Privacy Policy

What is a Privacy Policy?

Oak Grove Psychology needs to gather and use certain information about clients and prospective clients in line with the information contained within our Terms of Engagement document.

Oak Grove Psychology is committed to the principles set out in the UK General Data Protection Regulation and the Data Protection Act 2018, and aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected.

This Privacy Policy describes how Oak Grove Psychology manages your information when you use our services and / or our Site(s), if you contact us or when we contact you.

This statement is updated from time to time (last updated 30 October 2025). This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

If you have any questions about this policy, email drannanorris@oakgrovepsychology.co.uk

Why does Oak Grove Psychology need to collect your personal data?

We need to collect information about you so that we can:

  • Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.

  • Deliver goods and services to you. The legal basis for this is the contract with you.

  • Process your payment for the goods and services. The legal basis for this is the contract with you.

  • Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.

What data we gather

We may collect the following information to enable us to work with you safely and effectively, and to efficiently provide appointment reminders and invoicing:

  • Name and address (postal and email)

  • Telephone number

  • Date of birth

  • GP details

  • Next of kin

  • Details of private health insurance policies (where relevant)

  • Details of the issue that led you to contact us

During initial contact and then subsequent therapy, we will inevitably also collect a significant amount of other personal data relevant to assessing and treating your presenting psychological difficulties i.e., to enable us to offer you the service you have sought from us.

Certain types of information are known as “special categories” under data protection law, and receive additional protection due to their sensitivity, for example information that reveals your race or ethnicity, your political views or your religious beliefs. We only use these types of data with your explicit consent, or to protect your vital interests or when it is necessary to meet a lawful purpose under the current legislation.

How we collect your data

At the outset you will be asked to complete a Client Information Form, so that we can collect the initial data necessary to be able to work with you, for example your name, address, GP details etc. This data is collected via our Practice Management Software (Cliniko). Should you wish to send us further details of a sensitive nature (for example, copies of reports), we can accept them from your normal email account, but we must advise you to use a secure, encrypted platform instead.

Your allocated psychologist may use an AI medical scribe (Heidi) to listen to your session and produce a client note, which is then added to our Practice Management Software (Cliniko).

You can also contact us via our ‘contact us’ page on the website. We ask that you provide us with your name, email address and a very brief description of the support you are looking for. We will respond to this enquiry as quickly as is possible.

How we use this data

Collecting this data helps us:

  • Contact you to set up an initial assessment appointment and subsequent therapy.

  • Respond to any enquiries about our services.

  • Link you up with one of our psychologists.

  • Conduct a thorough psychological assessment.

  • Devise and implement an effective treatment plan.

  • Listen to a clinical session and produce a clinical note.

  • Invoice for the services rendered.

  • Communicate (when necessary and agreed with you) with relevant third parties to support your treatment and manage risks.

How we store this data

Clinical records: We use the practice management software Cliniko (who state they are GDPR compliant) to store your information in the UK, including clinical notes and personal data. You can read more about their security measures here: https://www.cliniko.com/security/. During the course of therapy, your therapist may also keep process notes – these will not contain any identifiable information (e.g., your name, address, date of birth). Any written notes will be kept in a locked filing cabinet during the course of therapy and shredded at the end of your sessions. Where we use Heidi (the AI medical scribe), the session note will be stored electronically on UK servers. You can read more about their compliance here: https://www.heidihealth.com/uk/compliance/uk. Documents (e.g., reports and/or formulations) may also be stored on encrypted computers.

Accounts: We use a cloud-based accounts package known as Xero, which has stated that it is committed to GDPR compliance (https://central.xero.com/s/article/Privacy-at-Xero). Our accountant’s firm is called JT Accounting (Juliette Tompson Accounting Limited). They keep no physical storage of personal data records and have stated their processes are GDPR compliant.

Management of information in the event of the incapacitation or death of a psychologist

In the event of the incapacitation or death of the psychologist working with you, another allocated professional may be asked to access and manage information related to our work with you with a view to informing you of such an event, supporting you in the transition to another psychologist or service and ensuring continued safe storage and management of records. This psychologist will also adhere to the GDPR principles, and your data will only be shared when there is a legitimate need for them to access the information.

The lawful ways we collect your data

We use your information for the following lawful reasons:

* To enter into or to perform a contract, for example, to provide you with a thorough psychological assessment.

* With your consent to contact you to set up assessments and therapy.

* To comply with a legal obligation, for example the rules set out by the General Medical Council and Secretary of State.

* For our legitimate interests, for example to monitor and improve our business and our services, and demonstrate compliance with applicable laws and regulations. Where we rely upon this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights.

“Special category data” is more sensitive personal information that requires higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information. We may process special categories of personal information in the following circumstances:

  1. in limited circumstances, with your explicit written consent.

  2. where it is needed to assess your medical diagnosis, subject to appropriate confidentiality safeguards; and/or

  3. where it is necessary for establishing, exercising, or defending legal claims.

What are your rights?

Under the Data Protection Legislation, you have the following rights, which we will always work to uphold:

  1. The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.

  2. The right to access the personal data we hold about you.

  3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us to find out more.

  4. The right to be forgotten, i.e., the right to ask us to delete or otherwise dispose of any of your personal data that we hold. Please contact us to find out more.

  5. The right to restrict (i.e., prevent) the processing of your personal data.

  6. The right to object to us using your personal data for a particular purpose or purposes.

  7. The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.

  8. The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.

  9. Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

Accessing the information we hold about you

All individuals who are the subject of personal data held by Oak Grove Psychology are entitled to:

  • Ask what information the company holds about them and why.

  • Ask how to gain access to it.

  • Be informed how to keep it up to date.

  • Be informed how the company is meeting its data protection obligations.

You can make a subject access request to us. This does not need to be in writing and may be made over the telephone. We may require additional verification that you are who you say you are to process this request. We may withhold personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.

We will aim to provide the relevant data within one month. We will always verify the identity of anyone making a subject access request before handing over any information. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

Data accuracy

Should, during your contact with us, any personal data be subject to change e.g., if you move, change GPs, change your name etc., we would be grateful if you could notify us at the earliest opportunity so we can ensure our records are up to date.

Controlling Information about you

Any personal information we hold about you is stored and processed under our data protection policy, in line with the Data Protection Act 2018 and the UK GDPR (collectively, “the Data Protection Legislation”), which define personal data as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Your data will be kept for the lifetime of your status as a client with us. When you cease to be a client with us, your data will be kept for a minimum period of five years, and a maximum period of ten years in accordance with General Medical Council guidelines. You have the right to ask for your data to be destroyed after the minimum period of five years, but not before then. Oak Grove Psychology has the right to retain your data for the five-year period so that it can respond effectively to any questions or complaints that may later be raised by you and/or your representatives.

We will not share any of your personal data with any third parties for any purposes, subject to the following exception(s).

  • In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

  • Carrying out a legal duty or as authorised by the Secretary of State

  • Protecting vital interests of a Data Subject or other person

  • If the data subject has already made the information public

  • Monitoring for equal opportunities purposes – i.e., race, disability, or religion

  • Providing a confidential service where the data subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g., where we would wish to avoid forcing stressed or ill data subjects to provide consent signatures.

  • Conducting any legal proceedings, obtaining legal advice, or defending any legal rights

Under these circumstances Oak Grove Psychology will disclose relevant data. However, we will take all reasonable steps to notify the individual whose data is being disclosed about the disclosure. We will also ensure that any such data request is legitimate, reasonable, and necessary.

We will only send information necessary to achieve business purposes. We send invoices and reports to health insurance companies and other professionals as required professionally.

As previously stated, cloud storage providers will have information shared with them in compliance with GDPR. Information is shared to the degree necessary for accounting and tax purposes.

How and Where Do You Store or Transfer My Personal Data?

All clinical records are stored on cloud-based systems hosted in the UK. We store some of your personal data in countries outside of the UK: the initial contact form is stored on servers within Europe, and all finance records are stored in our accounting software, whose servers are hosted in the United States. These are known as “third countries”. We will take additional steps to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection Legislation as follows:

  • We will only store or transfer personal data in or to countries that are deemed to provide an adequate level of protection for personal data. For further information about adequacy decisions and adequacy regulations, please refer to the Information Commissioner’s Office.

  • We will use specific approved contracts which ensure the same levels of personal data protection that apply under the Data Protection Legislation. For further information, please refer to the Information Commissioner’s Office.

How do we keep your data secure?

We will always hold your information securely and take several important measures, including the following:

  • Any client paper files and therapy notes are kept secure in a locked filing cabinet.

  • All client electronic files and therapy notes are stored in secure cloud-based software systems.

  • When clinical information is to be sent via email, we use end-to-end encrypted email accounts (i.e., ProtonMail, Egress Switch).

  • Any information you send us via email is immediately uploaded onto a secure, password-protected database.

  • We use two-factor authentication on all our devices and cloud-based software systems.

  • Limiting access to your personal data to those employees with a legitimate ‘need to know’ (i.e., those concerned directly with your care and with your account) and ensuring that they are subject to duties of confidentiality.

  • Data is backed up daily to the Cloud.

To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards. In the unlikely event of a data protection breach we will notify the Information Commissioner’s Office (ICO) so that their procedures can be followed. We will also notify all individuals whose data may have been accessed to alert them to the breach and any potential risks.