Eating Therapy Ltd provides counselling services to the public for psychological issues relating specifically to eating disorders. It acts and is registered with the Information Commissioner’s Office (ICO) as a Data Controller (which means it determines the purposes for which and the manner in which any personal data is, or is to be, processed), in order to use your personal data to provide the Service you have requested. This means that the regulations set out by the ICO are followed to ensure data is fairly and lawfully processed. Personal data, sometimes called personal information, includes your name, address, date of birth and anything else someone could use to identify you as an individual, such as medical details or other key personal characteristics. Privacy, as distinct from confidentiality, refers to information about any individual attending counselling, and Eating Therapy Ltd acts as custodian for all of its personal data relating to clients. Eating Therapy Ltd also acts as a controller and processor for processing your data to and/or from other healthcare or educational providers, such as a GP, only where this is necessary for your care and with your consent. Eating Therapy Ltd does not store or transfer any personal information outside of the European Economic Area (EEA).
Under the May 2018 General Data Protection Regulation (GDPR) rules and regulations, you have more control over how and where your personal information is used. Consequently, you have the right, with regard to any personal data held by Eating Therapy Ltd: (i) to be informed; (ii) of access; (iii) to rectification; (iv) to erasure; (v) to restrict processing; (vi) to data portability; (vii) to object; and (viii) not to be subject to automated decision-making including profiling. GDPR is designed to give you confidence that the personal information Eating Therapy Ltd holds about you is accurate, up to date and well managed, and to give you easier access to that data if you wish to check or change it. Additionally, at least one of the following six legal reasons must apply whenever Eating Therapy Ltd processes your personal data: consent; contract; legal obligation; vital interests; public task; and legitimate interests.
Eating Therapy Ltd may collect contact details and process information you provide through its website (www.eatingtherapy.co.uk), by telephone (07551 736856) and via email correspondence (email@example.com) – including communications plus reports prepared at your request with regard to your ongoing care – the latter communications being periodically deleted if you are not a client, and stored in Outlook folders if you are a client. Eating Therapy Ltd uses anonymised data for any personal notes or records, so that it is not possible to identify individuals from these. Personal information is not disclosed either verbally or in writing, or otherwise, to any unauthorised third party.
Eating Therapy Ltd works hard to keep your personal data secure, including regularly reviewing its Privacy Notice, the last review being in May 2018 in order to coincide with the new GDPR coming into effect on 25th May 2018 (replacing the Data Protection Act 1998). This new regulation supports your right to have your privacy respected and your data protected. It is a really positive step towards you having more control over how your data is used and how you are contacted, as well as better protecting your personal information. You may request any additional explanation by email from Eating Therapy Ltd at any time.
Eating Therapy Ltd uses only the data you have provided in order to deliver the Service you have requested. This means that the legal basis of holding your personal data is for legitimate interest. Any additional information kept would only be with your express consent (freely given, specific, informed and unambiguous), in which case the legal basis of holding this information is consent. Consent will not be inferred as a result of silence or inactivity. Retaining your data allows any complaints you make to be processed, in which case the legal basis of holding your personal data is for contract administration.
Communications between Eating Therapy Ltd and clients are retained for no longer than is necessary, and thus for seven years according to the rules of the Regulatory Authority, the British Psychological Society (BPS), allowing also for the time limit of six years in terms of bringing legal action for breach of contract. At the end of the period of seven years following the ending of the requested Service, your personal data and notes will be securely destroyed. All paper data records will be destroyed on site or through the contracted secure service (via their own Data Security Scheme), and all electronic data held will be irretrievably deleted from devices.
Eating Therapy Ltd ensures that personal data held, either in paper or electronic format, is kept in a secure location with restricted access to authorised personnel only. Suitable physical, electronic, managerial and reasonable security procedures are in place to safeguard and secure any stored information. External data processors that are used are legally and contractually bound to operate and prove security arrangements where processing data could or does identify a person. Your personal and confidential information held on equipment, such as laptops or handheld devices, is protected with encryption and/or secure passwords.
The security of the Eating Therapy Ltd website and computer systems is of utmost importance. The website uses software to provide high level encryption technology, including any back-ups. Although advanced security measures are in place to protect your information against loss, misuse and alteration, as is the case with all computer networks linked to the internet, including for cloud data storage such as Dropbox, Eating Therapy Ltd cannot make absolute guarantees over the security of these Processors, and as such cannot be held responsible for it.
Every Eating Therapy Ltd client has the right to see, and have a copy of, personal data that can identify them individually. A “Data Subject Access Request” needs to be made in writing, for which there is no charge. A response will be provided within one month from the date the written request is received, and it will include the details of the personal data held, including how the information was acquired; how it has been processed; why it has been kept; for how long it has been retained; and with whom it has been shared if this was subject to your consent. You have the right to ask to have your information corrected or updated where it is no longer accurate. You also have the right to ask for any processing of your personal data to be limited or to be ceased, provided it is not required to be kept by law or in accordance with the Professional Regulatory Guidelines. Eating Therapy Ltd can refuse or charge for requests that are manifestly unfounded or excessive, and it will then advise the individual of the reasons for this course of action.
Within the Mental Health sector, Eating Therapy Ltd follows the common law duty of confidence, which means that where identifiable information about you has been given, it is treated as confidential and only shared for the purpose of providing direct care. There is a commitment to ensuring that your information is secure and not disclosed to third parties, in accordance with the requirements of GDPR. Your data is therefore only shared with your consent, except in the event of a complaint when information may be required by a Registrant Body. Your express consent will be confirmed before sharing your information with a GP or other healthcare provider. If your life is believed to be in danger, your information may be passed onto an appropriate authority (such as Social Services in the case of a child or vulnerable adult, or a GP in the case of self-injury), using the legal basis of vital interests. Data may be shared with other agencies if, as an example, there presents an immediate risk of substantial harm to the self or to others; or under a legal requirement, such as terrorism or drug money laundering; or via court order for disclosure.
Eating Therapy Ltd does not collect, share and use your personal data for personalisation of marketing, advertising, profiling or other services. Information that may identify you is used in accordance with GDPR. Consequently, your personal data is processed only if there is a legitimate basis for doing so, and any processing must be fair and lawful. If, at any time, Eating Therapy Ltd wanted to use your data for marketing purposes, such as newsletters or research, this would be subject to your express consent. Your information is protected, and only you can decide if and how this may be shared, if we inform you of how your personal data may be used.
Data breaches may occur if there is a deliberate attack which compromises the integrity of Eating Therapy Ltd, or if there is unauthorised access or an accidental loss of integrity. The ICO only have to be notified if a breach is likely to result in a risk to the rights and freedoms of individuals – if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Eating Therapy Ltd will notify any individual if it is made aware of any such breach. All possible data breaches will be recorded and by law must be reported to the ICO within 72 hours of the breach being identified. Information on how to report a breach is available at www.ico.org.uk. No breach should be reported without first advising and consulting Eating Therapy Ltd. If there is no harm caused, or if there is only a minimal effect resulting, this will not qualify as a breach – however, a review of security measures will still be undertaken by Eating Therapy Ltd, the results of which will be clearly documented to the relevant parties concerned.
If you have a complaint regarding the use of your personal data by Eating Therapy Ltd, you can email firstname.lastname@example.org in the first instance. If your complaint is not resolved to your satisfaction, you can contact the ICO on 01625 545745 or on 0303 1231113.