General Privacy Information
EPS(UK)Ltd, (to be referred to as ‘we’ in this document) are registered with the Information Commissioner’s Office (ICO) as required under the Data Protection Laws in the UK, and as such are committed to compliance with data protection legislation, privacy and electronic communications, medical confidentiality and NHS information guidelines.
We manage all information we collect from you with great concern for privacy and confidentiality and in accordance with current professional and legal standards. The security of your personal data has continuously been addressed by reference to the British Psychological Society’s (BPS) Code of Conduct and the Health & Care Professionals (HPCP) Standards of Conduct, but the way we handle personal information has been strengthened more recently and made more transparent by the provisions of the General Data Protection Regulation (GDPR) requirements, effective from 25th May 2018.
Our services fall within the Special Category Data Protection 9.2 Health and Social Care.
The GDPR requires us to identify the legal basis upon which we collect and use/manage/process your personal data and this Policy describes why and how we do this as well as providing you with information about individuals’ rights.
Personal data is any information relating to an identified or identifiable living person.
We process personal data on the basis of:
Our Contract with you
Our ‘legitimate interest’ to hold and process your personal data
Contract - you will have agreed for us to undertake a commission which may involve a psychological assessment and we therefore need to process your personal data in order to fulfil our contractual obligations to you. We will process this personal data in a fair, lawful and transparent way.
Legitimate Interests – psychological assessments inevitably involve psychometric profiling, which means that we will need to process special category personal data. Such data may include information about your health, cognitive functioning, educational achievements, interests, personality and relationships and family history. Depending upon the agreed nature of the Contract with you, we have a legitimate interest to collect such personal data for the purpose of forming a professional opinion or diagnosis.
Collection of Personal Data
1. By Visiting our Website
What information do we collect?
When an individual uses our ‘Contact Us’ form on the website the individual is responsible for the personal data shared with us and we will only use that data in order to respond to the contact. We may collect the following information:
Name and age of proposed client/child
Contact information including e mail address
Brief information relevant to the individuals’ concerns and the service we offer
What do we do with the information we gather from you?
We need this brief information to understand your needs and to provide an appropriate response by e mail or telephone. This may eventually lead to a commission or alternatively, we may be able to provide advice on where to access more appropriate professional support. If we agree a commission this data will be securely kept in line with our record keeping and to inform our service to you.
We do not forward or share any personal information to a third party unless legally obliged to do so. We do not use information for promotional offers, market research or any other reason.
How long do we hold information about you?
We will only keep information about you for as long as is necessary to fulfil any Contract with you. Electronic information is not saved as a paper/hard copy unless it forms part of necessary record keeping and any hard copies are securely destroyed when our Contract with you has entirely ended. Contacts from the website where you provide an e mail address will not be stored on the website. E mail addresses are automatically saved on password protected devices but are deleted from all devices if a Contract is not agreed. Paper notes made during telephone calls are securely destroyed as soon as any relevant information is incorporated into an electronic Report, or immediately following a communication which goes no further.
In order to prevent unauthorised access to personal data we have suitable physical, electronic and managerial procedures in place.
Information about Cookies
This website does not collect or store information about you based on your internet browsing for the purposes of marketing or targeting you with specific content or messages.
Cookies are used here to allow your web browser to ‘remember’ that you have visited the site before. You can select the option in your own web browser to ‘clear history’ which will remove all evidence of having visited the site if you wish.
Links from our Website
You are welcome to click on links within our website to look at the services we provide but this site contains no links to other websites. Only the ‘Contact Us’ link will send your inquiry to a password protected device where we can respond by e mail, phone or by post depending on the data you provide to us.
2. From our clients
Personal and Special Category data may be collected which includes, but is not limited to, information relating to family circumstances, lifestyle, disciplinarily records, employment and education details, racial or ethnic origin, genetic data, sexual orientation, religious beliefs and mental health. Information concerning criminal convictions is also given the same level of protection within this policy and such data may be collected and used where relevant with consent.
The following section provides information relating to how EPS(UK)Ltd manages any information provided to us when we work with clients. When we refer to ‘clients’ we mean children and young people, families, clients and other people/service users, who are directly affected by the psychological services that we provide.
When we work through organisations such as a school, the school is the data controller and we are the data processor. When we work directly or privately with a child, young person or client, we are the data controller.
Our data controller is Sally Bingham, Information Commissioner’s Office (ICO) Reference ZA414873. The registered address is - 2 Chestnut Drive, Desborough, NN14 2TP.
Use of Personal Data
Reasons and Purposes for processing information
We process personal information to enable us to communicate and provide psychological services to our clients, to educational organisations, to support training, to provide welfare, healthcare and educational support for individuals and organisations. We develop as a service by using personal data to inform planning and research to enable us to maintain flexibility and adaptability to the needs of our clients.
We also use personal information in order to maintain financial accounts and to maintain records in relation to the services we provide and the business we run.
Consent, for the purposes of confidentiality, means that the client or service user understands and does not object to:
The information being disclosed or shared
The reason for the disclosure
The people or organisations the information will be disclosed or shared with
How the information will be used
In most cases relating to our professional services, such personal information will be used to communicate with and be included in a written Report in line with an agreed Contract.
For consent to be valid it must be voluntary and informed and the person giving it must have capacity to make the decision. However, if a child or young person is thought to be at risk or a client has disclosed something which must be legally reported, or they are at risk of severe harm, then consent may not be required before we share information with a third party such as a GP or the emergency services.
In some cases, it may be that personal information is requested by a court of law, coroner’s office or professional body. In such cases, our clients may have limited or no rights of refusal.
When information is shared we will make sure that:
It is necessary to provide the information
We only disclose the information that is relevant
The professional receiving the information understands why we are sharing it and that they have a duty to keep it confidential
Consent for children under the age of 16 years must be sought from someone with parental responsibility and this may be a Parent, Guardian, Local Authority or person with an emergency protection order for a child.
‘Gillick Competence’ is where a child under 16 years is deemed to understand and be able to consent to sharing or disclosing information in line with the above. As professionals we need to balance the best interests of the child or young person against other duties.
Consent for our psychological services can be withdrawn at any time by a responsible person, in which case all personal data including electronic Reports will be destroyed or deleted. If a school is our client and a Child or Young Person is named, then they may keep a record of any conversations between EPS(UK)Ltd and their School Contact on that CYP’s file.
As a small company with just two employees who are also the Directors, with its office and work space incorporated within our home address, physical security is easily maintained. Any necessary paper based personal data is stored within a locked cabinet which is in a lockable office, integral to the house. Handwritten notes, test materials or examples are destroyed or returned (if applicable) as soon as they are no longer necessary to inform the final Report. We use an approved (EU Security DIN 66399) cross cut shredding machine at security level 4, protection class 2 as advised, for highly sensitive data destruction.
Electronic Reports, personal contact details including e mail addresses, financial, legal, educational and health records and some psychometric test and questionnaire results, are saved on two office-based computers that are password or biometrically secured and do not leave the building. All other electronic devices used to access personal data from OneDrive are password or biometrically protected. Electronic data is backed up in ‘Onedrive’ (cloud storage) and can only be accessed by the data controller, Sally Bingham and Paul Bingham, Independent Psychologist. Care is taken when electronic versions of Reports are temporarily taken out of the house on memory devices that they are deleted from that memory device on return.
Additional security is purchased to ensure that all devices are reasonably secure. Any security threats are investigated.
As agreed at the outset of any Contract with you, as part of our service we will send your Report to you by e mail. We securely protect specific sensitive e mail messages and attachments with additional end to end encryption at a military level of security. In order to view, save and download these secure messages, or to send us your sensitive information securely, this system will require you to accept an invitation via a link, to register and create your own password. There's no software required, and you can use your existing email address. Most importantly, the site does not store encryption keys - only you as a recipient have the ability to decrypt your messages. There are no ‘ads’ or links to other sites as e mails are simply relayed through a secure server.
If you are not able to take advantage of this online service then we will discuss the best and most secure way to provide your Report to you.
Most of our communications with you regarding appointments, further relevant information and notifications will be done via e mail (not necessarily through the extremely secure method explained above) or telephone.
If it is established that personal data has been breached at any point, the ICO will be informed and any client likely to be affected will be contacted.
In the event of the untimely death of Paul Bingham then the Company will be closed by Sally Bingham. Recent clients from within one year of this date will be contacted as far as possible and all paper and electronic personal data will be destroyed and deleted. If the Company ceases to trade for any other reason the same will apply. In the event that both Sally and Paul Bingham unfortunately die together, then secure instructions are left for close family members to close the Company and carry out secure destruction and deletion of all personal data in a way which ensures confidentiality and security is maintained.
Retention and Storage of Information
The British Psychological Society (BPS) state that psychologists’ records should be held securely for as long as they are required for the psychological work. Personal data may be held for longer periods where extended retention periods are required by law and/or in order to establish, exercise or defend our legal rights. BPS guidelines state that adult data be stored for 7 years but data relating to children should be kept until they reach 26 years of age (NHS Guidelines).
EPS(UK)Ltd maintains both paper and electronic files. However, following guidance from GDPR we have decided to maintain paper records, which include test materials, completed questionnaires, examples of handwritten assessments and examiner’s notes, only until the final Report/Commission has been completed and we are certain that reference to such materials is no longer necessary. While considered necessary, all paper or hard files are kept secure as detailed earlier in this Policy Document.
GDPR highlights that data or information held that is not incorporated or used for the intended purpose at the outset, serves no purpose and therefore, such data will be destroyed as outlined above. All appropriate and necessary information, data and scores will be incorporated into the Final Report, which renders the notes and materials used surplus to actual need and will therefore, also be destroyed.
All electronically stored data, such as Invoices to clients, Final Reports, some psychometric assessments, e mail addresses of clients (not e mail inquiries, as stated in the website section above) will be stored securely and until the Company ceases trading. It is in our legitimate interests to do so. For example, a person may mislay their Report arising from an assessment 7 years ago, but they may now need a copy to support their request for reasonable adjustments in the workplace under the terms of the Equality Act, 2010. We might also want to retain data to support our decision making if ever that is challenged or there is a follow-up assessment in the future. Financial records may also be required if any challenge is made to our accounting at any point.
As outlined above, security is taken very seriously, and all reasonable steps are taken to ensure that electronic data is stored securely.
At the point where the Company ceases to trade, all clients from 1 year previous will be notified and informed that all personal data will soon be destroyed or deleted.
All records are destroyed under confidential conditions either using a destruction service (certificates of destruction provided) or using a process which meets standards for document destruction management.
Individual Rights to the Data Held
Under the GDPR, you have the following rights:
The right to be informed about the collection and use of your personal data
The right to access the personal data that we hold about you
The right to have your personal data rectified if any of your data held by us is incorrect or incomplete
The right to be forgotten – the right to ask us to delete or destroy any of your personal data that we hold
The right to restrict (prevent) the processing of your personal data
The right to object to us using your personal data for stated purposes
The right to data portability – if you have provided personal data to us, we are using it with your consent, you can ask us for a copy of the personal data to re-use with another business
Rights relating to automated decision making and profiling. We don’t use your data in this way
Please make any requests relating to these rights in writing to us and we will respond in a timely manner. Please note there may be a financial charge relating to your request to cover the administration of the request. Please contact us at firstname.lastname@example.org
If you believe there has been a breach of security or a breach of your personal data rights, please contact us in the first instance. Alternatively, if you still have concerns, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/
EPS(UK)Ltd is strongly committed to protecting your personal data. If you have any unanswered questions, please contact us at email@example.com
Review date – August 2019