What type of information we have
We collect both personal and sensitive information as described below.
Personal data – Full name, address, date of birth, gender, email address, telephone number and GP contact information. We will also collect your business name, address and job title, this data will only be collected for those booking or attending business training.
Sensitive personal data – Clinical session notes or business one to one follow up session notes
Therapy sessions / business follow up consultations – We will not, under any circumstances, record any sessions without explicit prior agreement from you. The online video platform we use is provided by an external provider based in the US. The service uses end to end encryption for all meetings. The notes we store are created by the Clinical Psychologist during and after the session and are stored securely.
What we do with the information we have
We will use your information to contact you regarding services we believe may be of interest to you, in accordance with General Data Protection Regulations. We will also use this information to provide the services you have requested from us. If you do not provide the information requested then we will be unable to provide services to you, as stated in our Terms and Conditions. We will not share the information without your consent.
Online payment processing: when you make an online payment with us, your card details are collected and processed by Stripe. Stripe is SSL protected, meaning information is securely transmitted throughout the payment process and all redit and debit card numbers are encrypted. They are also PCI compliant to Level 1, meaning they offer the highest possible level of payment processing security.
Lawful basis for processing this information
Under the General Data Protection Regulation (GDPR), we have a contractual obligation to process your data when you book a therapy session or purchase a business programme with us.
We also have a legitimate interest in using your personal and sensitive information. This is a requirement of the regulatory body, the Health and Care Professions Council. This ensures best practice care and is necessary for our Clinical Psychologists to provide the knowledge and support provided to you.
How we store your information
All information is stored in compliance with EU General Data Protection Regulations. We are committed to taking reasonable steps to protect the the information we store, making best efforts to ensure its security on our systems.
We will store your information for as long as it is required. The sensitive personal data defined above will be stored for a period of 7 years after any programmes or one-to-one sessions you attend. After this time, data is deleted at the end of each calendar year.
Sharing of data
All information is held in confidence and will not normally be shared with anyone. However, if you would like us to share any information with any outside organisations, for example your GP, we will require your written consent. We may need to share information with relevant authorities, for example in the case of need-to-know information for another health provider, such as your GP, or when disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, such as a Court Order. We are also required to share information where there are concerns of risk of harm to you or to someone else. We will discuss this disclosure with you, unless we believe doing so could increase the risk to you or someone else.
Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us at Brain Brolly Ltd, 101 Rose Street South Lane, Edinburgh, EH2 3JG or email firstname.lastname@example.org if you wish to make a request.
How to complain
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline number: 0303 123 1113