GDPR (General Data Protection Regulation) is the most significant piece of privacy and data protection legislation in twenty years. It took effect on 25th May 2018 and from that date we are required to ensure that we gain a new data protection and privacy consent from all clients.
We are committed to complying with GDPR and take your and your child’s personal data seriously.
The following will tell you about how we use your data, and your rights regarding your personal information:
1. What kinds of personal information about you do we process?
We process both general data and what is known as “Special category data”. Special category data is information about you / your child that GDPR states as being more sensitive, such as information about physical and mental health.
2. What is the source of your personal information?
We get personal information about you and your child from you, or the person/agency who referred you.
3. What do we use your personal data for?
We only ever use your personal data and that of your child for matters relating to their care/assessment/treatment, or relating to the arranging of our appointments. If we ever need to use your data for any other purpose, your consent would be sought in advance.
4. Where do you store my data?
We store your data in two places:
– Electronic records (contact details; electronic therapy notes, letters and reports) are stored within our Practice Management system (WriteUpp). This is a secure, UK-based, GDPR-compliant system, used by many NHS trusts and other health organisations in the UK.
– Paper records (therapy notes; psychometric measures etc) are stored in a secure filing cabinet at Woodmill.
5. What are the legal grounds for our processing of your personal information (including when we share it with others)?
The conditions for processing Special Category Data are listed in Article 9(2) of the GDPR:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
6. When do we share your personal information with other organisations?
We will only share information with other organisations, such as school, CAMHS or G.P., with your consent. Where you have been referred by an outside organisation (e.g. GP; Psychiatrist etc) we would usually share information relevant to your child’s treatment with them. We would discuss this with you in advance.
The only time we would potentially need to share personal information without consent is in the case of Safeguarding concerns, where we need to share information with another agency (e.g. Health; Social Care; the Police) in order to keep your child, or another person, safe from harm. We would inform you if this were to happen. This would only happen if it were absolutely necessary and would be guided by our duties under the Children Act (1989).
If you have been referred to our service as part of your care from NHS CAMHS, we will need to share the information we hold about you and your child with them, including, but not limited to: therapy notes, appointment dates and times and psychometric data.
7. How and when can you withdraw your consent?
You can withdraw consent at any time – please inform your Psychologist if you want to do this. Please note, we are obligated to retain some personal data for a certain time period (please see below).
8. Is your personal information transferred outside the UK or the EEA?
Your personal information is stored in the UK (on WriteUpp) and within the EEA.
9. What should you do if your or your child’s personal information changes?
Please inform your Psychologist who can update the system.
10. Do you have to provide your personal information to us?
You do not have to provide personal data; however, we will be unable to provide your child with a service without relevant personal information.
11. Do we do any monitoring involving processing of your personal information?
No. Your data is only used for the purposes of arranging appointments or providing your child’s care.
12. For how long is your personal information retained by us?
We are obliged to retain some data for 5 years (or for 5 years after your child’s 18th birthday if they are under 18). This would include their name; date of birth; a brief description of the reason for referral; service provided and outcome at discharge.
13. What are your rights under data protection laws?
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
14. Accessing your data
If you want to access the data that we hold about you or your child, you can make a request in writing to your Psychologist. They will comply with the request within 30 days. Please note that we may have to redact some information provided by your child due to our professional code of conduct around confidentiality. Please talk to your Psychologist if you have any concerns about this.
15. Your right to object
If you object to our storing / using your or your child’s personal information, please discuss it with your Psychologist. You can withdraw your consent at any time, but it may mean that we cannot continue to provide a service, and we may be duty bound to hold some information for a period of time.
We will never use your data for marketing purposes. Your data will never be passed on to third parties without your knowledge and consent.
16. What happens if there is a breach of your data under Data Protection?
In the unlikely event this should happen, we would inform you as soon as possible after we have been made aware of the breach, and inform the Information Commissioner’s Office (ICO) within 72 hours.
17. Who can I talk to about Data Protection?
You can talk to your Psychologist if you have any questions. If they cannot answer them for you, you can email Dr Xav Brooke, who is the lead for Data Protection at Forward Thinking here: email@example.com
18. What can I do if I am not happy about the way my data is handled by my clinician?
Please talk to your clinician in the first instance. If you are still unhappy, you can contact Dr Xav Brooke, one of the Partners in the Practice, or make a complaint to the ICO.