On 25th May 2018 it became a legal requirement under the GDPR (General Data Protection Regulation) for us to be explicit with you about our data processing procedures. Most importantly the GDPR made it a legal requirement for you to actively opt in and consent to these arrangements and the handling of your data.
In the context of this Policy, Untapped (Uk) CIC is both the ‘Data Controller’ and the ‘Data Processor’ of the personal data you provide to us, and we will sometimes refer to ourselves in this Policy as “we”, “us” or “our”.
The term Data Controller means that Untapped (Uk) CIC determines the purposes and way in which any personal data you provide to us is, or will be, processed.
The term Data Processor means that Untapped (Uk) CIC is responsible for processing personal data you provide to us.
We are registered with the UK Information Commissioner’s Office (www.ico.org.uk) which is our lead data protection supervisory authority.
All of your data is secure and compliant with current regulations. We have always adhered to codes of confidentiality set by our professional and supervising bodies (British Association of Art Therapists (BAAT) and Health Care Professions Council (HCPC)). We also adhere to legislation upheld by the conditions of our Insurer. Without your personal information or your explicit agreement to store it, we are unable to provide you with therapeutic services.
In order for us to provide a safe and professional clinical treatment including supervision and consultation services and to arrange invoices and payments, we have measures regarding the handling and storage of the sensitive personal information which you share with us.
Whenever you provide personal information, we will treat that information in accordance with current Data Protection legislation, keeping only the minimum required. We only use your personal information to administer your account, provide you with therapeutic / supervisory services and invoice you. Personal information may be collected through use of the company website or through other points of contact relevant to activities with Untapped (Uk) CIC that you wish to engage with.
For example, we collect personal information when you:
The types of personal information collected will be relevant to these services. Information collected/requested may include your title, first name, surname, gender, age and your preferred contact details (telephone, address, email address).
We ask for any pertinent historical information and information about other professionals supporting you, including your family doctor (GP). This allows a thorough assessment of your needs and liaison in order to ensure you receive the best care. Your GP maintains medical responsibility for you.
We also collect information about your visit to our websites and the devices you use to access them (desktop and mobile), and this may include an IP address. This information is used to help us follow browsing preferences on our websites so we can improve them and enable more advanced features to enhance the user experience.
Your details will be kept in a confidential and secure environment including written case notes. Your phone number may be kept in my business mobile phone which is passcode protected. When you pay by BACS your name will appear on bank statements and only your contact details are stored within our accounting software. With this in mind, please consider the identifying information you share when making a payment through these means.
Data protection legislation says that we are allowed to use and share your personal data only where we have a proper reason to do so. We rely on a number of legal bases to use your information, as set out in this Policy:
The lawful basis for collecting and processing special category data such as sensitive health information is:
Contract (Article 6.b): The use of your information is necessary to perform any contractual obligations in order to provide any Services to you which you have requested including a no obligation initial consultation.
Requirement to provide health-related services (Article 9.2(h)): processing is necessary for the provision of health or social care or treatment on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
You are not obliged to provide your personal information to us when generally navigating our website; however, we cannot fulfil any specific requests for information or provide you with specific services unless you do so.
In order to provide you with services we may need to collect personal data which data protection legislation regards as sensitive or special categories of personal data, for example, information relating to your physical or mental health. By completing and signing our Referral form for the services you have purchased from us, you will signify your explicit consent to such sensitive data being processed by us.
Any such information provided will be held in the strictest confidence and used only for the purpose stated.
When we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under relevant legislation. To meet the requirements of the Limitation Act 1980, we may need your personal information for legal, accounting or regulatory purposes. Your personal information, session notes, Referral form and Privacy & Consent Notice will continue to be stored securely for 7 years from the point of our final contact. For children, this time scale runs from the point of their 18th birthday. After this time information will be destroyed through shredding or by a safe data destruction company.
The only exceptions to this are where:
We will never sell on data or use it for unethical reasons.
It is our usual practice to liaise with our professional colleagues from education, health or social care when they are supporting you or will be in the future; however, we won’t do this without your consent.
Clinical supervision is part of best and safe practice for art therapists. Art Therapy supervision cannot happen without sharing clients’ images, which will be done confidentially with a professional supervisor who is bound by comparable rules of confidentiality.
On rare occasions, when we are concerned about the risk of harm to a child or vulnerable adult who may require Safeguarding, we have a duty of care and legal obligation to share data with Social Care or the Police. We may also have to share data if our notes are subpoenaed by a court, or if there is a duty to disclose in order to comply with any legal obligation (for example terrorism alerts, money laundering).
In the unexpected event that your therapist is unable to work with you due to serious ill health, a ‘Clinical Executor’ who is bound by comparable rules of confidentiality will have access to your details to get in touch with you.
The website is based on a content management system and, for the website to function, certain other cookies may be stored temporarily on your computer. In particular, the text size widgets utilise cookies to remember the setting between pages and certain other cookies are required to ensure correct functioning of the website and are not used for any other purpose.
You have the ability to accept or decline cookies by modifying the settings in your web browser; however, you may not be able to use all the features of the website if cookies are disabled. For information on how to disable cookies, please consult the “Help” tab of your browser via the menu bar. The information stored in cookies is safe and anonymous to any external third party. You can find more information about cookies at http://www.allaboutcookies.org/ and www.youronlinechoices.com/.
We will use operational procedures and technical and organisational security measures to mitigate any unauthorised access, change, deletion or transmission of your personal information. Although we do our best in this way to protect your personal information, you should be aware that the transmission of information via the internet is not completely secure and we cannot guarantee the security of your personal information transmitted by you to us via email address or website or any third party; for this reason, any such transmission is at your own risk.
The email system which we use utilises encryption in transport and at rest. If you choose to email this service from an insecure email address, please consider limiting content in order to protect your privacy when sharing information via email with us.
Under applicable data protection laws you are entitled to request the following:
(to request access to your personal information and information about how it is processed);
(to have your personal information corrected if it is inaccurate and to have incomplete personal information completed);
(also known as the Right to be Forgotten, however this is subject to any legal rights or obligations we may have to retain data);
of processing of your personal information;
(to electronically move, copy or transfer your personal information where appropriate);
to processing of your personal information;
These are called your Data Subject Rights and there is more information about them on the Information Commissioner’s Office website www.ico.org.uk. To exercise your rights, you can email us at firstname.lastname@example.org quoting ‘Data Subject Rights’ in the subject line of your email.
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated at email@example.com
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/