Privacy Policy

 

The following information outlines how information will be processed and stored within The Nook Therapy Clinic Ltd.

 

The Nook Therapy Clinic takes the privacy rights of all its clients seriously and adopts a high standard of compliance and confidentiality when dealing with your data.  We want you to understand that this is a safe place for you to discuss your feelings and concerns and we operate in a highly confidential environment.  This privacy policy sets out the details of how data is collected and processed through the use of our website and when you use our services.

 

Data Controller

Dr Selina Warlow is our data controller and is registered with the Information Commissioner's Office (ICO). She is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact Dr Selina using the details below:

 

Data Controller:  Dr Selina Warlow

Email Address: admin@thenookclinic.co.uk

Postal Address: The Nook Therapy Clinic, 29 East Street, Farnham, GU9 7SW

 

What is processed and why:

The personal data we collect and process from clients includes the following:

  • Personal data: basic contact information including name, title, date of birth, gender, address, email, school, contact number and GP contact details.
  • Sensitive personal data: Signed contract, assessment records, reports, and outcome measures, including details about your ethnicity and health, which includes information about your existing and previous medical conditions, medication details, psychiatric history and any other relevant health information to enable us to carry out our services to you.
  • Technical data: Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

 

We require your explicit consent for processing sensitive data, so when you submit your details, we will send you a further communication asking for you to confirm your consent to this processing.

We also collect and use Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Technical Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

 

How is your personal data collected?

We use different methods to collect data from and about you. The majority of the time, our information is collected directly when you contact us in the following ways:

 

  • When you fill in any new client forms;
  • When you complete any forms before or during an appointment;
  • Verbally during discussions;
  • Correspondence with us via post, phone, email or otherwise;
  • When you apply for our services;
  • When you request marketing communications to be sent to you; or
  • When you give us feedback or contact us.

 

Another method we may use to collect data includes the use of automated technologies or interactions, like website cookies or other similar technologies. This includes information about your equipment, browsing actions and patterns and information about your browsing activity if you visit another website that uses the same cookies as us. This means we receive information about how you use these third-party websites.

 

This data collection helps us to improve user experience, and to gather information about how you use our website. For more information, please refer to our Cookie Policy, which can be accessed here.

 

The lawful basis for processing personal data:

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances to provide therapy and diagnostic assessments:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent when collecting sensitive data (such as health information) and before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.  Your information will never be sold to others.

What are the purposes for which we will use your data?

  • To register you as a new client.
  • To provide our services and to process and deliver any orders, including: a) to manage payments, fees and charges and b) to collect and recover money owed to us.
  • To manage our relationship with you e.g., to notify you about changes to our terms of this privacy policy or to ask you to leave a review.
  • To send you relevant marketing information about our services.
  • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
  • To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.
  • To use data analytics to improve our website, services, marketing, client relationships and experiences.
  • To make suggestions and recommendations to you about goods or services that may be of interest to you.

 

Do we use Cookies?

Cookies help make our website work better for you, remembering your preferences and improving your experience. You can control cookie settings in your browser.  Cookies make your browsing experience on our site as smooth as possible, because they remember your preferences.

 

Our website uses cookies to distinguish you from other users of our website. Please refer to our Cookie Policy here to learn more:

 

How long we store personal information:

Your personal information will only be stored for as long as it is required. Basic contact information held on a therapist’s mobile phone will be deleted within 6 months of the end of the assessment.

The sensitive personal data defined above is stored for a period of 7 years after the child / young person has turned 18 (until their 25th birthday). After this time, this data will be deleted.

 

Sharing personal information:

Information about you, your child and the assessment is held in confidence. This means that your personal information is not normally shared with anyone else. However, there are exceptions to this when we may need to liaise with other third parties in exceptional circumstances such as:

  • When there is need-to-know information for another health provider, such as your GP or another associate within our clinic.
  • When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
  • When the information concerns risk of harm to the client, or risk of harm to another adult or a child.

 

We will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or to someone else. 

 

We may also share your personal information with certain third party service providers who provide IT and system administration services to our practice. For example, WriteUpp, owned by Pathway Software Limited, provides our practice management software, and Heidi Health Trading Pty Limited provides AI software for our therapy notes. These third party service providers have a requirement to respect the security of your personal data. We do not permit them to use your personal data for their own purposes, and they are only permitted to process your data for specified purposes in line with our instructions.

 

 

Do we ever transfer your data internationally?

We do not transfer your data outside the United Kingdom.

 

We will NOT do the following with your personal information:

Your personal information will not be shared with third parties for marketing purposes.

 

How we will keep your personal information secure:

We have strong security measures in place to keep your personal information safe. Only authorised individuals who have a need to know are granted access to your data, such as our employees or trusted partners. They will process your data in accordance with our confidentiality terms.

Personal information is minimised in phone and email communication.

Sensitive personal data will be sent to clients in an email attachment that is password protected. Email applications use private (SSL) settings which encrypt email traffic.

No open or unsecured Wi-Fi will be used to send any personal data.

Personal information is stored on a GDPR compliant secure cloud-based storage facility. This is password protected. No information will be stored on any office computer or mobile phone.

Malware and antivirus protection is installed on all computing devices used to access the cloud storage and secure email.

Mobile devices are protected with a passcode/thumbprint scanner.

 

What are your legal rights in relation to your data?

You have the following rights regarding your personal data:

 

Access: You can request a copy of the personal data we hold about you. This is known as a “data subject access request.”

 

Correction: If the personal data we have about you is incomplete or incorrect, you can ask us to correct it.

 

Erasure:  You can ask us to delete your personal data. It’s important to note, however, that there might be legal reasons that prevent us from fulfilling this request. If such reasons exist, we will inform you when you make your request.

 

Objection: In certain situations, you have the right to object to the processing of your personal data.

 

Restriction of Processing: You can request that we restrict the processing of your personal data under specific circumstances.

 

Data Portability: You have the right to request the transfer of your personal data directly to you or to a third party of your choice.

 

Withdrawal of Consent: At any point where we rely on your consent to process your personal data, you have the right to withdraw this consent. Withdrawal of consent will not affect the legality of the processing done before the consent was withdrawn. Should you withdraw your consent, we might be unable to provide you with certain products or services. We will inform you if that is the case when you withdraw your consent.

 

If you wish to exercise any of the rights set out above, please contact us.

 

We won’t charge any fees for you to request access to your personal data. However, a reasonable fee may be charged if your request is clearly unjustified, repetitive or excessive. We also reserve the right to not comply in this scenario.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was last updated in June 2024.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Thanks for reading our privacy policy. If you have any questions please don’t hesitate to contact us.

 

 

REFERENCES:

Data Protection Act 2018

Record Management Code of Practice for Health and Social Care 2016

Royal College of Occupational Therapists ‘Keeping Records; Guidance for Occupational therapists (4th edition)’

Royal College of Speech and Language Therapists Guidance on Record Keeping

Health and Care Professions Council – Standards of Conduct, Performance and Ethics, 26th January 2016