Privacy Policy

NCPS Privacy Policy

“Our Commitment to Your Privacy”

May 2018

Introduction

NCPS’s mission is to provide our clients and referrers with the highest quality care and service experience. Our NCPS associates are the public face of our company and are key to helping our company achieve our mission. A necessary part of putting that mission into practice is collating and processing information about the people we work with and offer services to.

Here at NCPS we take protecting people’s privacy extremely seriously and so we have put together this policy to explain what that means and how we go about it.

For ease of use we have organised this policy into two sections: part one of this policy focuses on our clients and part two explains about the information we process with regard our associates.

Who we are and how you can contact us

Northern Clinical Psychology Services (NCPS) provide assessment, therapies and expert consultancy services across Yorkshire and beyond. People who use our service are either referred to us by a third party (such as a health insurance company, rehabilitation agency, solicitor, local authority, etc) or they contact us direct and refer themselves or their children to us for help.

Our caring team of qualified and experienced professionals help adults, adolescents and children with a range of psychological, developmental, behavioural and mental health difficulties. We refer to our clinicians as NCPS Associates. Each of our Associates is fully qualified and accountable for ensuring the services they provide on behalf of NCPS meet not only our expectations around quality, effectiveness and data protection, but the standards also set out by the law and their professional body relating to their practice and the services they provide.

NCPS is registered with the Information Commissioners Office (ICO) and how we manage your personal information is designed to comply with all applicable laws concerning the protection of personal information, such as the General Data Protection Regulation (GDPR) 2018.

If you’d like to talk to us more about how we collect and use your information you can contact NCPS by:

Writing to us at:

NCPS Ltd.

PO Box 100

Tadcaster

LS24 0BT

Telephoning us on:

0800 622 6266

Emailing us via:

admin@ncps-uk.com

Or you can contact us via our website (which has lots more information about our service on) using the direct contact form:

www.ncps-uk.com/contact/

Part One: Our Clients

What information we collect about you

Sharing your personal information with us is a necessary and core part of being a client within a health care setting. That being said we understand that the nature of our business often means that clients share with us very private and sensitive information.

The data we collect and hold about you helps us to provide you with the most appropriate care and a quality service. We treat your information with the utmost respect and understand it is important for us to be transparent with you about what information we collect and process about you.

When people are referred to NCPS by a Third Party (e.g. health insurance company, rehabilitation agency, solicitor, local authority, etc), we are supplied with information from that third party. This information is called ‘referral information’ and will include details of why you are being referred to us, what type of service you are looking to NCPS to provide you with, your name and contact details, and relevant clinical and health information (such as your date of birth, past assessments and diagnoses, copies of prior assessments, records and reports, details of other professionals involved in your care, etc). Before providing NCPS with this information, the Third Party should have discussed the referral with you and sought your permission to provide us with your information.

When people contact NCPS themselves, or on behalf of their children, we will ask them for their (and where relevant their child’s) full name, date of birth and contact details, some information about what they are seeking help with, some information about their background and current health needs, and about any other treatments or professionals involved in their care. This information might be collected with you over the phone, by post, by email or you may have provided us with it via the online contact form. We call this information ‘screening information’ and we use this to help us decide whether NCPS are the right service for you. If we feel we can help you and you agree to proceed with a self referral then this screening information is also used to help us allocate your care to the most suitable NCPS clinician(s). We would then pass the information you have provided us with on to that NCPS Associate so they can make the necessary arrangements to see you. If we do not feel we are the most suitable service for what you are looking for then we may suggest another service for you but we would not share your screening information with that service unless you provided NCPS with your written consent to do so.

Whilst you are under the care of NCPS we will collect more detailed information about you. This information will be directly related to the clinical services being provided and is necessary in order for us to be able to provide you with the most appropriate and quality care. We understand that the nature of our business means you will be sharing very personal and often sensitive information with NCPS and its Associates and we take the safeguarding of this information very seriously.

Sometimes it is really helpful to have someone who knows you well involved in your care with us. When this is the case we would of course discuss and agree this with you in advance. However, sometimes we are contacted out of the blue by people from our client’s personal lives, such as their parent, partner or a close relative or friend. Often these people are contacting us because they care about and are worried about the person we are seeing. When this happens we will not share any information about you with this person unless we already have your consent for us to do so. If this person shares information about you with us that we deem relevant to your care with us then this would be recorded within your clinical record as ‘third-party’ information. We always encourage people to let our client know that they have contacted us and we advise them that, unless there is a legal or clear risk / safeguarding reason for us not to, it is standard practice for us to disclose to our client that contact has taken place.

We will explain more about how we protect and store your information and who and when your information gets shared later this guide. Your NCPS clinician will remind you of some of this when you meet in person and you can ask them more about it if you would like to understand more, or alternatively contact NCPS Head Office direct using the contact details supplied at the start of this guide.

In summary, NCPS will use your information to:

Provide you with information about our service and to deal with your requests and enquiries.
Help deal with enquiries and referrals made by Third-Party referrers on your behalf (and with the permission you have provided them with).
Provide you with appropriate clinical services in line with what has been agreed (e.g. with the third-party referrer where relevant and always with yourself (or parent/legal guardian, on behalf of a minor)) and in line with the relevant professional standards and our clinical and statutory obligations as set out in law (e.g. the Mental Health Act, the Mental Capacity Act). This will sometimes include sharing your information with others, which we will explain more about later in this guide.
For service administration purposes, such as allocation of your case to NCPS Associates, processing of payments, dealing with complaints and processing requests to access information, service audit purposes (designed to ensure quality and to improve service delivery).
To contact you (or another person(s) you have nominated on your behalf) about your care, the information we process about you, to update you on changes to our service that may affect you and to respond to any correspondences we receive from you.

2. What if the client is under 18 years old?

Typically when the client is under 18 years old they are referred to NCPS by a parent, legal guardian or by a third-party referrer who has sought the consent of the parent / guardian.

If NCPS are contacted directly by a prospective client who is under 18 years old we ask that they seek their parent or legal guardian’s permission before we can accept a referral initiated by a child or young person. We would verify with the relevant adult that they are aware of and in agreement with the referral.

When a child or young person comes to us, it would be the appropriate adult (be it a parent or legal guardian) who signs any service paperwork (such as the treatment contract and consent form) and who is liable for any payments that may be applicable. Where the client is 16 or above, we ask them to sign some paperwork alongside the adult, in recognition of their capacity to provide their own consent and understanding.

NCPS recognise how important it is for children and young people to feel that they have a part to play in their care and so where appropriate, the NCPS clinician will endeavour to tailor things to the individual child including, where relevant, explaining to them about what happens to the information collected during their involvement with NCPS.

3. On what legal basis we process your information

There are a number of different reasons why we need process your information. New data protection regulations set out different legal bases or reasons why services might use and process a person’s personal and sensitive information.

Here at NCPS:

We will ask you for your explicit consent to process and use your information in certain ways and we would not process your information in those ways without your consent to do so.

We also process our client’s information under certain contractual obligations, because of legal and statutoryexpectations of our profession (to deliver appropriate health care services, to follow our professional guidelines and codes of conduct and to enable us to defend our practice in case of a claim) and for legitimate intereststhat are necessary for NCPS to function as a business.

We will explain more about these in the following section.

4. When, with who and why NCPS process and share your information

To provide our client’s with safe and effective care we sometimes need to share your information with others. We appreciate that our client’s trust us with very sensitive and personal information and so we take great care in ensuring the information we do share is appropriate to the purpose we are sharing it for.

Where people are referred to NCPS by a Third-Party, NCPS are usually contractedto share information about your care as standard. This is likely to include things like an assessment report, update or interim report, discharge report, details of questionnaires and copies of any forms they ask us to get you to sign on their behalf, as well as intermittent brief updates on how you are getting on in your treatment, your attendance records and sometimes, copies of summary session notes. The Third-Party has a responsibility to inform you about this prior to referring you to NCPS and your NCPS paperwork and clinician will remind you of information sharing practice when you come to us.

Where people refer themselves to NCPS we will not share any information that would identify you unless you have provided us with your explicit consentto do so. However, there are times when information that does not identify you would be shared and, more rarely, times when identifiable information is shared without NCPS needing your consent. We have explained the times when these might apply below.

Whether you come to NCPS via a third-party or direct all ongoing cases are regularly discussed as part of case management. This is where each Associate briefly reviews each case they are working on with a senior NCPS clinician (e.g. the Managing Director or Clinical Manager). Case management is designed to support our Associates in their delivery of the most appropriate and quality careto our clients and to enable us to provide updates to Third-Party referrers where relevant and in line with contractualexpectations. In addition, and in line with professional standards and professional registration(where relevant) all NCPS clinicians have regular clinical supervision during which they may discuss cases they are working on. This practice is a core part of being a therapist and is designed to ensure clinicians are working effectively and safely. Supervision, like any other element of clinical practice, conforms to the same standards and expectations with regard data protection and people’s right to privacy as set out at within the relevant professional standards and the law.

There are times when we may process and share your information without needing your consent to do so. We would always endeavour to inform you of this in advance, however this may not always be possible (e.g. if time is short or we cannot get hold of you) or appropriate (e.g. if in telling you about sharing your information we may increase clinical risk, increase the risk posed to another or, in the case of illegal activities, may interfere with an investigation or legal process). The times when this would come into force include:

NCPS and its Associates have a statutory duty of care(as set out by the relevant professional body, regulatory body and / or the law) to keep appropriate clinical records and to share information with relevant parties and agencies (including but not limited to your GP, social services, the Police, your case handler where Third-Party referrers are involved, and other professionals involved in your care) where there is reasonable evidence of a risk or safeguarding concern (e.g. risk of the client harming them self, a risk to the public, concerns over the well being of a child or vulnerable adult) or where the clinician has a duty to uphold the law.
Where NCPS and/or your clinician are subject to a court order or subpoenathen this requires them to provide any relevant information requested.
Where your information is being processed on behalf of NCPS, and under contract with NCPS, with regard NCPS business and legitimate interests(such as the bank processing BACS payments, cloud storage providers, email service suppliers, etc) we take great care in protecting your identity and any personal or sensitive information (e.g. by using non-identifiable references, password protecting documents and attachments, and taking reasonable steps to verify that services involved in such processing have safeguards in place and meet GDPR standards).

5. How long we keep your information for

NCPS only store your information for as long as is needed and then it is deleted and/or destroyed.

Where we collect your information only as part of an enquiry and you do not engage in our services as a client then we store your information for 12 months from the point we finished dealing with your enquiry. The reason we do not delete your information immediately is that we find clients often come back to us for further information or to become a client of our service within the weeks and months after making an enquiry with us. So by retaining your information for a few months it enables us to deal with follow-up enquiries or referrals much faster and means we do not have to ask you for the same information again. If you make an enquiry with us and would like us to immediately delete your information then please just ask us at the time or contact us at NCPS Head Office using the contact details at the start of this guide.

Where you come to us as a client regardless of whether you have referred yourself or been referred by another party and regardless of how long you remain as a client of NCPS you will have a ‘clinical record’ with us. A clinical record is a place where all your information is stored and contains everything that is relevant to the care we provide you with. A clinical record would include information such as copies of referral information, copies of session notes, assessments, measures and questionnaires undertaken, copies of forms you have filled in, copies of reports, letters, messages and emails relating to your case and notes from meetings or discussions that have taken place regarding your case.

We retain and store a client’s clinical record even after they finish being seen by NCPS. Where children and young people are concerned we retain their clinical record up until they reach the age of 25 years old. With adult clients we will retain the clinical record for 8 years after they are discharged. We retain records for this length of time in order to:

comply with our statutory duties as clinicians to keep appropriate clinical records
enable us to defend against legal action that may be instigated against us or assist with court cases where we are subject to supplying information under subpoena or court order
to meet the expectations placed on us within the contractual terms and conditions of relevant professional indemnity policies.

6. What we do to keep your information with us safe and secure

As well as only sharing information with others when appropriate (as already explained); we take great care to ensure the safety and security of the information we record, store, process and transfer.

As already mentioned NCPS are registered with the Information Commissioner’s Office (ICO) and follow relevant legal and practice guidance when it comes to processing your information. As such NCPS we are called the Data Controllers (the party responsible for the information and how it is processed) of your information. It is NCPS who store your information safety until such time your information would automatically be deleted because it is no longer needed. During the time you are being seen by the NCPS Associate, however, it is necessary for them to store and process some of your information relating to the care being provided on NCPS’s behalf. Whilst they are processing your information for and on behalf of NCPS the Associate is called a Data Processor: we provide our Associates with guidance and strict expectations relating to how they should process your information on behalf of NCPS. In addition to this all NCPS Associates are registered with the Information Commissioner’s Office (ICO) in their own rights and, as such, are accountable for their own practices when it comes to data processing. What this means is that they also have a direct responsibility to you in relation to the personal and sensitive information they hold about you and will need to inform you should they intend to process your information for any other reason than on NCPS’s behalf or if they wish to store your information beyond the time you are seeing them.

NCPS have a data protection regime in place to oversee the effective and secure processing of your personal data. All the personal data NCPS process is processed by our staff and Associates in the UK and we do not share your information with others except where this is in your best interests or we are compelled to do so (as outlined in the section ‘When, with who and why NCPS process and share your information’). We restrict access to your information using a number of security measures (e.g. lockable and fire retardant physical storage, individualised access IT system log-ins, IT encryption).

Our IT systems use secure cloud based storage located on servers within the European Union. Where we use US based products (e.g. email communication, website host) we ensure such providers have agreements in place in relation to practice compliance with EU GDPR data protection standards. To further safeguard your information we encrypt any sensitive information transferred using electronic means.If our clients want to share sensitive personal information with us we advise them to contact us, or their NCPS Associate therapist, direct (e.g. via phone or speaking in person). There are times, however, when sharing sensitive information with us electronically is helpful to a client. If so, we would always recommend you protect your confidential and sensitive information, for example, by putting it in an attachment and password protecting it. If you are unsure of how to do this then just contact us using the details at the start and we will provide you with support on how you can encrypt information. You can also get advice online about protecting your data, such as on the getsafeonline website (getsafeonline.org).

At the end of the period we store your information for it is deleted. For any paper records this would involve destroying your information using appropriate confidential waste systems (e.g. confetti shredder). Where electronic information is concerned, your information would be deleted from our systems and any hardware, once no longer used, would be subject to a permanent deletion process (e.g. physically destroyed or permanent data erasure).

If you would like more information on this then please contact us using the details at the start of this guide and we would be happy to respond to any queries you may have.

Our Website

Our website may contain links to other sites run by other organisations, for example news articles, or links to other clinicians. This privacy policy only applies to our website, so we advise you to read the privacy statements of other websites that you visit as we can’t be held responsible for their privacy policies and practices.

You can communicate with us via e-mail, however it is important to note that information sent via e-mail is not encrypted. This means that information you send us may not be secure, so please bear this in mind when sending information - particularly over shared internet connections (such as in a cafe or library). However, we do offer a service to allow information to be securely transmitted to us, and this will be explained if you sign-up to our services. However, if you wish to send us personal and/or sensitive information before signing up, please telephone us first and we will send you an encrypted document which can be used to securely transmit information.

We use HTTPS to secure the connection to our website, and you can verify this by looking for the small padlock near the website address bar near the top of your web browser.

We use analytics software provided by Wix.com to collect information about how you use our website. This includes information on the pages you visit, how long you spend on them, how you arrived at the website originally (i.e. through a search engine), and what you click whilst on the site. This allows us to identify which pages on the site are popular, and allows us to make improvements to the website based on how it is used.

Cookies are small files that are stored on your computer, which contain information about visits to websites you visit, and how you use and interact with the website.

The only cookies we use are technical cookies that are necessary to run the website from a technical level, and to ensure it runs quickly and efficiently. For example, our cookies collect information on the type of web browser you are using, and how you’re accessing the website (for example using a web browser on a mobile phone).

We do not use profiling cookies, which are cookies used to provide personalised recommendations and website tailoring based on how you use the site, and we do not use cookies for advertising purposes at all.

You can turn off, or delete, cookies by looking in your web browser settings, and information on how you can do this can be found in the ‘Help’ function of your web browser.

If you need any further information on our use of cookies, please contact us using the details in this policy, or visit the website www.aboutcookies.org.

7. Your rights

We make every effort to make sure the information we hold about you is accurate, kept safe and processed responsibly. As the person who the information is about, you have a number of rights when it comes to the information we process about you.

You have a right to see the information we hold about you. This may be for your own records or because you wish to transfer your care records to another provider. To access your information all you need to do is write to us using the contact information at the front of this guide. This is called making a ‘Subject Access Request’. We will respond to straightforward requests, free of charge, within a month of receiving your access request in writing. Where a person’s records are substantial or repeated access requests are made, then it may take up to two months and we reserve the right to charge for administrative costs. If we receive a request for copies of your records from third parties we will only share information with them if we have your written consent to do so (notwithstanding the occasions when we are compelled to share information as described in the section ‘When, with who and why NCPS process and share your information’).

If you believe the information we hold about you contains errors or needs updating then you have a right to ask us, in writing, to alter our records. Where this extends to clear errors, omissions or outdated information we will take immediate action to update our information. We have a duty, however, to uphold a clinician’s position and opinion where applicable.

We have explained there are clear reasons why we retain records for as long as we do and our commitment to not keeping your information for any longer than this. You do have a right to ask us to erase the information we hold on you however if this request is received in relation to your clinical record and before the relevant retention period then we would not be able to erase your clinical record for the reasons already outline in this guide. If your request is in relation to other information we hold (e.g. your bank details, an enquiry form) which does not need to be retained for these reasons then we will of course take appropriate action.

NCPS take great care in ensuring the safety and privacy of your information. In the unlikely event of a data breach occurring (for example personal data is lost, corrupted, unintentionally shared) then we have a duty to take appropriate steps to minimise any potentially negative impact the breach may cause. If there is clear evidence of a breach then we will notify those affected no later than 72 hours after the breach becomes known. As part of our registration with the Information Commissioner’s Office (ICO) we have a duty to disclose serious breaches to them as well.

If you would like any further information about how NCPS process your information then please do not hesitate to contact us using the contact details at the start of this guide. If you wish to raise a complaint on how we have handled your personal data, you can contact us in writing to have the matter investigated at:

Head Office

NCPS Ltd.

PO Box 100

Tadcaster

LS24 0BT

Or via email:

admin@ncps-uk.com

If you are not satisfied with our response or believe we are not processing your information in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/

Part Two: Our Associates

What information we collect about you

In order to register with NCPS as an associate it is necessary to share with us your personal information as well as details about your professional qualifications and background.

The data we collect and hold about you helps us to:

ensure the services we offer to our clients and referrer is both safe and of the highest quality

provide you with the support you need to practice as an NCPS associate

process business related matters, such as payment for services, contacting you about service changes and updates and to respond to any communication we receive from you.

As with clients of our service, we treat our associate’s personal information with the utmost respect and understand it is important for us to be transparent with you about what information we collect and process about you.

In order to register as an associate with NCPS we ask you to supply us with information and, where relevant evidence, as to your:

Name and contact details
Professional qualifications, experience and training
Payment and banking details

For associates who register with us as care providers we also ask them for details of:

Professional registrations (e.g. HCPC)
Registration with the Information Commissioner’s Office (ICO) as a Data Controller
An up to date Disclosure and Barring Service (DBS) certificate
Details of professional referees and clinical supervisor

Where your registrations are in the public domain (eg ICO, HCPC, DBS update service) we reserve the right to check on these as and when needed.

We also ask you to confirm you

have appropriate professional indemnity insurance coverage
use safe and appropriate premises from which you deliver services
understand and abide by relevant professional and legal practices
have read, understood and signed an associate agreement
are willing to sign up to the online DBS update service.

2. On what legal basis we process your information

Here at NCPS:

We will ask you for your explicit consentto process and use your information in certain ways and we would not process your information in those ways without your consent to do so.

We also process our Associate’s information under certain contractual obligations(e.g. as set out in the Associate Agreement), because of legal and statutoryexpectations of our profession (to deliver appropriate health care services, to follow our professional guidelines and codes of conduct and to enable us to defend our practice in case of a claim) and for legitimate intereststhat are necessary for NCPS to function as a business.

We will explain more about these in the following section.

3. When, with who and why NCPS process and share your information

To enable us to work with associates it is sometimes necessary to share your information with others. We only share information that is necessary and appropriate to the purpose we are sharing that information for and we take great care in protecting your data during transit.

It is sometimes helpful for referrers or third-parties also involved in the care of a client to be able to contact and liaise with our clinical associates in the best interests of that client. We will always seek your permission (consent) before sharing your contact details for this reason and, to help keep everything on track we ask that NCPS are copied in or, at the very least updated at the time, of any direct communication with third-parties in relation to NCPS business.

Connecting clients and clinical associates is usually through a referral to the associate, who would then contact the client direct and share with them their preferred method of contact. However, if a client were to misplace their associate’s contact information and ask the NCPS office for that information, then we will contact you to either ask your permission (consent) for us to share that information or to ask you to contact the client yourself.

There may be times when NCPS share your information without needing your consent:

We may process and share your information for legitimate interestsassociated with running a business. Where your information is being processed on behalf of NCPS, and under contract with NCPS, with regards to NCPS business and legitimate interests (such as the bank processing BACS payments, cloud storage providers, email service suppliers, etc) we take great care in protecting your identity and any personal or sensitive information (e.g. by password protecting sensitive documents and attachments, and taking reasonable steps to verify that services involved in such processing have safeguards in place and meet GDPR standards).
NCPS have a statutory duty of care(as set out by the relevant professional body, regulatory body and / or the law) to keep appropriate records and to seek and/or share information from and with relevant parties and agencies where
- there is reasonable evidence of a risk or safeguarding concern either relating to your client, the public and/or vulnerable other
- there is reasonable evidence of you posing a risk to others or significantly failing in your statutory and ethical professional duties
- NCPS are subject to a court order or subpoena that requires them to provide any relevant information requested, including your personal details.

4. How long we keep your information for

NCPS only store your information for as long as is needed and then it is deleted and/or destroyed.

Once notice in respect of end of service is reached we will remove your details from our list of active Associate’s within the office and on our company website.

If you have actively provided clinical services as an NCPS associate then we will retain your personal information for as long as we retain the client records for the cases you have been involved in. Where children and young people are concerned we retain their clinical record up until they reach the age of 25 years old. With adult clients we will retain the clinical record for 8 yearsafter they are discharged.

5. What we do to keep your information with us safe and secure

As already mentioned NCPS are registered with the Information Commissioner’s Office (ICO) and follow relevant legal and practice guidance when it comes to processing your information.

NCPS have a data protection regime in place to oversee the effective and secure processing of your personal data. All the personal data NCPS process is processed by our staff in the UK and we do not share your information with others except where this is in your best interests or we are compelled to do so (as outlined in the section ‘When, with who and why NCPS process and share your information’). We restrict access to your information using a number of security measures (e.g. lockable and fire retardant physical storage, individualised access IT system log-ins, IT encryption).

Our IT systems use secure cloud based storage located on servers within the European Union. Where we use US based products (e.g. email communication, website host) we ensure such providers have agreements in place in relation to practice compliance with EU GDPR data protection standards. To further safeguard your information we encrypt any sensitive information transferred using electronic means. If our associates want to share sensitive personal information with us we advise them to contact their NCPS case manager directly or, if preferred, they can contact the NCPS main office using the contact details supplied at the start of this policy. There are times, however, when sharing sensitive information with us electronically may be helpful and in such cases we would always recommend you protect your confidential and sensitive information, for example, by putting it in an attachment and password protecting it.

6. Your rights

You have a right to see the information we hold about you. If you wish to know what information we hold about you as an associate then please just ask us and we will be happy to share this with you direct. If you are wishing to access information relating to a case you have worked on in the past then we would need you to put that request to us in writing, along with your reasons for asking and you your intentions are with regard to that information so that we can decide on next steps. The reason for this is that we have a duty to our client’s to protect their information and only share it under the terms and conditions outlined in this policy. Depending on the nature and outcome of this request we reserve the right to charge for administrative costs.

If you believe the information we hold about you contains errors or needs updating then you have a right to ask us to alter our records. Where this extends to clear errors, omissions or outdated information we will take immediate action to update our information.

We have explained there are clear reasons why we retain information for as long as we do and our commitment to not keeping your information for any longer than this.

Head Office

NCPS Ltd.

Tadcaster

LS24 0BT

Or via email:

admin@ncps-uk.com

If you are not satisfied with our response or believe we are not processing your information in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/