Privacy Notice and GDPR statement
Alongside Psychology aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected.
Alongside Psychology takes the collection and storage of your information very seriously and complies with both the Data Protection Act 1998 and the European General Data Protection Regulations 2018. Dr Kathryn Whyte is registered as the Data Controller with the Information Commissioner’s Office.
Some of the words and terms used in this document are technical and might be unfamiliar to many people. If there is anything in this document that you would like support to understand, please contact Kathryn Whyte. You can also contact the Information Commissioner’s Office (ICO) for more information: https://ico.org.uk/for-the-public/. They can also support you with making a Subject Access Request (SAR) to see the information we or another organisation holds about you, and with making a complaint about how your data has been stored or used.
Aim and purpose of this policy
This policy describes the information that Alongside Psychology collects when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2018.
The policy also describes how we manage your information when you use our website, our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or with other online presence (such as Facebook or Instagram). In respect of cookies, the policy includes information about the type of cookies that we use and your right to disable these.
What data do we collect and why?
For us to provide you with services, we need to collect the following information:
Basic personal information and contact information, including your name, a postal address, telephone number(s) and electronic contact such as email address. We may also communicate via Instagram or Facebook, if you choose to engage with our posts and comments on these platforms, in which case we will need to know your Facebook/Instagram username.
Details of your/your child’s health and life experiences, including what is known as ‘sensitive information’ (details of your mental and physical health, your racial or ethnic origin, your religious beliefs, your gender and sexuality identities). We will collect this at various stages as it is relevant to your/your child’s care, specifically at enquiry, assessment and therapy, or if we are conducting a consultation with parents and/or professionals about a child. This may include audio and/or video recordings and/or digital photographs. We will ask for your consent to audio and video recording and about the various ways you would like us to use it.
We may also collect information about you from third parties; for example, if we need to gather information from another health professional (such as your child’s GP or Occupational Therapist) to provide a complete health assessment.
We need to collect information about you so that we can:
Know who you are so that we can communicate with you in a personal way.
Deliver goods and services to you or the person you refer to us.
Provide you/your child with the care you have asked us to provide.
Process your payment via invoices for the work. We do not store information relating to bank details etc.
Monitor our service delivery and optimise your care. To do this, we may use audio and/or video recordings or take digital photographs.
Verify your identity so that we can be sure we are dealing with the right person.
Optimise your experience on our website.
Send you information about changes in our service.
Offer you information and advice.
Provide you with a useful and relevant website.
Under GDPR we need to evidence a legitimate reason for collecting and storing your information. The legal basis for this is your consent via our contract with you to provide health services in the case of clients and their parents/guardians and ‘legitimate interest’ in the case of referrers, commissioners and other relevant parties. Where information is deemed ‘sensitive’ by law, the legal basis for this is the contract with you and as this is a special category of data for the provision of health and social care, it is processed under Article 9.2 (h).
How do we use the information that we collect?
We use the data we collect from you in the following ways:
To communicate with you so that we can inform you about your or your child’s (or the child you have referred to us) appointments with us, we use your name and your contact details such as your telephone number, email address or postal address.
To deliver the correct service to you we use your name, your contact details and clinical details.
To conduct assessments, therapy, consultation, training and research.
To produce reports about our work together.
To monitor the quality of our work via supervision.
To create your invoice, we use your or the commissioner’s name and email address.
To optimise our website so that users can find the information they need.
To make you aware of any significant service changes or updates.
Using our website
Details about how you access our website, such as the IP address, the browser you use, and which pages you access, are collected directly from you via the infrastructure of our website. Our website is not intended for children and we do not knowingly collect data relating to children via our website.
On our website, we use cookies to gather information about visitors which we use only to enhance your online experience. We do not identify you or any other individuals from this information (see section below for more information on how we use cookies). Similarly, the IP address of any user visiting the website is logged by the IT system; again, this is not used to develop a personal profile of you, it is used to ensure our website is providing useful and relevant information to anyone who uses it.
Our website (including this policy) includes links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
Where do we keep the information?
We keep your information in the stores described below:
On our laptop - We use a laptop that is located at the registered business address. If used outside of that premises the laptop is stored securely when it is transported. The laptop is password protected and the password is not shared with anyone else. Data is saved to password protected files and backed up to an encrypted One Drive Cloud Storage file.
Invoice tracker and invoices - The former is an Excel spreadsheet including all invoices. Invoices themselves are saved electronically as PDF files.
Enquiry and referral documents - These are Word or PDF documents for each enquiry we receive. They contain contact and clinical details.
Quotations/signed terms and conditions - A PDF document sent to referrers/commissioners to legally contract the work. These are prepared on our personal computers and/or external hard drive and transferred to the relevant client file if/when the work is commissioned.
Safeguarding log - We keep a separate table of all safeguarding concerns to ensure that safeguarding communication is optimal and to keep track of safeguarding referrals.
Emails - Emails, including web contact forms, are viewed via our personal computers but are moved to the client file as appropriate.
Reports - We create assessment, interim and closure report documents that contain all the information that we gather and our findings and conclusions. These are written on the laptop and saved to the One Drive storage system as password protected files.
Video/audio recordings - Together we may decide to record in-person or online sessions. These are transferred from the camera SD card to the laptop as soon as possible (within a maximum of 2 weeks) after the clinical session.
Digital photos - Together we may decide to take photos. These are transferred from the camera SD card to our personal computers as soon as possible (within a maximum of 2 weeks) after the clinical session.
Transcriptions - Transcriptions of assessment sessions and research interviews can sometimes be made in order to provide the best quality work. In the event that a transcription service is used a specific data sharing agreement will be made.
Mobile devices - Dr Kathryn Whyte uses a dedicated work mobile phone which may be used in relation to some of your clinical data. This may include the following:
Voicemails
Text messages
WhatsApp – preferred method of contact as messages are encrypted offering additional security
Digital photos
Mobile data storage - SD cards and USB storage may be used. They will be transported in line with our data protection policy and encrypted to optimise data security.
How long do we keep the information?
The following data retention schedule has been devised in line with the following documents:
The British Psychological Society (BPS) Guidelines on the use of Electronic Health Records. 2011.
The British Psychological Society (BPS) Practice Guidelines (Third Edition). 2017.
The Information Governance Alliance. Records Management Code of Practice for Health and Social Care. 2016.
Information Retention period (from date of last contact or end of contract unless otherwise stated):
(Type of information / Time information is retained)
Referral tracker / 2 years
Invoices Tracker and paper invoices / 2 years
Electronic invoices / 7 years
Enquiry forms Pre-commissioning/contract / 12 months
Post-commissioning Child / Until age 26
Quotations Pre-commissioning / 2 years
Emails / 1 year
Clinical Notes and Reports Child / On laptop and backed up to One Drive until age 26
Clinical Notes and Reports Adult / 7 years
Digital photos on SD card/Mobile device / Maximum of 2 weeks
Digital photos in cloud storage / As clinical notes for adults/children
Transcriptions / 12 months
Voicemails, WhatsApps, text messages / Transferred to client notes within 2 weeks of receipt and stored as client notes
Supervision records / 6 years
Safeguarding log / 5 years
Who do we send the information to?
We send your report to you and anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are password protected.
The details about your access to our website are sent to our website hosting provider based in the USA. Our website settings are configured to be compliant with GDPR regulations.
We will get your consent to send any of your information to anyone else e.g. schools, GP, commissioners unless safeguarding or clinical risk reasons dictate otherwise.
For services funded by the ASGSF or other commissioners, we are required to send information about your use of the service and outcomes of your work with the service. Some of this information will identify you. All information shared with these 3rd parties is stored and sent in compliance with this privacy notice and in line with GDPR and confidentiality procedures.
Marketing
Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).
Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our goods or services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.
How can I see all the information you have about me?
You can make a subject access request (SAR) by contacting Dr Kathryn Whyte. We may require additional verification that you are who you say you are to process this request.
We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
We aim to respond to all legitimate Subject Access Requests within 1 month of receipt and will keep you informed of any delays which can result through factors outside of our control.
What if my information is incorrect?
Please contact Dr. Kathryn Whyte. We may require additional verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems, we will send you a copy of the updated information in the same format as the subject access request in section 8.
How can I have my information removed?
If you want to have your data removed, we have to determine if we need to keep the data, for example in case it is in your child’s vital interests for it to be kept or if HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
Will we send emails and text messages to you?
As part of providing our service to you we will send your report to you via email. The report will be password protected. Also, as part of this service, between us we may decide that it is useful to contact each other via text message. To protect your information, we prefer to use an end-to-end encrypted messaging service (WhatsApp). If you are not able to use such a service, we may use SMS (text messages); however, this does increase the risk of someone intercepting the message.
We will send emails and text messages to you about marketing and additional services that we provide only if we have your consent to do so.
How do I opt out of receiving emails and/or text/WhatsApp messages from Alongside Psychology?
If you are receiving text messages from us, you may opt out at any time by contacting Dr Kathryn Whyte who will update your consent on the system. Similarly, if you are receiving emails from us, you may opt out at any time using the same process. There may be limits to the service we can offer you if you opt out of electronic communication and these will be explained in full to support your final decision.
APPENDIX 1: COOKIES
What is a cookie?
A cookie is a small amount of data stored on a computer that contains information about the internet pages that have been viewed from that computer. They are commonplace on the internet and are used by websites to improve the user’s online experience by storing information about how the user navigated around and interacted with it. This information is then read by the website on the next occasion that the user visits.
Cookies are sent automatically by websites as they are viewed, but in order to protect a user’s privacy, a computer will only permit a website to access the cookies it has sent, and not the cookies sent by other sites. Furthermore, users can adjust the settings on their computer to restrict the number of cookies that it accepts, or notify them each time a cookie is sent. This should improve privacy and security but will generally mean that certain personalised services cannot be provided, and it may therefore prevent the user from taking full advantage of a website's features.
For further information on cookies, please visit www.aboutcookies.org
What sort of cookies do we use and how do we use them on our website?
We use two types of cookies: session cookies and stored cookies:
Session cookies expire at the end of the user's browser session and can also expire after the session has been inactive for a specified length of time, usually 20 minutes. Session cookies are stored in the computer's memory and are automatically deleted from the user's computer when the browser is closed. The session cookies we use are a kind of electronic ‘bookmark’ so that your browser remembers what you looked at on our site previously. This can help you navigate the pages more efficiently.
Stored cookies are stored on the user's computer and are not deleted when the browser is closed. Stored cookies can retain user preferences for a particular website, allowing those preferences to be used in future browsing sessions.
We do not use third party cookies – no other websites have access to our website.
Can I browse your website without receiving any cookies?
Yes. If you have set your computer to reject cookies, you can still browse our website. However, certain functions may not be available to you unless you enable cookies.
Please note we only use cookies for the purpose of enhancing your online experience and no personal data is collected from you through this process.
How can I find and control cookies?
You can usually adjust for yourself the number of cookies that your computer (or other device, such as a mobile phone) receives. How this is done, however, varies according to which device and what browser software you are using.