Bath & Bristol Psychologists Privacy Notice
1. INTRODUCTION
The General Data Protection Regulation (GDPR) is concerned with the personal information about you
that is collected, stored and shared. This privacy notice details our GDPR policy so that you can feel
confident about how your information is looked after. GDPR is a law and it is about ensuring you feel
safe and knowledgeable about information held about you. If anything does not make sense or isn’t
clear, please do ask questions. Bath and Bristol Psychologists (BBP) is made up of Dr Meyrem Musa, Dr
Lucy Davis and Dr Marianne Roberts. We operate as sole traders but collectively operate under the
name BBP. We collectively take joint responsibility for the control of data that is shared or viewed
between us for the purposes of managing referrals and enquiries. At the initial point of contact BBP is
known as the ‘Controller’ of the personal information you provide and we take collective responsibility
for your data. Once you are allocated to a specific Clinical Psychologist in the team they will become
the Controller of your data and you are welcome to request their privacy policy to find out how your
data will be managed by them.
Contact Details
If you are not happy with any aspect of how we collect and use data, you have the right to complain to
the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues
(www.ico.org.uk). We would be grateful if you contact us first so that we can try to resolve it for you.
It is very important that the information we hold about you is accurate and up to date. Please let us
know if, at any time, your personal information changes by emailing us.
2. WHAT PERSONAL INFORMATION DO WE COLLECT ABOUT YOU
Personal information means any information capable of identifying an individual. It does not include
anonymised information. We may collect the following types of personal information about you
including:
● Identity - may include your full name, location and date of birth.
● Contact - may include your address, email address and telephone numbers (including permission to
send text messages and leave voice messages).
● Financial - may include your bank account and payment card details.
● Transaction - may include details about payments made to me.
We also need to collect the following sensitive information about you in order to deliver our services:
● Information about your health and reason for obtaining therapy [including GP name and address and
any other health professionals with whom you may be involved, health history and current health
situation].
● Summary of sessions.
● Emails you send me.
● Letters or reports written about you that we have provided each other.
We require explicit consent for processing sensitive information, so when you submit details, we will
send you a further communication asking for you to confirm consent to this processing.
Where we are required to collect personal information by law, or under the terms of the contract
between us and you, if you do not provide us with that information when requested, we
may not be able to perform the contract (for example, to deliver goods or services to you). For example,
sometimes it may be important for us to be able to contact other professionals who are supporting you
(e.g. GP). If we do not have this information we may not be able to continue to offer you a service.
Should this happen we would always talk to you about this first. We will not collect any personal
information from you that we do not need to provide our service to you.
3. HOW WE COLLECT PERSONAL INFORMATION
We collect information about you through a variety of different methods including:
Direct interactions: You may provide information by filling in forms on our website or by
communicating with us by post, phone, email or otherwise, including when you:
● order our services
● give us feedback or updates
Automated technologies or interactions: If you use our website we may automatically collect Technical
Data about how our website is working, your browsing actions and patterns. We collect this data by
using cookies, server logs and similar technologies.
4. HOW WE USE PERSONAL INFORMATION
We will only use personal information when legally permitted. The most common uses of personal data
are: (1) to provide the service agreed with us where it is necessary, (2) for legitimate interests and your
interests and fundamental rights do not override those interests, and (3) where we need to comply with
a legal or regulatory obligation.
Purposes for processing personal information
Set out below is a description of the ways we intend to use personal information and the legal grounds
on which we will process such information. We have also explained what our legitimate interests are
where relevant. We may process personal information for more than one lawful ground, depending on
the specific purpose for which we are using it. Please email us if you need details about the specific legal
ground we are relying on to process our personal information where more than one ground has
been set out in the table below:
| Purpose/Activity | Type of information | Lawful basis for processing |
|---|---|---|
| To register you as a new customer and to hold you on a waiting list | (a) Identity (b) Contact (e.g. email address/phone number) (c) Sensitive (e.g. why you want therapy) | Performance of a contract with you |
| To process and deliver our services including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction | (a) Performance of a contract with you (b) Necessary for our legitimate interests to recover debts owed to us |
| To manage our relationship with you, which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave feedback | (a) Identity (b) Contact (c) Profile | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests to keep our records updated and to study how customers use the service |
| To administer and protect our business and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation (b) Necessary to comply with a legal obligation |
Marketing communications
You will not receive marketing communications from us unless we have asked your permission or it is a
direct and obvious extension of the help we were contracted to provide.
Change of purpose
We will only use personal data for the purposes for which we collected it, unless we reasonably
consider that we need to use it for another reason which is compatible with the original purpose. If you
wish to find out more about how the processing for the new purpose is compatible with the original
purpose, please email us. If we need to use personal information for a purpose unrelated to the
purpose for which we collected it, we will notify you and we will explain the legal grounds of processing.
We may process personal information without your knowledge or consent where this is required or
permitted by law.
5. DISCLOSURES OF PERSONAL INFORMATION
We may have to share personal information with the parties set out below for the purposes set out in
the table in paragraph 4 above:
● Service providers who provide IT and system administration services.
● Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy,
banking, legal, insurance and accounting services.
● HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other
relevant jurisdictions who require reporting of processing activities in certain circumstances.
We require all third parties to whom we transfer our information to respect the security of personal
information and to treat it in accordance with the law. We only allow such third parties to process
personal information for specified purposes and in accordance with our instructions.
Consultation and Supervision
We receive monthly supervision with other Clinical Psychologists. The supervision is to ensure high
quality clinical practice and is a standard part of being a Clinical Psychologist. In order to protect
privacy, the supervisor will not know you personally or professionally and you will be referred to by first
names only. Information may be referred to verbally when it is helpful to professional processes.
Emergencies
If you are thought to be at risk in any way, information may be shared with an emergency healthcare
service (e.g. GP, Mental healthcare crisis team) or with a Social Worker. If we become aware of any
intent by you or someone else to cause harm to another person or organisation (e.g. terrorism), the
law may require that we inform an authority without seeking permission. In such a situation, the law
may require that personal information is shared without your knowledge.
Therapeutic Will
When you become a client of any one of us, your name and contact details may be shared with our
Therapeutic Executor. This is so that you can be contacted in the event of our death should you be
receiving therapy at that time.
6. INTERNATIONAL TRANSFERS
Countries outside of the European Economic Area (EEA) do not always offer the same levels of
protection to personal information, so European law has prohibited transfers of personal information
outside of the EEA unless the transfer meets certain criteria. Whenever we transfer personal
information out of the EEA, we do our best to ensure a similar degree of security by ensuring at least
one of the following safeguards is implemented:
● We will only transfer personal information to countries that have been deemed to provide an
adequate level of protection for personal information by the European Commission; or
● Where we use certain service providers, we may use specific contracts or codes of conduct or
certification mechanisms approved by the European Commission which give the same protection as in
Europe; or
● Where we use providers based in the United States, we may transfer information to them if they are
part of the EU Privacy Shield which requires them to provide similar protection to personal information.
7. DATA SECURITY
We have put in place appropriate security measures to prevent personal information from being
accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit
access to personal information to those employees, agents, contractors and other third parties who
have a business need to know. They will only process personal information on our instructions and they
are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected
personal information breach and will notify you and any applicable regulator of a breach where we are
legally required to do so.
8. DATA RETENTION
We will only retain personal information for as long as necessary to fulfil the purposes we collected it
for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We will
hold onto written information for 7 years past the end of us working together, or until you are aged 25
if you are under 18 years of age. This is so that we have a reference of our work in situations such as
you returning to therapy in the future. After this time has passed, written information will be shredded
or deleted. We are required by UK tax law to keep basic personal information (including name, address,
contact and financial details) for a minimum of six years, after which time it will be destroyed. In some
circumstances you can ask us to delete data: see below for further information.
9. LEGAL RIGHTS
You have rights under data protection laws in relation to personal information. These include the right
to:
● Be informed about what information is held about you (i.e. this document)
● Request access to personal information – to see what information is held about you (free of charge
for the initial request).
● Request correction of personal information – rectify any inaccuracies or incomplete personal
information
● Request personal information be erased (although we can decline whilst the information is needed to
practise lawfully and competently).
● Object to processing of personal information.
● Request restriction of processing personal information.
● Request transfer of personal information.
● Right to withdraw consent for us to use your personal information
You can see more about these rights at:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation/gdpr/individual-rights/
If you wish to exercise any of the rights set out above,
please email us. You will not have to pay a fee to access personal data (or to exercise any of the other
rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or
excessive. Alternatively, we may refuse to comply with the request in these circumstances. We may
need to request specific information from you to help us confirm your identity and ensure your right to
access personal information (or to exercise any of our other rights). This is a security measure to
ensure that personal information is not disclosed to any person who has no right to receive it. We may
also contact you to ask you for further information in relation to the request, to speed up our
response. We try to respond to all legitimate requests within one month. Occasionally it may take us
longer than a month if the request is particularly complex or you have made a number of requests. In
this case, we will notify you and keep you updated.
10. THIRD-PARTY LINKS
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links
or enabling those connections may allow third parties to collect or share information about you. We do
not control these third-party websites and are not responsible for their privacy statements. When you
leave our website, we encourage you to read the privacy notice of the website you visit.
11. COOKIES
You can set your browser to refuse all or some of our browser cookies, or to alert you when websites
set or access cookies. If you disable or refuse cookies, please note that some parts of the website may
become inaccessible or not function properly.
12. FINAL NOTES
If you agree to us working together you will sign a contract to say you have read and agreed to the
conditions outlined in this privacy notice. You are welcome to request the privacy policy of the Clinical
Psychologist you are assigned to and begin working with. Once they are assigned to you they will be
the Controller of your personal information.