Our Privacy Notice - How we use, store and transmit personal data
This notice provides information about how we collect, store and communicate personal data relevant to the assessment and treatment of our clients. The following details explains how your data is securely managed and your rights when your data is being processed by us.
Think CBT Ltd. (“Think CBT”) is the data controller for all information it holds about its clients, associates and staff. You can contact the Data Protection Officer (DPO) by emailing email@example.com.
Glossary of Terms
Therapy Notes; anonymised notes securely kept by your therapist to support continuity and progress through the therapeutic process.
Consent; Freely given, specific, informed and explicit consent by statement or action by the patient, staff member or any person signifying agreement to the processing of their personal data.
Controller; The Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor; A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Subject; Any individual we deal with such as a client, patient, therapist or Doctor whom the particular personal data is about.
Data Protection Officer (DPO); An expert on data privacy who works independently to ensure the business is adhering to the policies and procedures set forth in the GDPR.
Personal Data; Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Processing; Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Right to be Forgotten (RTBF); Also known as 'right to erasure'. Entitles the data subject to have the clinic erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
Why We Maintain Personal Data
We collect and maintain a record of data submitted by our clients to:
- Book appointments, usually by phone, text or email.
- Provide written information about assessment and treatment to clients and their authorised representatives.
- Ensure that professionals involved in the provision of treatment have accurate and up-to-date information.
- Investigate concerns or formal complaints.
- Provide accurate information if clients transfer to another therapy provider or request a referral to an allied health professional.
We have a duty to:
- Maintain full and accurate records of the therapy we provide to you.
- Ensure that your records are confidential, secure and accurate.
- Provide a copy at your request in an accessible format.
Your record may include some or all of the following:
- Your name, email, contact number, postal address and date of birth.
- Contact we have had with you, such as enquiries made via a website or confirmed appointments.
- Therapy notes, test results and reports kept on our database and by the relevant therapist.
- Relevant information from referrers such as health professionals or relatives.
Identifying You as an Individual
We have many patients with similar names so it is important for all patients to be properly identified as individuals. In order to be sure that you have been correctly identified we may ask you for a number of pieces of information. Relevant data items include:
- Full name.
- Date of birth.
- Permanent address.
- Email address.
- Contact number.
- Presenting problem or reason for treatment.
How Think CBT uses Your Contact Details
Contact information is normally collected at the assessment stage or submitted directly by clients via our website. We take your privacy seriously so please let us know if you have any specific contact instructions.
If you provide a mobile phone number: we may call, leave messages or text. inform us if you do not want us to do so. If you provide a landline: we may leave a message, please inform us if you do not want us to do so.
If you provide us with your email address, we may use it to send confidential information, unless you have instructed us not to do so. Please read the following before providing us with your email address.
For the purpose of sending sensitive and confidential information such as referrals, appointment confirmations and test results we use industry standard SSL encryption. Written assessment reports are also password protected to provide additional data security.
Important Information About Email Usage
Email contact provides a quick and convenient means of communication. Whilst information sent by email or submitted by clients using our website contact forms is encrypted to industry standards, email is not a completely secure method of communication. Whilst you can use email to contact our main office or your designated therapist, you should not:
- Provide more personal information than we need to process your request.
- Ask us to send you personal details that you would not want seen by other people.
- Share highly confidential or sensitive data that could be intercepted or viewed by other people.
- If you have an urgent question or feel at risk after going home after treatment contact an emergency service e.g. 111 NHS emergency service or 999 for life threatening conditions by telephone, do NOT email Think CBT Ltd. in an emergency.
How Your Records are Kept
Our guiding principle is that we hold your records in strict confidence. We use appropriate technical and organisational measures to ensure this. Think CBT is registered under the Data Protection Act 2018. It abides by the law and observes good practice in maintaining confidentiality and appropriate information security. We will fulfil our obligations to the fullest extent, including ensuring that the following 8 principles governing the processing of personal data are observed:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.
- Personal data shall be accurate and where necessary, kept up to date.
- Personal data shall be kept for no longer than is necessary for the purposes for which it is processed.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection.
Information about you and the services you receive may be held in written and electronic formats and will be kept for the specific retention periods outlined by the relevant professional bodies. Data held on paper or disk will be processed in accordance with the Data Protection Act and destroyed using secure documented procedures after the time periods set out by the Department of Health.
How Your Records are Used
We use your records to:
- Ensure that any treatment or advisory services we provide to you are based on accurate information.
- Send a letter about your care to your GP or other health professional unless you tell us not to do so.
- Work effectively with other services providing you with treatment or advice.
- Monitor the quality of our care and help us to understand the outcomes of therapy.
- Investigate any relevant concerns or complaints you or your family have.
- Provide information that is needed for financial transactions in relation to payment for treatment, such as billing. For private patients this may include details shared with your insurance company. If you have any concerns about this, please contact your insurance provider.
Passing Your Intake Information to Your Designated Therapist
Think CBT associate therapists are members of our wider team and are checked for relevant training, experience, qualifications, accreditation status and professional indemnity. Our associate therapists are self-employed, however they are required to strictly comply with our service conditions and practice standards.
When your personal intake data is passed to your designated therapist, direct responsibility for the secure maintenance of your personal information is transferred to this therapist. Once your data has been transferred, your therapist takes direct responsibility for all data control matters relating to your treatment and communication with you. This helps to ensure that your information is not shared more widely within our team and that only your designated therapist has access to your personal data.
We may retain your contact information to assist in future enquiries, however any personal or sensitive data will be deleted or redacted from our database within four weeks of your transfer to a member of our associate therapist team.
The designated associate therapist is required to comply with the standards laid out in the GDPR and maintain the principles outlined in this privacy statement.
We may also share information that identifies you where:
- You ask us to do so.
- We ask for specific permission and you agree to this.
- We are required to do this by law.
- We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality (e.g. to prevent someone from being seriously harmed).
Think CBT will not provide client information to other organisations except under the circumstances described in this privacy notice.
Sharing information with Other Healthcare Professionals and Family
You must specifically name other people, with whom you would like us to share information about you. We make best efforts to ensure that information provided over the telephone is restricted to those you have named and we share on a need-to-know basis. Sometimes this means refusing to disclose information about you to someone who feels they should know about your treatment and progress. Please make your family and friends aware of this.
Sometimes we have a legal duty to provide information about people;, e.g. where personal risk is a factor and when a court order instructs us to do so. Records may also be shared without the patient's consent in exceptional situations, such as to safeguard adults or children.
Sharing Your Records Outside the European Economic Area:
If your permanent address is outside the EU, or your treatment is continuing outside the EU, we may send details of your treatment to individuals based outside the EU specifically to promote your ongoing care. This would normally be the doctor who referred you to us for treatment. If you wish, we can give you the documents so that you have physical control over this information.
In the usual course of our business, we may use third parties to process and store your data on our behalf. We normally store your data on secure servers in the European Economic Area (EEA). Such processing is subject to contractual restrictions with regard to confidentiality and security in addition to the obligations imposed by the Data Protection Act 2018.
Exceptionally we may use suppliers who are based outside the EEA for processing and storing your data. We have strict controls over how and why your data can be accessed. By submitting your personal data, you agree to this.
How Can I Stop My Information From Being Shared?
If you do not want us to share your information with your GP, other healthcare providers or carers, please tell your designated therapist. But please note that not sharing your information may affect the care that can be provided for you.
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Where your wishes cannot be followed you will be told the reasons including the legal basis. You may at any time withdraw any consent you have previously given Think CBT to process information about you.
If you wish to exercise your right to opt-out, withdraw consent to use your information, or to speak to somebody to understand what impact this may have, please discuss your concerns with your therapist.
Your Legal Rights
You have the right to confidentiality under the Data Protection Act 2018 (DPA), the Human Rights Act 1998 and the Common Law Duty of Confidentiality. The Equality Act 2010 may also apply.
Where your data is processed on the basis of your consent, you have the right to request the erasing of your data under the policy Right to Erasure (‘right to be forgotten’).
You have the right to know what information we hold about you, what we use it for and if the information is to be shared, who it will be shared with.
You have the right to apply for access to the information we hold about you. Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs where you cannot manage them yourself. Access covers:
- The right to obtain a copy of your records in permanent form;
- The right to have the information provided to you in a way you can understand and explained where necessary, for example where abbreviations have been used. You would not be entitled to see information that:
- Has been provided about you by someone else if they haven’t given permission for you to see it.
- Identifies another person who has not given permission for you to see the information about them.
- Relates to criminal offences.
- Is being used to detect or prevent crime.
- Could cause physical or mental harm to you or someone else. If you are currently receiving services from us and wish to view the record without obtaining a copy, discuss your request with the therapist providing your care.
Obtaining a Copy of Your Record
If you wish to apply for access to the information we hold about you. Please note:
- You should send your request in writing to the Think CBT – firstname.lastname@example.org. You should provide enough information to enable us to correctly identify your records, for example include your full name, address, date of birth.
- We will take every reasonable step to respond to you within 40 days of receiving your request.
- You may be required to provide a form of ID before any information is released to you. Once you receive your records, if you believe any information is inaccurate or incorrect, please inform us.
Whilst we appreciate that the information provided in this privacy statement is detailed and complex, we wish to reassure all of our clients that we will not share Personal Data with third parties for commercial or marketing purposes. We undertake that our systems are managed on a secure and confidential basis.
Think CBT is committed to providing access to affordable independent Cognitive Behavioural Therapy. Our aim is to support tangible improvements in the psychological health and well being of our clients, contributing to better lives worth changing for.
There are many psychotherapists and counsellors offering cognitive behavioural therapy. Always ensure that your therapist is professionally accredited with the British Association of Behavioural and Cognitive Psychotherapy (BABCP).