to opt-out, withdraw consent to use your information, or to speak to
somebody to understand what impact this may have, please discuss your concerns
with your therapist.
Your Legal Rights
You have the right to
confidentiality under the Data Protection Act 2018 (DPA), the Human Rights Act
1998 and the Common Law Duty of Confidentiality. The Equality Act 2010 may also
apply.
Where your data is processed
on the basis of your consent, you have the right to request the erasing of your
data under the policy Right to Erasure (‘right to be forgotten’).
You have the right to know
what information we hold about you, what we use it for and if the information
is to be shared, who it will be shared with.
You have the right to apply
for access to the information we hold about you. Other people can also apply to
access your health records on your behalf. These include anyone authorised by
you in writing (such as a solicitor), or any person appointed by a court to
manage your affairs where you cannot manage them yourself.
Access covers:
The right to obtain a copy of your records
in permanent form;
The right to have the information provided
to you in a way you can understand and explained where necessary, for
example where abbreviations have been used.
You would not be entitled to
see information that:
Has been provided about you by someone
else if they haven’t given permission for you to see it.
Identifies another person who has not
given permission for you to see the information about them.
Relates to criminal offences.
Is being used to detect or prevent crime.
Could cause physical or mental harm to
you or someone else. If you are currently receiving services from us and
wish to view the record without obtaining a copy, discuss your request
with the therapist providing your care.
Obtaining a Copy of
Your Record
If you wish to apply for
access to the information we hold about you. Please note:
You should send your request in writing to
the Sevenoaks CBT DPO via
You should provide enough information to
enable us to correctly identify your records, for example include your
full name, address, date of birth.
We will take every reasonable step to
respond to you within 40 days of receiving your request.
You may be required to provide a form of
ID before any information is released to you. Once you receive your
records, if you believe any information is inaccurate or incorrect, please
inform us.
Whilst we appreciate that the
information provided in this privacy statement is detailed and complex, we wish
to reassure all of our clients that we will not share Personal Data with third
parties for commercial or marketing purposes. We undertake that our systems are
managed on a secure and confidential basis and we always work in the service of
our clients needs.
This site was created with the Nicepage