Forth Psychological Services takes your privacy seriously and only uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) 2016. As per these laws, Dr Kathryn Quinn and Dr Eimear Coyle are known as the data controllers for Forth Psychological Services.
Forth Psychological Services aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected.
This policy describes the information that Forth Psychological Services collects and how we manage information when you use our services or you contact us. This information includes personal and financial information as defined in the General Data Protection Regulation (GDPR) 2016.
1. Why do we need to collect your personal data?
We need to collect information about you for the purposes outlined below. We will only collect information about you for reasons of legitimate interest, or where there is a legal basis for doing so:
- To know who you are so that we can communicate with you in a personal way.
- Deliver a service to you under the terms of an agreed clinical contract.
- Verify your identity so that we can be sure we are dealing with the right person.
- Contact you, should we need to share information. As outlined in our terms and conditions, we would only do this where there is a concern regarding a risk of harm to you or others or under other specific circumstances as outlined in this policy.
2. What personal information do we collect and when do we collect it?
- Your name and your contact details including a postal address, telephone number(s) and electronic contact such as email address.
- Information required to deliver a clinical service to you under the terms of an agreed clinical contract (for example, background history).
- We may also collect information about you from third parties if we need to gather information from another health professional (such as your GP or Psychiatrist) to provide a complete health assessment. We would only do this with your consent.
3. Use of your personal information.
We use the data we collect from you in the following ways:
- To communicate with you so that we can inform you about your appointments with us, we use your name and your contact details such as your telephone number, email address or postal address.
- To deliver the correct service to you we use your name, your contact details and the details gathered at your initial assessment appointment.
- Like most websites, our website uses Google Analytics (GA) to track user interaction.
- We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to track their journey through the website.
- Although GA records data such as your approximate geographical location, device, internet browser and operating system, none of this information personally identifies you to us.
- Google Analytics also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this nor do we seek to gain access to this information. We consider Google to be a third party data processor.
4. Where do we keep your personal information?
Data in transit (this is when files are being uploaded to the cloud).
- All electronic information we collect is uploaded to a secure cloud storage service that uses 256-bit encryption.
- Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of customer content. While BitLocker encrypts all data on a disk, per-file encryption goes even further by including a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. Before they’re stored, the keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across a number of containers throughout the datacenter, and each container has unique credentials. These credentials are stored in a separate physical location from either the content or the content keys. File-level encryption at rest takes advantage of blob storage to provide for virtually unlimited storage growth and to enable unprecedented protection.
- We do not hold any files or personal information on you on any personal computer hard drives.
- A locked filing cabinet in a secure office: During therapy appointments we are required to record relevant information that you provide to us. We do this by taking handwritten notes during sessions which are stored in a physical file. We may use this information to create a report, should you or your insurance provider request it. Your psychology therapy notes/file are securely stored in a locked filing cabinet.
5. How long do we keep your personal information?
- We retain your psychology file/notes for 6 years in accordance with guidance issued by our professional body, The British Psychological Society. After this time, we shred your file/notes and delete any electronic copies of reports relating to you.
6. Who do we send your personal information to?
- We send your report to you or to anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are password protected.
- We send reports to other health care providers when requested by and authorised by you or in other specific circumstances as detailed in our Clinical Contract.
- Our website is hosted in data centres in the United States. The website platform we use complies with the EU-US Privacy Shield Framework and the Swiss-US privacy shield framework as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union to the United States, and therefore adheres to the Privacy Shield Principles. The website platform we use will therefore be compliant with GDPR from May 2018.
- All traffic (transfer of files) between our website and your browser is encrypted and delivered securely using HTTPS protocol.
- We use Gmail as our email client. Gmail is a secure and encrypted email service and is fully GDPR compliant. We will always ask you to email us at your initial contact so we have the correct email address for us to correspond with you.
- We use Skype for some of our therapy sessions. Skype is a Microsoft application and complies with the EU-US Privacy Shield Framework and the Swiss-US privacy shield framework as set forth by the U.S. Department of Commerce. For more information regarding Microsoft's specific GDPR policy please visit https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
8. Payments and payment related information.
- PayPal process payments for most of the services we provide. We do not retain any financial information you may submit as part of the payment process. PayPal state ‘We monitor every transaction, 24/7 to prevent fraud, email phishing and identity theft. Every transaction is heavily guarded behind our advanced encryption. If something seems fishy, our dedicated team of security specialists will identify suspicious activity and help protect you from fraudulent transactions. Remember, we will never ask for any sensitive information.’
- PayPal also state ‘Every transaction is encrypted using our latest advanced technology.’
- Our website provides the Customer Engagement platform we use to manage and fulfil our contract to you. PayPal processes your payments directly and therefore no financial account details are ever taken or stored on our system.
- For more information on PayPal’s security policy you can visit: https://www.paypal.com/uk/webapps/mpp/paypal-safety-and-security
9. Record of payments and retention of payment information.
- We keep records of invoices, payments and receipts for accounting purposes. We are required to retain this information for 6 years in line with HMRC requirements. After six years we delete and/or shred this information.
10. Your rights.
How can I see all the information you have about me?
- You can make a subject access request (SAR) by contacting us. We may require additional verification that you are who you say you are to process this request. We will aim to provide you with this information within one month of your written request.
- We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
- Please contact us. We may require additional verification that you are who you say you are to process this request.
- If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format as the subject access request.
- If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
- If you wish to raise a complaint on how we have handled your data, you can contact us to have the matter investigated [firstname.lastname@example.org].
If you are not satisfied with our response or believe we are not processing your data in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk