Bath & Bristol Psychologists Privacy Notice

1. INTRODUCTION

The General Data Protection Regulation (GDPR) is concerned with the personal information about you

that is collected, stored and shared. This privacy notice details our GDPR policy so that you can feel

confident about how your information is looked after. GDPR is a law and it is about ensuring you feel

safe and knowledgeable about information held about you. If anything does not make sense or isn’t

clear, please do ask questions. Bath and Bristol Psychologists (BBP) is made up of Dr Meyrem Musa, Dr

Lucy Davis and Dr Marianne Roberts. We operate as soul traders but collectively operate under the

name BBP. We collectively take joint responsibility for the control of data that is shared or viewed

between us for the purposes of managing referrals and enquiries. At the initial point of contact BBP is

known as the ‘Controller’ of the personal information you provide and we take collective responsibility

for your data. Once you are allocated to a specific Clinical Psychologist in the team they will become

the Controller of your data and you are welcome to request their privacy policy to find out how your

data will be managed by them.

Contact Details

If you are not happy with any aspect of how we collect and use data, you have the right to complain to

the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues

(www.ico.org.uk). We would be grateful if you contact us first so that we can try to resolve it for you.

It is very important that the information we hold about you is accurate and up to date. Please let us

know if, at any time, your personal information changes by emailing us.

2. WHAT PERSONAL INFORMATION DO WE COLLECT ABOUT YOU

Personal information means any information capable of identifying an individual. It does not include

anonymised information. We may collect the following types of personal information about you

including:

● Identity - may include your full name, location and date of birth.

● Contact - may include your address, email address and telephone numbers (including permission to

send text messages and leave voice messages).

● Financial - may include your bank account and payment card details.

● Transaction - may include details about payments made to me.

We also need to collect the following sensitive information about you in order to deliver our services:

● Information about your health and reason for obtaining therapy [including GP name and address and

any other health professionals with whom you may be involved, health history and current health

situation].

● Summary of sessions.

● Emails you send me.

● Letters or reports written about you that we have provided each other.

We require explicit consent for processing sensitive information, so when you submit details, we will

send you a further communication asking for you to confirm consent to this processing.

Where we are required to collect personal information by law, or under the terms of the contract

between us and you, if you do not provide us with that information when requested, we

may not be able to perform the contract (for example, to deliver goods or services to you). For example,

sometimes it may be important for us to be able to contact other professionals who are supporting you

(e.g GP), if we do not have this information we may not be able to continue to offer you a service.

Should this happen we would always talk to you about this first. We will not collect any personal

information from you that we do not need to provide our service to you.

3. HOW WE COLLECT PERSONAL INFORMATION

We collect information about you through a variety of different methods including:

Direct interactions: You may provide information by filling in forms on our website or by

communicating with us by post, phone, email or otherwise, including when you:

● order our services

● give us feedback or updates

Automated technologies or interactions: If you use our website we may automatically collect Technical

Data about how our website is working, your browsing actions and patterns. We collect this data by

using cookies, server logs and similar technologies.

4. HOW WE USE PERSONAL INFORMATION

We will only use personal information when legally permitted. The most common uses of personal data

are: 1) to provide the service agreed with us where it is necessary 2)for legitimate interests and your

interests and fundamental rights do not override those interests and (3) where we need to comply with

a legal or regulatory obligation.

Purposes for processing personal information

Set out below is a description of the ways we intend to use personal information and the legal grounds

on which we will process such information. We have also explained what our legitimate interests are

where relevant. We may process personal information for more than one lawful ground, depending on

the specific purpose for which we are using it. Please email us if you need details about the specific legal

ground we are relying on to process our personal information where more than one ground has

been set out in the table below:

Table 1

Purpose/Activity 

Type of information

Lawful basis for processing

To register you as a new

customer and to hold you on a

waiting list

(a) Identity

(b) Contact e.g. email

address/phone number ]

(c) Sensitive (e.g. why you want

therapy)

Performance of a contract with

you

To process and deliver our

services including:

(a) Manage payments, fees and

charges

(b) Collect and recover money

owed to us

(a) Identity

(b) Contact

(c) Financial

(d) Transaction

(a) Performance of a contract

with you

(b) Necessary for our legitimate

interests to recover debts owed

to us

To manage our relationship with

you, which will include:

(a) Notifying you about changes

to our terms or privacy policy

(b) Asking you to leave feedback

(a) Identity

(b) Contact

(c) Profile

(a) Performance of a contract

with you

(b) Necessary to comply with a

legal obligation

(c) Necessary for our legitimate

interests to keep our records

updated and to study how

customers use the service

To administer and protect our

business and our site (including

troubleshooting, data analysis,

testing, system maintenance,

support, reporting and hosting

of data)

(a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate

interests for running our

business, provision of

administration and IT services,

network security, to prevent

fraud and in the

context of a business

reorganisation

(b) Necessary to comply with a

legal obligation

Marketing communications

You will not receive marketing communications from us unless we have asked your permission or it is a

direct and obvious extension of the help we were contracted to provide.

Change of purpose

We will only use personal data for the purposes for which we collected it, unless we reasonably

consider that we need to use it for another reason which is compatible with the original purpose. If you

wish to find out more about how the processing for the new purpose is compatible with the original

purpose, please email us. If we need to use personal information for a purpose unrelated to the

purpose for which we collected it, we will notify you and we will explain the legal grounds of processing.

We may process personal information without your knowledge or consent where this is required or

permitted by law.

5. DISCLOSURES OF PERSONAL INFORMATION

We may have to share personal information with the parties set out below for the purposes set out in

the table in paragraph 4 above:

● Service providers who provide IT and system administration services.

● Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy,

banking, legal, insurance and accounting services.

● HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other

relevant jurisdictions who require reporting of processing activities in certain circumstances.

we require all third parties to whom we transfer our information to respect the security of personal

information and to treat it in accordance with the law. We only allow such third parties to process

personal information for specified purposes and in accordance with our instructions

Consultation and Supervision

We receive monthly supervision with other Clinical Psychologists. The supervision is to ensure high

quality clinical practice and is a standard part of being a Clinical Psychologist. In order to protect

privacy, the supervisor will not know you personally or professionally and you will be referred to by first

names only. Information may be referred to verbally when it is helpful to professional processes.

Emergencies

If you are thought to be at risk in any way, information may be shared with an emergency healthcare

service (eg GP, Mental healthcare crisis team) or with a Social Worker. If we become aware of any

intent by you or someone else to cause harm to another person or organisation (e.g. terrorism), the

law may require that we inform an authority without seeking permission. In such a situation, the law

may require that personal information is shared without your knowledge.

Therapeutic Will

When you become a client of any of one of us, your name and contact details may be shared with our

Therapeutic Executor. This is so that you can be contacted in the event of our death should you be

receiving therapy at that time.

6. INTERNATIONAL TRANSFERS

Countries outside of the European Economic Area (EEA) do not always offer the same levels of

protection to personal information, so European law has prohibited transfers of personal information

outside of the EEA unless the transfer meets certain criteria. Whenever we transfer personal

information out of the EEA, we do our best to ensure a similar degree of security by ensuring at least

one of the following safeguards is implemented:

● we will only transfer personal information to countries that have been deemed to provide an

adequate level of protection for personal information by the European Commission; or

● Where we use certain service providers, we may use specific contracts or codes of conduct or

certification mechanisms approved by the European Commission which give the same protection as in

Europe; or

● Where we use providers based in the United States, we may transfer information to them if they are

part of the EU Privacy Shield which requires them to provide similar protection to personal information.7. DATA SECURITY

We have put in place appropriate security measures to prevent personal information from being

accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit

access to personal information to those employees, agents, contractors and other third parties who

have a business need to know. They will only process personal information on our instructions and they

are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected

personal information breach and will notify you and any applicable regulator of a breach where we are

legally required to do so.

8. DATA RETENTION

We will only retain personal information for as long as necessary to fulfil the purposes we collected it

for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We will

hold onto written information for 7 years past the end of us working together, or until you are aged 25

if you are under 18 years of age. This is so that we have a reference of our work in situations such as

you returning to therapy in the future. After this time has passed, written information will be shredded

or deleted. We are required by UK tax law to keep basic personal information (including name, address,

contact and financial details) for a minimum of six years, after which time it will be destroyed. In some

circumstances you can ask us to delete data: see below for further information.

9. LEGAL RIGHTS

You have rights under data protection laws in relation to personal information. These include the right

to:

● Be informed about what information is held about you (i.e. this document)

● Request access to personal information – to see what information is held about you (free of charge

for the initial request).

● Request correction of personal information – rectify any inaccuracies or incomplete personal

information

● Request personal information be erased (although we can decline whilst the information is needed to

practice lawfully and competently).

● Object to processing of personal information.

● Request restriction of processing personal information.

● Request transfer of personal information.

● Right to withdraw consent for us to use your personal information

You can see more about these rights at: https://ico.org.uk/for-organisations/guide-to-the-general-data-

protection-regulation/gdpr/individual-rights/ If you wish to exercise any of the rights set out above,

please email us. You will not have to pay a fee to access personal data (or to exercise any of the other

rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or

excessive. Alternatively, we may refuse to comply with the request in these circumstances. We may

need to request specific information from you to help us confirm your identity and ensure your right to

access personal information (or to exercise any of our other rights). This is a security measure to

ensure that personal information is not disclosed to any person who has no right to receive it. We may

also contact you to ask you for further information in relation to the request, to speed up our

response.We try to respond to all legitimate requests within one month. Occasionally it may take us

longer than a month if the request is particularly complex or you have made a number of requests. In

this case, we will notify you and keep you updated.

10. THIRD-PARTY LINKS

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links

or enabling those connections may allow third parties to collect or share information about you. We do

not control these third-party websites and are not responsible for their privacy statements. When you

leave our website, we encourage you to read the privacy notice of the website you visit.

11. COOKIES

You can set your browser to refuse all or some of our browser cookies, or to alert you when websites

set or access cookies. If you disable or refuse cookies, please note that some parts of the website may

become inaccessible or not function properly.

12. FINAL NOTES

If you agree to us working together you will sign a contract to say you have read and agreed to the

conditions outlined in this privacy notice. You are welcome to request the privacy policy of the Clinical

Psychologist you are assigned to and begin working with. Once they are assigned to you they will be

the Controller of your personal information.