On 25th May 2018 it became a legal requirement under the GDPR (General Data Protection Regulation) for us to be explicit with you about our data processing procedures. Most importantly the GDPR made it a legal requirement for you to actively opt in and consent to these arrangements and the handling of your data.

In compliance with the GDPR, our new Privacy Policy explains in detail what information we receive from you and why. It also outlines in which circumstances and how we may share your personal information and with whom we share it with. The latest revision of this Privacy Policy was published on 16th August 2018. Please read the following carefully to understand our views and practices regarding your personal data. By visiting our website you are accepting and consenting to the practices described in this policy. Please check back regularly to keep track of any Privacy Policy update. We care about your privacy and being transparent about our data handling. This ‘Privacy Policy’ sets out how we handle your personal data securely and in accordance with your rights. We only collect personal information necessary to deliver our services and we handle it carefully and sensibly.

  1. Who We Are

In the context of this Policy, Untapped (Uk) CIC is both the ‘Data Controller’ and the ‘Data Processor’ of the personal data you provide to us, and we will sometimes refer to ourselves in this Policy as “we”, “us” or “our”.

The term Data Controller means that Untapped (Uk) CIC  determines the purposes and way in which any personal data you provide to us is, or will be, processed.

The term Data Processor means that Untapped (Uk) CIC is responsible for processing personal data you provide to us.

We are registered with the UK Information Commissioner’s Office (www.ico.org.uk) which is our lead data protection supervisory authority.

All of your data is secure and compliant with current regulations. We have always adhered to codes of confidentiality set by our professional and supervising bodies (British Association of Art Therapists (BAAT) and Health Care Professions Council (HCPC)). We also adhere to legislation upheld by the conditions of our Insurer. Without your personal information or your explicit agreement to store it, we are unable to provide you with therapeutic services.

In order for us to provide a safe and professional clinical treatment including supervision and consultation services and to arrange invoices and payments, we have measures regarding the handling and storage of the sensitive personal information which you share with us.

  • Personal Information We May Collect

Whenever you provide personal information, we will treat that information in accordance with current Data Protection legislation keeping only the minimum required. We only use your personal information to administer your account, provide you with therapeutic / supervisory services and invoice you. Personal information may be collected through use of the company website or through other points of contact relevant activities with Untapped (Uk) CIC that you wish to engage with.

For example, we collect personal information when you:

  • Contact us in person or by telephone, email or letter in order to discuss potential services we offer;
  • Make an enquiry by completing a contact form on our website;
  • Register to attend an event;
  • Register for learning and development activity;
  • Submit any other information in connection with the purchase of our services.

The types of personal information collected will be relevant to these services. Information collected/requested may include your title, first name, surname, gender, age and your preferred contact details (telephone, address, email address).

We ask for any pertinent historical information and information about other professionals supporting you, including your family doctor (GP). This allows a thorough assessment of your needs and liaison in order to ensure you receive the best care. Your GP maintains medical responsibility for you.

We also collect information about your visit to our websites and the devices you use to access them (desktop and mobile), and this may include an IP address. This information is used to help us follow browsing preferences on our websites so we can improve them and enable more advanced features to enhance the user experience.

  • Storing Your Personal Data

Your details will be kept in a confidential and secure environment including written case notes. Your phone number may be kept in my business mobile phone which is pass code protected. When you pay by BACS your name will appear on bank statements and only your contact details are stored within our accounting software. With this in mind, please consider the identifying information you share when making a payment through these means.

  • Our Reasons For Data Processing 

Data protection legislation says that we are allowed to use and share your personal data only where we have a proper reason to do so. We rely on a number of legal bases to use your information, as set out in this Policy:

The lawful basis for collecting and processing special category data such as sensitive health information is:

Contract (Article 6.b): The use of your information is necessary to perform any contractual obligations in order to provide any Services to you which you have requested including a no obligation initial consultation.

Requirement to provide health-related services (Article 9.2(h): processing is necessary for the provision of health or social care or treatment on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

  • Do You Have To Give Us The Personal Information We Ask For?

You are not obliged to provide your personal information to us when generally navigating our website; however, we cannot fulfil any specific requests for information or provide you with specific services unless you do so.

In order to provide you with services we may need to collect personal data which data protection legislation regards as sensitive or special categories of personal data, for example, information relating to your physical or mental health. By completing and signing our Referral form for the services you have purchased from us, you will signify your explicit consent to such sensitive data being processed by us.

Any such information provided will be held in the strictest confidence and used only for the purpose stated.

  • How Long Do We Keep Your Information For?

When we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under relevant legislation. To meet the requirements of the Limitation Acts 1980, we may need your personal information for legal, accounting or regulatory purposes. Your personal information, session notes, Referral form and Privacy & Consent Notice will continue to be stored securely for 7 years from the point of our final contact. For children, this time scale runs from the point of their 18th birthday. After this time information will be destroyed through shredding or a safe data destruction company.

The only exceptions to this are where:

  • The law requires us to hold your personal information for a longer period or to delete it sooner;
  • You exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;
  • We bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible; or
  • In limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period
  • Sharing Your Information With Third Parties

We will never sell on data or use it for unethical reasons.

It is our usual practice to liaise with our professional colleagues from education, health or social care when they are supporting you or will be in the future, however we won’t do this without your consent.

Clinical supervision is part of best and safe practice for art therapists. Art Therapy supervision cannot happen without sharing client’s images which will be done confidentially with a professional supervisor who is bound by comparable rules of confidentiality.

On rare occasions, when we are concerned about the risk of harm to a child or vulnerable adult who may require Safeguarding, we have a duty of care and legal obligation to share data with Social Care or the Police. If our notes are subpoenaed by court, we may have to share data,  or if  there is a duty to disclose in order to comply with any legal obligation (for example terrorism alerts, money laundering).

In the unexpected event that your therapist is unable to work with you due to serious ill health, a ‘Clinical Executor’ who is bound by comparable rules of confidentiality will have access to your details to get in touch with you.

  • Cookie Notice

A cookie is a small piece of data sent from a website and stored in your web browser on your computer, mobile or other handheld device, while you are browsing a website. Our Site uses Cookies to identify you. Cookies can store your account identifier, personalisation or website tracking. They can also be used for technical purposes such as keeping track of your current browsing session, collecting information about your computer, including (where available) your IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns, and we will not use it in isolation to identify you or any individual.

The website is based on a content management system and, for the website to function certain other cookies may be stored temporarily on your computer. In particular, the text size widgets utilise cookies to remember the setting between pages and certain other cookies are required to ensure correct functioning of the website and are not used for any other purpose.

You have the ability to accept or decline cookies by modifying the settings in your web browser; however, you may not be able to use all the features of the website if cookies are disabled. For information on how to disable cookies, please consult the “Help” tab of your browser via the menu bar. The information stored in cookies is safe and anonymous to any external third party. You can find more information about cookies at http://www.allaboutcookies.org/ and www.youronlinechoices.com/ .

  • Data Security

We will use operational procedures and technical and organisational security measures to mitigate any unauthorised access, change, deletion or transmission of your personal information. Although we do our best in this way to protect your personal information, you should be aware that the transmission of information via the internet is not completely secure and we cannot guarantee the security of your personal information transmitted by you to us via email address or website or any third party; for this reason, any such transmission is at your own risk.

The email system which we use utilises encryption in transport and at rest. If you choose to email this service from an insecure email address, please consider limiting content in order to protect your privacy when sharing information via email with us.

  1. Links To Other Websites

The Untapped (Uk) CIC website may contain links to other websites of interest. However, you should note that we do not have any control over such websites and we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Policy. You should therefore look at the privacy statements applicable to any such websites as appropriate.

  1. Your Rights Regarding Access, Correction And Deletion Of Personal Information

Under applicable data protection laws you are entitled to request the following:

  • Right Of Access 

(to request access to your personal information and information about how it is processed);

  • Right To Rectification 

(to have your personal information corrected if it is inaccurate and to have incomplete personal information completed);

  • Right To Erasure 

(also known as the Right to be Forgotten, however this is subject to any legal rights or obligations we may have to retain data);

  • Right To Restriction 

of processing of your personal information;

  • Right To Data Portability 

(to electronically move, copy or transfer your personal information where appropriate);

  • Right To Object 

to processing of your personal information;

  • Rights With Regards To Automated Individual Decision Making, Including Profiling.

These are called your Data Subject Rights and there is more information about them on the

Information Commissioner’s Office website www.ico.org.uk . To exercise your rights, you can

email us at mail@ksarttherapy.co.uk quoting ‘Data Subject Rights’ in the subject line of your email.

 If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated at info@untapped.org.uk 

 If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/