Privacy Notice
If you have any questions regarding this policy, please contact our Data Protection Lead, using the following details:
Paul Brown Therapist Ltd,
Company No: 15273502.
9 Branklene Close, Kimberly, Nottingham, NG16 2NY
Email: letstalk@paulbrowntherapist.com
Paul Brown Therapist Ltd takes privacy and confidentiality very seriously. This policy informs you how we collect personal information. Personal information is held strictly in accordance with the General Data Protection Regulation (GDPR). Paul Brown Therapist Ltd may at times modify, alter and update this Privacy Policy. We will notify you of any changes to this Privacy policy by posting the amended version on our website. Paul Brown Therapist Ltd only collects the personal data required to carry our core business.
This policy applies to information we collect about:
• Visitors to our websites
• People who use our services
• Any other information that you may choose to send to us
• Third party suppliers
Information we collect and what we use it for Visitors to our websites:
When someone visits our Site, we collect standard internet log information and details of visitor behaviour patterns, we do this to find out things such as the number of visitors to the various parts of our site. We collect this information in a way that does not identify anyone. We may use your personal information to monitor and improve our website site. By using our website, you
agree to the collection and use of information in accordance with this policy.
Search engine :
Search queries and results are logged anonymously to help us improve our website and search functionality, no user-specific data is collected by either Paul Brown Therapist Ltd or any other third party.
People who use Paul Brown Therapist Ltd online services:
Paul Brown Therapist Ltd offer various services to its clients, including event booking. These services are provided by third parties [for example, EventBrite or Survey Monkey].
Where possible, we do not request personal identifiable information unless it is necessary for the functionality of the service being provided. We will not request more information than necessary to supply the service. We will only use details to provide the service the person has requested and for other closely related purposes. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.
When financial transactions take place online and a third party processor has been used then your information will be stored on their servers securely and in line with GDPR.
People who email us:
Any email sent to us, including any attachments, may be monitored and used for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used.
Communications:
We may use your personal information to contact you with newsletters, marketing or promotional material.
We may also gather content in the form of film, photography and case study stories for use in our PR and marketing activity. Our process for this involves informed consent. At events we put up a notice informing people of our activities, with a contact person for people to make themselves known to crew if they do not wish to be filmed.
If we are gathering case studies, we discuss the potential use of those case studies, images etc. in terms of where and how the case studies and images may be used.
Complaints about Paul Brown Therapist Ltd:
All complaints about Paul Brown Therapist Ltd are treated seriously and we will only use the personal information we collect to process the complaint and to check on the level of service we provide.
Lawful processing of personal data:
Paul Brown Therapist Ltd will only process your personal data in accordance with one of the conditions for lawful processing set out in the GDPR. The main ways in which we process data are as follows:
• Processing on the basis of consent
• Processing is necessary for the performance of a contract
• Processing based on “legitimate interests”
Retention of data Information:
about how long we keep the personal data of members is set out in our retention policy, available on request by contacting us. For non-members, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Security:
We will respect your confidentiality and will keep the information about you confidential. We store it securely and control who has access to it.
We will only share such information as necessary, and where we are satisfied that a third party is entitled to receive it and they will keep your information confidential and secure.
The security of your Personal Information is important to us, but remember that no method of transmission over the internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
Other websites:
If you transfer to another website from a link within the Paul Brown Therapist Ltd website, this privacy notice does not apply. We recommend you examine all privacy statements for all third party websites to understand their privacy procedures.
Your rights:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to this privacy notice:
We aim to keep this notice under review to reflect changes to law or practice. Last updated: November 2023.
Data Protection Policy Statement
Introduction and purpose:
Paul Brown Therapist Ltd needs to comply with the requirements of the General Data Protection Regulation (GDPR), and related data protection legislation. The purpose of this policy is to set out the principles of data protection that Paul Brown Therapist Ltd adheres to, and what Paul Brown Therapist Ltd does to protect data subjects’ personal data. Paul Brown Therapist Ltd will follow procedures which aim to ensure that all employees and consultants, who have access to personal data held by or on behalf of the Paul Brown Therapist Ltd are fully aware of and abide by their duties under the GDPR.
This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
Scope:
This policy applies to anyone who handles personal data on behalf of Paul Brown Therapist Ltd, this includes employees and consultants.
Definitions of data protection terms:
The following terms will be used in this policy and are defined below.
Data Subjects include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion. It can also include an identifier such as an identification number, location data, and an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the GDPR and data protection legislation. Paul Brown Therapist Ltd is the data controller of all personal data that is processed in connection with Paul Brown Therapist Ltd’s work and activities.
Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website hosts, fulfilment houses or other service providers which handle personal data on our behalf. Data Processors also have obligations under GDPR.
ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK).
Processing is any activity that involves use of personal data, whether or not by automated means. It includes, but is not limited to:
• Collecting;
• Recording;
• Organising;
• Structuring;
• Storing;
• Adapting or altering;
• Retrieving;
• Disclosing by transmission;
• Disseminating or otherwise making available;
• Alignment or combination;
• Restricting;
• Erasing;
• Destruction of personal data.
Sensitive Personal Data (which is defined as “special categories of personal data” under the GDPR) includes information about a person's:
• Racial or ethnic origin;
• Political opinions;
• Religious, philosophical or similar beliefs;
• Trade union membership;
• Physical or mental health or condition;
• Sexual life or orientation;
• Genetic data;
• Biometric data;
• Other categories of personal data as may be designated “special categories of personal data” under the Legislation.
Data Protection Principles:
Paul Brown Therapist Ltd needs to collect and use personal information in order to operate and carry out its functions. This personal information must be handled and dealt with in accordance with the principles below. Paul Brown Therapist Ltd shall ensure that personal data is:
• Processed fairly, lawfully and transparently, in particular, not processed unless these principles and the rules set out here are followed.
• Obtained only for specified, explicit and lawful purposes, and not processed in any manner incompatible with that purpose or those purposes.
• Adequate, relevant and limited to what is necessary for the purpose for which it is held.
• Processed for a specific purpose or purposes.
• Accurate and, where necessary, kept up to date.
• Kept for no longer than is necessary (See Data Retention Policy).
• Processed in accordance with the rights of data subjects under the GDPR.
• Processed in a manner that ensures appropriate security of the personal data.
What is Data Protection?:
The GDPR aims to protect individual's fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.
The GDPR applies to paper and electronic records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data. Data protection gives data subjects a number of rights as explained further below.
How does Paul Brown Therapist Ltd process personal data?:
More information about how Paul Brown Therapist Ltd observes the data protection principles is set out below. Paul Brown Therapist Ltd’s Privacy Policy provides further information about how Paul Brown Therapist Ltd processes data. However, this section provides an overview. Paul Brown Therapist Ltd may process personal data regarding any of the following data subjects:
• Psychotherapy clients
• Business clients and contacts within the organisations
• Workshop participants
• Complainants, correspondents and enquirers
• Advisors, consultants and other professional experts
• Research subjects
The types of personal data which are being, or which are to be processed include:
• Personal Details
• Your preferences of the types of information that you prefer to receive and what types of information about yourself you are willing to share with others
• Offences (including alleged offences)
• Criminal proceedings, outcomes and sentences
• Financial details
• Employment Details
Recipients:
Recipients are individuals or organisations to whom Paul Brown Therapist Ltd as a data controller intends or may wish to disclose data. This list does not include any person to whom Paul Brown Therapist Ltd as a data controller may be required by law to disclose in any particular case, for example if required by the police under a warrant (in this case, the processing is necessary so that Paul Brown Therapist Ltd can comply with a legal obligation to which it is subject).
This list should not be read as a list of those to whom data will be disclosed. Paul Brown Therapist Ltd is required to make clear all of the possible categories of ‘recipient’ to which they might need or wish to disclose.
• Current, past or future employers
• Healthcare, social and welfare advisors or practitioners
• Education, training and accrediting establishments and examining bodies
• Suppliers, providers of goods and services
• Persons making an enquiry or complaint (for example with an organisational member or another regulatory body)
• Police forces
• Central government
• Voluntary and charitable organisations
• Ombudsmen and regulatory authorities
Purposes:
The purposes to which Paul Brown Therapist Ltd as a Data Controller holds data are described here. This list is not exhaustive and the purposes may change as processes develop.
Paul Brown Therapist Ltd holds a range of data types. At various times the data held in respect of these subjects may be used in relation to some or all of the following purposes:
• Administration of complaints processes - The administration of complaint and grievance processes of all kinds, including professional disciplinary processes, and complaints against officers, committees.
• Advertising marketing and public relations - Public relations work, advertising and marketing, including host mailings for other organisations and list broking.
• Education and workshops - The provision of education, training, accreditation and reaccreditation, supervision and/or research as a primary function or business activity.
• Realising the objectives of a Paul Brown Therapist Ltd as a business - The provision of goods and services in order to realise the objectives of the charity or voluntary body.
• Research - Research in any field, including market, health, and lifestyle, scientific or technical research.
Processing data fairly and lawfully:
The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract. The conditions are:
• The data subject has given their consent to processing (consent must relate to a particular purpose/particular purposes).
• The processing is necessary in order to perform a contract to which the data subject is party, or in order to take steps at the data subject’s request prior to entering into a contract.
• The processing is necessary so that Paul Brown Therapist Ltd can comply with a legal obligation to which it is subject.
• The processing is necessary to protect the “vital interests” of a data subject or other living individual. In this regard, “vital” means essential for the data subject’s life – it is likely to cover, for example, emergency medical situations.
• The processing is necessary for purposes of legitimate interests pursued by Paul Brown Therapist Ltd or a third party unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the data subject is a child).
To comply with the first data protection principle, every time Paul Brown Therapist Ltd receives personal data about a person directly from that individual, which Paul Brown Therapist Ltd intend to keep, Paul Brown Therapist Ltd needs to provide that person with the following “fair processing information”:
• The type of information Paul Brown Therapist Ltd will be collecting (categories of personal data concerned)
• Who will be holding their information, i.e. Paul Brown Therapist Ltd including contact details and the contact details of Data Protection Lead
• Why Paul Brown Therapist Ltd is collecting their information and what it intends to do with it (for instance to process their membership application, or send them mailing updates about Paul Brown Therapist Ltd activities)
• The legal basis for collecting their information (for example, legitimate interests).
• If we are relying on legitimate interests as a basis for processing what those legitimate interests are.
• Whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data;
• The period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period;
• Details of people or organisations with whom Paul Brown Therapist Ltd will be sharing their personal data.
Paul Brown Therapist Ltd aims to achieve this by using its Privacy Notice, which is available on its website and made available prior to any data subject providing the Paul Brown Therapist Ltd with their personal data or, where the personal data is collected from a third party, as soon as reasonably possible thereafter.
Where Paul Brown Therapist Ltd obtains personal data about a person from a source other than the person his or her self, it must provide that individual with the following information in addition to that listed above:
• The categories of personal data that we hold
• The source of the personal data and whether this is a public source.
In addition, in both scenarios, (where personal data is obtained both directly and indirectly) Paul Brown Therapist Ltd must also inform individuals of their rights, including the right to lodge a complaint with the ICO and, the right to withdraw consent to the processing of their personal data.
This fair processing information can be provided in a number of places including on web pages, in mailings or on application forms. Paul Brown Therapist Ltd must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.
Finally, the processing carried out by Paul Brown Therapist Ltd must be fair. This includes not acting in a way that would not be reasonably expected by the data subject, for example, because the data subject had been misled about why the personal data was required. Fairness also means not using personal data in a way that have unjustified effects on data subjects.
Processing data for the original purpose:
The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when Paul Brown Therapist Ltd first obtained their information.
This means that Paul Brown Therapist Ltd should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, the individual should be informed of the new purpose beforehand. For example, if Paul Brown Therapist Ltd collect personal data such as a contact number or email address, in order to update a person about our activities it should not then be used for any new purpose, for example to share it with other organisations for marketing purposes, without first getting the individual’s consent.
Personal data should be adequate and accurate:
The third and fourth data protection principles require that personal data that we keep should be accurate, adequate and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Inaccurate or out-of-date data should be destroyed securely, and Paul Brown Therapist Ltd must take every reasonable step to ensure that personal data which is inaccurate is corrected.
Not retaining data longer than necessary:
The fifth data protection principle requires that Paul Brown Therapist Ltd should not keep personal data for longer than it needs to for the purpose it was collected for. This means that the personal data that Paul Brown Therapist Ltd holds should be destroyed or erased from our systems when it is no longer needed.
Rights of individuals under the GDPR:
The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of Paul Brown Therapist Ltd needs to be aware of these rights. They include (but are not limited to) the right:
• to request a copy of any personal data that we hold about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights).
• to be told, where any information is not collected from the person directly, any available information as to the source of the information.
• to object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests.
Paul Brown Therapist Ltd: 1 Coombs Wood Court, Steel Park Road, Halesowen, B62 8BF 8
• to have all personal data erased (the right to be forgotten) unless certain limited conditions apply.
• to restrict processing where the individual has objected to the processing.
• to have inaccurate data amended or destroyed.
• to prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else.
If you become aware of a data subject who would like to exercise their rights, please speak to the Data Protection Lead.
Data security:
The sixth data protection principle requires that Paul Brown Therapist Ltd keeps secure any personal data that it holds. Paul Brown Therapist Ltd are required to put in place procedures to keep the personal data that it holds secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
When Paul Brown Therapist Ltd is dealing with sensitive personal data, more rigorous security measures are likely to be needed, for instance, if sensitive personal data (such as details of an individual’s health, race or sexuality) is held on a memory stick or other portable device it should always be encrypted.
When deciding what level of security is needed, your starting point should be to look at whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.
The following security procedures and monitoring processes must be followed in relation to all personal data processed by Paul Brown Therapist Ltd:
• Measures to restore availability and access to data in a timely manner in event of physical or technical incident
• Paper documents should be shredded, memory sticks, and other media on which personal data is stored should be physically destroyed when they are no longer required
• Personal data must always be transferred in a secure manner (the degree of security required will depend on the nature of the data - the more sensitive and confidential the data, the more stringent the security measures should be)
• Other measures to ensure confidentiality, integrity, availability and resilience of processing systems
• Desks and cupboards should be kept locked if they hold confidential or sensitive personal data
Processing sensitive personal data
Paul Brown Therapist Ltd: 1 Coombs Wood Court, Steel Park Road, Halesowen, B62 8BF 9
In addition to the lawful bases for processing personal data described above, Paul Brown Therapist Ltd must comply with an additional condition in respect of sensitive personal data. Sometimes this will involve obtaining explicit consent from the individuals involved. There are a limited number of other circumstances in which the GDPR permits organisations to process sensitive personal data, including processing which:
• Is in compliance with employment law obligations
• Is necessary to protect the vital interests of the data subject
• Relates to information made public by the data subject
• Is necessary for legal advice and establishing/defending legal rights
• Is necessary for reasons of substantial public interest (as defined in Schedule 1 to the Data Protection Act 2018)
There are also particular rules about personal data relating to criminal convictions and offences or related security measures, where reasons of substantial public interest can also be relied on
As with any other type of information Paul Brown Therapist Ltd will also have to be absolutely clear with people about how it is going to use their information
Entering into contracts with data processors
Paul Brown Therapist Ltd uses data processors to carry out certain data processing activities on its behalf – for example, production of transcripts. Where Paul Brown Therapist Ltd engages data processors, there are a number of obligations it must comply with:
• Paul Brown Therapist Ltd may only use data processors who offer sufficient guarantees to meet the requirements of GDPR and protect data subjects’ rights.
• Paul Brown Therapist Ltd must enter into a written agreement with the data processor which sets out (i) the subject matter, duration, nature and purpose(s) of the processing; (ii) the type(s) of personal data and (iii) the categories of data subjects which will be processed.
• In relation to the data processor, the data processing agreement must provide:
i. that the data processor will not engage another data processor without the prior specific or general written authorisation of Paul Brown Therapist Ltd.
ii. that the data processor will only process personal data based on documented instructions from Paul Brown Therapist Ltd.
iii. that the person(s) authorised to process the personal data on Paul Brown Therapist Ltd’s behalf commit to the confidentiality of the personal data.
iv. that the data processor will take organisational and technical security measures appropriate
Paul Brown Therapist Ltd: 1 Coombs Wood Court, Steel Park Road, Halesowen, B62 8BF 10
to the nature, scope, context and purposes of processing, the type(s) of personal data involved and the associated risks to data subjects;
v. that the data processor will facilitate Paul Brown Therapist Ltd’s obligations to comply with data subjects’ request to exercise their rights as detailed above;
vi. that, bearing in mind the nature of the processing and information available to the data processor, the data processor will assist Paul Brown Therapist Ltd in complying with the following obligations:
A. Paul Brown Therapist Ltd’s security obligations as set out above
B. Paul Brown Therapist Ltd’s obligation to report security breaches as set out in below – in particular, the data processor must notify Paul Brown Therapist Ltd without undue delay after becoming aware of a security breach and, where appropriate, must provide information as to the nature of the breach, the categories and approximate numbers of data subjects involved and the measures taken to mitigate potential adverse effects; and
C. Where appropriate, conducting a data protection impact assessment (“DPIA”) and/or consulting with the ICO prior to commencing processing likely to result in a high-risk to the rights and freedoms of natural persons. To the extent that Paul Brown Therapist Ltd conducts a DPIA and/or consults with the ICO and you become involved, you will receive appropriate training and information at the relevant time.
vii. that the data processor is obliged, at the choice of Paul Brown Therapist Ltd, to delete or return all the personal data concerned to Paul Brown Therapist Ltd at the end of the provision of data processing services.
viii. makes available to the Paul Brown Therapist Ltd all information necessary to demonstrate compliance with obligations under GDPR.
• In general, if you have any reason to believe that Paul Brown Therapist Ltd and/or the relevant data processor is not complying with its obligations, or that the underlying agreement does not comply with GDPR, please contact Information Compliance Lead in the first instance.
The role of the ICO:
Paul Brown Therapist Ltd recognizes that whilst there is no obligation to make an annual notification to the ICO under the GDPR, it will consult with the ICO where necessary when we are carrying out “high risk” processing.
Paul Brown Therapist Ltd will report breaches (other than those which are unlikely to be a risk to individuals) to the
ICO where necessary, within 72 hours. Paul Brown Therapist Ltd will also notify affected individuals where the breach is likely to result in a high risk to the rights and freedoms of these individuals. More information is available in the data breach policy. Please contact the Data Protection Lead if you think there may have been a data breach.
Record keeping:
We must keep a record of our data processing activities, to demonstrate that we are complying with them. These records will include the purpose of processing, descriptions of categories of data subjects and categories of personal data, details of transfers to third countries and retention periods of personal data.
Monitoring and review of the policy:
This policy is reviewed regularly to ensure that it is achieving its objectives.
Introduction and purpose:
Paul Brown Therapist Ltd needs to comply with the requirements of the General Data Protection Regulation (GDPR), and related data protection legislation. The purpose of this policy is to set out the principles of data protection that Paul Brown Therapist Ltd adheres to, and what Paul Brown Therapist Ltd does to protect data subjects’ personal data. Paul Brown Therapist Ltd will follow procedures which aim to ensure that all employees and consultants, who have access to personal data held by or on behalf of the Paul Brown Therapist Ltd are fully aware of and abide by their duties under the GDPR.
This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
Scope:
This policy applies to anyone who handles personal data on behalf of Paul Brown Therapist Ltd, this includes employees and consultants.
Definitions of data protection terms:
The following terms will be used in this policy and are defined below.
Data Subjects include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion. It can also include an identifier such as an identification number, location data, and an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the GDPR and data protection legislation. Paul Brown Therapist Ltd is the data controller of all personal data that is processed in connection with Paul Brown Therapist Ltd’s work and activities.
Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website hosts, fulfilment houses or other service providers which handle personal data on our behalf. Data Processors also have obligations under GDPR.
ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK).
Processing is any activity that involves use of personal data, whether or not by automated means. It includes, but is not limited to:
• Collecting;
• Recording;
• Organising;
• Structuring;
• Storing;
• Adapting or altering;
• Retrieving;
• Disclosing by transmission;
• Disseminating or otherwise making available;
• Alignment or combination;
• Restricting;
• Erasing;
• Destruction of personal data.
Sensitive Personal Data (which is defined as “special categories of personal data” under the GDPR) includes information about a person's:
• Racial or ethnic origin;
• Political opinions;
• Religious, philosophical or similar beliefs;
• Trade union membership;
• Physical or mental health or condition;
• Sexual life or orientation;
• Genetic data;
• Biometric data;
• Other categories of personal data as may be designated “special categories of personal data” under the Legislation.
Data Protection Principles:
Paul Brown Therapist Ltd needs to collect and use personal information in order to operate and carry out its functions. This personal information must be handled and dealt with in accordance with the principles below. Paul Brown Therapist Ltd shall ensure that personal data is:
• Processed fairly, lawfully and transparently, in particular, not processed unless these principles and the rules set out here are followed.
• Obtained only for specified, explicit and lawful purposes, and not processed in any manner incompatible with that purpose or those purposes.
• Adequate, relevant and limited to what is necessary for the purpose for which it is held.
• Processed for a specific purpose or purposes.
• Accurate and, where necessary, kept up to date.
• Kept for no longer than is necessary (See Data Retention Policy).
• Processed in accordance with the rights of data subjects under the GDPR.
• Processed in a manner that ensures appropriate security of the personal data.
What is Data Protection?:
The GDPR aims to protect individual's fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.
The GDPR applies to paper and electronic records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data. Data protection gives data subjects a number of rights as explained further below.
How does Paul Brown Therapist Ltd process personal data?:
More information about how Paul Brown Therapist Ltd observes the data protection principles is set out below. Paul Brown Therapist Ltd’s Privacy Policy provides further information about how Paul Brown Therapist Ltd processes data. However, this section provides an overview. Paul Brown Therapist Ltd may process personal data regarding any of the following data subjects:
• Psychotherapy clients
• Business clients and contacts within the organisations
• Workshop participants
• Complainants, correspondents and enquirers
• Advisors, consultants and other professional experts
• Research subjects
The types of personal data which are being, or which are to be processed include:
• Personal Details
• Your preferences of the types of information that you prefer to receive and what types of information about yourself you are willing to share with others
• Offences (including alleged offences)
• Criminal proceedings, outcomes and sentences
• Financial details
• Employment Details
Recipients:
Recipients are individuals or organisations to whom Paul Brown Therapist Ltd as a data controller intends or may wish to disclose data. This list does not include any person to whom Paul Brown Therapist Ltd as a data controller may be required by law to disclose in any particular case, for example if required by the police under a warrant (in this case, the processing is necessary so that Paul Brown Therapist Ltd can comply with a legal obligation to which it is subject).
This list should not be read as a list of those to whom data will be disclosed. Paul Brown Therapist Ltd is required to make clear all of the possible categories of ‘recipient’ to which they might need or wish to disclose.
• Current, past or future employers
• Healthcare, social and welfare advisors or practitioners
• Education, training and accrediting establishments and examining bodies
• Suppliers, providers of goods and services
• Persons making an enquiry or complaint (for example with an organisational member or another regulatory body)
• Police forces
• Central government
• Voluntary and charitable organisations
• Ombudsmen and regulatory authorities
Purposes:
The purposes to which Paul Brown Therapist Ltd as a Data Controller holds data are described here. This list is not exhaustive and the purposes may change as processes develop.
Paul Brown Therapist Ltd holds a range of data types. At various times the data held in respect of these subjects may be used in relation to some or all of the following purposes:
• Administration of complaints processes - The administration of complaint and grievance processes of all kinds, including professional disciplinary processes, and complaints against officers, committees.
• Advertising marketing and public relations - Public relations work, advertising and marketing, including host mailings for other organisations and list broking.
• Education and workshops - The provision of education, training, accreditation and reaccreditation, supervision and/or research as a primary function or business activity.
• Realising the objectives of a Paul Brown Therapist Ltd as a business - The provision of goods and services in order to realise the objectives of the charity or voluntary body.
• Research - Research in any field, including market, health, and lifestyle, scientific or technical research.
Processing data fairly and lawfully:
The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract. The conditions are:
• The data subject has given their consent to processing (consent must relate to a particular purpose/particular purposes).
• The processing is necessary in order to perform a contract to which the data subject is party, or in order to take steps at the data subject’s request prior to entering into a contract.
• The processing is necessary so that Paul Brown Therapist Ltd can comply with a legal obligation to which it is subject.
• The processing is necessary to protect the “vital interests” of a data subject or other living individual. In this regard, “vital” means essential for the data subject’s life – it is likely to cover, for example, emergency medical situations.
• The processing is necessary for purposes of legitimate interests pursued by Paul Brown Therapist Ltd or a third party unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the data subject is a child).
To comply with the first data protection principle, every time Paul Brown Therapist Ltd receives personal data about a person directly from that individual, which Paul Brown Therapist Ltd intend to keep, Paul Brown Therapist Ltd needs to provide that person with the following “fair processing information”:
• The type of information Paul Brown Therapist Ltd will be collecting (categories of personal data concerned)
• Who will be holding their information, i.e. Paul Brown Therapist Ltd including contact details and the contact details of Data Protection Lead
• Why Paul Brown Therapist Ltd is collecting their information and what it intends to do with it (for instance to process their membership application, or send them mailing updates about Paul Brown Therapist Ltd activities)
• The legal basis for collecting their information (for example, legitimate interests).
• If we are relying on legitimate interests as a basis for processing what those legitimate interests are.
• Whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data;
• The period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period;
• Details of people or organisations with whom Paul Brown Therapist Ltd will be sharing their personal data.
Paul Brown Therapist Ltd aims to achieve this by using its Privacy Notice, which is available on its website and made available prior to any data subject providing the Paul Brown Therapist Ltd with their personal data or, where the personal data is collected from a third party, as soon as reasonably possible thereafter.
Where Paul Brown Therapist Ltd obtains personal data about a person from a source other than the person his or her self, it must provide that individual with the following information in addition to that listed above:
• The categories of personal data that we hold
• The source of the personal data and whether this is a public source.
In addition, in both scenarios, (where personal data is obtained both directly and indirectly) Paul Brown Therapist Ltd must also inform individuals of their rights, including the right to lodge a complaint with the ICO and, the right to withdraw consent to the processing of their personal data.
This fair processing information can be provided in a number of places including on web pages, in mailings or on application forms. Paul Brown Therapist Ltd must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.
Finally, the processing carried out by Paul Brown Therapist Ltd must be fair. This includes not acting in a way that would not be reasonably expected by the data subject, for example, because the data subject had been misled about why the personal data was required. Fairness also means not using personal data in a way that have unjustified effects on data subjects.
Processing data for the original purpose:
The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when Paul Brown Therapist Ltd first obtained their information.
This means that Paul Brown Therapist Ltd should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, the individual should be informed of the new purpose beforehand. For example, if Paul Brown Therapist Ltd collect personal data such as a contact number or email address, in order to update a person about our activities it should not then be used for any new purpose, for example to share it with other organisations for marketing purposes, without first getting the individual’s consent.
Personal data should be adequate and accurate:
The third and fourth data protection principles require that personal data that we keep should be accurate, adequate and relevant. Data should be limited to what is necessary in relation to the purposes for which it is processed. Inaccurate or out-of-date data should be destroyed securely, and Paul Brown Therapist Ltd must take every reasonable step to ensure that personal data which is inaccurate is corrected.
Not retaining data longer than necessary:
The fifth data protection principle requires that Paul Brown Therapist Ltd should not keep personal data for longer than it needs to for the purpose it was collected for. This means that the personal data that Paul Brown Therapist Ltd holds should be destroyed or erased from our systems when it is no longer needed.
Rights of individuals under the GDPR:
The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of Paul Brown Therapist Ltd needs to be aware of these rights. They include (but are not limited to) the right:
• to request a copy of any personal data that we hold about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights).
• to be told, where any information is not collected from the person directly, any available information as to the source of the information.
• to object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests.
Paul Brown Therapist Ltd: 1 Coombs Wood Court, Steel Park Road, Halesowen, B62 8BF 8
• to have all personal data erased (the right to be forgotten) unless certain limited conditions apply.
• to restrict processing where the individual has objected to the processing.
• to have inaccurate data amended or destroyed.
• to prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else.
If you become aware of a data subject who would like to exercise their rights, please speak to the Data Protection Lead.
Data security:
The sixth data protection principle requires that Paul Brown Therapist Ltd keeps secure any personal data that it holds. Paul Brown Therapist Ltd are required to put in place procedures to keep the personal data that it holds secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
When Paul Brown Therapist Ltd is dealing with sensitive personal data, more rigorous security measures are likely to be needed, for instance, if sensitive personal data (such as details of an individual’s health, race or sexuality) is held on a memory stick or other portable device it should always be encrypted.
When deciding what level of security is needed, your starting point should be to look at whether the information is sensitive or highly confidential and how much damage could be caused if it fell into the wrong hands.
The following security procedures and monitoring processes must be followed in relation to all personal data processed by Paul Brown Therapist Ltd:
• Measures to restore availability and access to data in a timely manner in event of physical or technical incident
• Paper documents should be shredded, memory sticks, and other media on which personal data is stored should be physically destroyed when they are no longer required
• Personal data must always be transferred in a secure manner (the degree of security required will depend on the nature of the data - the more sensitive and confidential the data, the more stringent the security measures should be)
• Other measures to ensure confidentiality, integrity, availability and resilience of processing systems
• Desks and cupboards should be kept locked if they hold confidential or sensitive personal data
Processing sensitive personal data
Paul Brown Therapist Ltd: 1 Coombs Wood Court, Steel Park Road, Halesowen, B62 8BF 9
In addition to the lawful bases for processing personal data described above, Paul Brown Therapist Ltd must comply with an additional condition in respect of sensitive personal data. Sometimes this will involve obtaining explicit consent from the individuals involved. There are a limited number of other circumstances in which the GDPR permits organisations to process sensitive personal data, including processing which:
• Is in compliance with employment law obligations
• Is necessary to protect the vital interests of the data subject
• Relates to information made public by the data subject
• Is necessary for legal advice and establishing/defending legal rights
• Is necessary for reasons of substantial public interest (as defined in Schedule 1 to the Data Protection Act 2018)
There are also particular rules about personal data relating to criminal convictions and offences or related security measures, where reasons of substantial public interest can also be relied on
As with any other type of information Paul Brown Therapist Ltd will also have to be absolutely clear with people about how it is going to use their information
Entering into contracts with data processors
Paul Brown Therapist Ltd uses data processors to carry out certain data processing activities on its behalf – for example, production of transcripts. Where Paul Brown Therapist Ltd engages data processors, there are a number of obligations it must comply with:
• Paul Brown Therapist Ltd may only use data processors who offer sufficient guarantees to meet the requirements of GDPR and protect data subjects’ rights.
• Paul Brown Therapist Ltd must enter into a written agreement with the data processor which sets out (i) the subject matter, duration, nature and purpose(s) of the processing; (ii) the type(s) of personal data and (iii) the categories of data subjects which will be processed.
• In relation to the data processor, the data processing agreement must provide:
i. that the data processor will not engage another data processor without the prior specific or general written authorisation of Paul Brown Therapist Ltd.
ii. that the data processor will only process personal data based on documented instructions from Paul Brown Therapist Ltd.
iii. that the person(s) authorised to process the personal data on Paul Brown Therapist Ltd’s behalf commit to the confidentiality of the personal data.
iv. that the data processor will take organisational and technical security measures appropriate
Paul Brown Therapist Ltd: 1 Coombs Wood Court, Steel Park Road, Halesowen, B62 8BF 10
to the nature, scope, context and purposes of processing, the type(s) of personal data involved and the associated risks to data subjects;
v. that the data processor will facilitate Paul Brown Therapist Ltd’s obligations to comply with data subjects’ request to exercise their rights as detailed above;
vi. that, bearing in mind the nature of the processing and information available to the data processor, the data processor will assist Paul Brown Therapist Ltd in complying with the following obligations:
A. Paul Brown Therapist Ltd’s security obligations as set out above
B. Paul Brown Therapist Ltd’s obligation to report security breaches as set out in below – in particular, the data processor must notify Paul Brown Therapist Ltd without undue delay after becoming aware of a security breach and, where appropriate, must provide information as to the nature of the breach, the categories and approximate numbers of data subjects involved and the measures taken to mitigate potential adverse effects; and
C. Where appropriate, conducting a data protection impact assessment (“DPIA”) and/or consulting with the ICO prior to commencing processing likely to result in a high-risk to the rights and freedoms of natural persons. To the extent that Paul Brown Therapist Ltd conducts a DPIA and/or consults with the ICO and you become involved, you will receive appropriate training and information at the relevant time.
vii. that the data processor is obliged, at the choice of Paul Brown Therapist Ltd, to delete or return all the personal data concerned to Paul Brown Therapist Ltd at the end of the provision of data processing services.
viii. makes available to the Paul Brown Therapist Ltd all information necessary to demonstrate compliance with obligations under GDPR.
• In general, if you have any reason to believe that Paul Brown Therapist Ltd and/or the relevant data processor is not complying with its obligations, or that the underlying agreement does not comply with GDPR, please contact Information Compliance Lead in the first instance.
The role of the ICO:
Paul Brown Therapist Ltd recognizes that whilst there is no obligation to make an annual notification to the ICO under the GDPR, it will consult with the ICO where necessary when we are carrying out “high risk” processing.
Paul Brown Therapist Ltd will report breaches (other than those which are unlikely to be a risk to individuals) to the
ICO where necessary, within 72 hours. Paul Brown Therapist Ltd will also notify affected individuals where the breach is likely to result in a high risk to the rights and freedoms of these individuals. More information is available in the data breach policy. Please contact the Data Protection Lead if you think there may have been a data breach.
Record keeping:
We must keep a record of our data processing activities, to demonstrate that we are complying with them. These records will include the purpose of processing, descriptions of categories of data subjects and categories of personal data, details of transfers to third countries and retention periods of personal data.
Monitoring and review of the policy:
This policy is reviewed regularly to ensure that it is achieving its objectives.
Any more questions, please ask me. I am here to help you.
Get in touch
