The Edinburgh Practice Privacy Policy
Updated December 2021
The Edinburgh Practice is committed to the protection of client data. We are
registered with the ICO and all handling of clients’ personal data is done
in line with the terms of the General Data Protection Regulation, known as
GDPR. This recently revised Privacy Policy aims to give you more information on
the data we hold on you, what we do with that data, whom we share your data
with and your rights under GDPR.
The Edinburgh Practice uses the information we collect in accordance with all
laws concerning the protection of personal data, including the Data Protection
Act 1998 and the GDPR 2018. As per these laws, The Edinburgh Practice is the data
controller; if another party has access to your data, we will tell you if they
are acting as a data controller or a data processor, who they are, what they
are doing with your data and why we need to provide them with the information.
Introduction
The Edinburgh Practice needs to gather and use certain information about clients
and prospective clients in line with the information contained in our referral
forms. This policy describes how this personal data is collected, handled and
stored to meet the company’s data protection standards – and to comply with the
law.
What data we gather
We may collect the following information to enable us to work with you safely and effectively,
and to enable the efficient dissemination of appointment reminders and invoicing:
- Name and address (postal and email)
- Date of birth
- Phone number
- Email correspondence
- GP details
- Details of private health insurance policies (where relevant)
- Bank details
During the course of initial contact and then subsequent treatment and therapy, we
will inevitably also collect a significant amount of other personal data
relevant to assessing and treating your presenting psychological and
psychiatric difficulties. This is to enable us to offer you the service you
have sought from us.
How we use this data
Collecting this data helps us:
- Contact you to set up assessment and therapy appointments
- Link you up with an appropriate clinician
- Conduct a thorough psychological or psychiatric assessment
- Devise and implement an effective treatment plan (therapy)
- Invoice for the services rendered
- Communicate (when necessary and agreed with you) with relevant third parties to support your treatment and manage risks
Controlling information about you
Any personal information we hold about you is stored and processed under our data
protection policy, in line with The Data Protection Act 1998 (in force on the
date this statement became operational) and the General Data Protection
Regulation (Regulation (EU) 2016/679) adopted on 27th April 2016 and
enforceable from the 25th May 2018.
Your data will be kept for the lifetime of your status as a client with us. When you
cease to be a client with us, your data will be kept for a minimum period of
seven years, and a maximum period of ten years in accordance with General
Medical Council guidelines. If you are a child, your data will be retained
until 7 years after your 18th birthday.
You have the right to ask for your data to be deleted but The Edinburgh Practice
does not have to comply with this request if there is a legitimate reason for
continuing to retain this data, for example possible future legal
requests.
The Edinburgh Practice has the right to retain your data for the minimum seven-year
period so that it can respond effectively to any questions or complaints that
may later be raised by you and/or your representatives. This is in line with
best practice guidance.
The Edinburgh Practice keeps electronic invoices for seven years as this is the required
length to comply with HMRC requirements. After seven years we delete the
invoices. Our accountant is based in the UK and all their computer systems are
in the UK.
Security
We will always hold your information securely:
- All client files and therapy notes are uploaded and kept securely in our practice management software systems.
- Access to your personal information is restricted on a ‘need-to-know’ basis only, i.e. for those concerned directly with your care and with your account. A non-disclosure agreement is in place with our accountants who have access to The Clarify Group Ltd Bank Statements and therefore bank account details and personally identifiable information.
- Data is backed up daily.
- We use personal computers that are located on our business premises. The computers are password protected and the hard drives are encrypted. Passwords are changed every 90 days and it is company policy that passwords are not shared.
To prevent unauthorised disclosure or access to your information, we have implemented
strong physical and electronic security safeguards. In the unlikely event of a
data protection breach we will notify the Information Commissioner’s Office (ICO)
so that their procedures can be followed. We will also notify
all individuals whose data may have been accessed to alert them to the
breach and any potential risks.
Data accuracy
Should any personal data change during the course of your contact with us,
for example if you move, change GP practice or change your name, we would
be grateful if you could notify us at the earliest opportunity so we can ensure
our records are up to date.
Please contact our Data Protection Officer, Dr Fiona Wilson, if you wish to update the
accuracy of the personal data we hold about you. We may require additional
verification that you are who you say you are to process this request. If you
wish to have your information corrected, you must provide us with the correct
data and after we have corrected the data in our systems we will send you a
copy of the updated information.
Subject access requests
All individuals who are the subject of personal data held by The Edinburgh Practice
are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed of how to keep their data up to date.
- Be informed of how the company is meeting its data protection obligations.
If you would like to request a copy of the data we hold about you, this is called
a subject access request. Subject access requests should be made in writing or by
email to the Data Protection Lead, Dr Fiona Wilson. We will aim to provide the
relevant data within 30 days. We will always verify the identity of anyone
making a subject access request before handing over any information. We
may withhold such personal information to the extent permitted by law. In
practice, this means that we may not provide information if we consider that
providing the information will violate your vital interests.
Disclosing data for other reasons
In certain circumstances the Data Protection Act allows The Edinburgh Practice to
disclose data (including sensitive data) without the data subject’s consent.
These circumstances include:
- Carrying out a legal duty
- Protecting vital interests (for example safety) of a Data Subject or other person
- If the data subject has already made the information public
- Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- Providing a confidential service where the data subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill data subjects to provide consent signatures.
Under these circumstances, The Edinburgh Practice will disclose relevant data.
However, we will take all reasonable steps to notify the individual
whose data is being disclosed about the disclosure. We will also ensure
that any such data request is legitimate, reasonable and necessary.
Risk Issues
Anything discussed during a consultation is strictly confidential and will not be passed
on to third parties without the explicit permission of the client. Please note
that due to the nature of psychological and psychiatric assessment, therapy,
and treatment, there are two exceptions to this rule: (1) under the
professional’s Duty of Care we are obliged to contact the relevant services if
we believe that the client is in immediate danger of harming themselves or
others (the clinician will aim to inform the client of this prior to the
disclosure); (2) mental health professionals are required by their accrediting
bodies to undertake regular professional supervision. This involves the
discussion of the professional’s caseload with a supervisor and ensures
standards and best practice are being met.
Receiving communications from The Edinburgh Practice
The Edinburgh Practice will not send you any marketing emails. We will only contact you for
administrative or clinical reasons relating to the care which you are receiving
or have received at the practice.
When submitting your completed referral form to access our services, you will be
asked on the form to indicate your preference for contact, which will be duly
noted, and you have the opportunity when completing this form to opt in to
receive appointment reminders via email.
Inbound related Correspondence
The Edinburgh Practice has a strict policy of maintaining confidentiality for all inbound
information received via email, telephone or writing from third parties.
Communication between The Edinburgh Practice employees or self-employed
clinicians to third parties is held in accordance with GDPR guidelines. More
information on how we hold this information can be found here.
For Further Information
If your questions are not fully answered by this policy, please contact our Data
Protection Officer (Dr Fiona Wilson). If you are not satisfied with the answers
from the Data Protection Officer, you can contact the Information
Commissioner’s Office (ICO) https://ico.org.uk.
This statement is updated annually and was last updated on the 6th of December 2021.
If you have any questions about this policy, please email [email protected]