PRIVACY POLICY
The Psych Practice aims to be as clear as possible about how and why information about you is used so that you can be confident that your privacy is protected. This policy describes the information that The Psych Practice collects when you use the service. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 and the subsequent UK Data Protection Bill that will be enacted from May 25th 2018.
The policy describes how The Psych Practice manages your information when you use our services, if you contact us or when we contact you. The Psych Practice uses the information collected in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, The Psych Practice is the data controller; if another party has access to your data, we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why The Psych Practice needs to provide them with the information.
Please contact us if you have any queries on:
Telephone: 020 8058 4060
Email: Admin@thepsychpracticetpp.com
If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.
1. Why do we need to collect your personal data?
The Psych Practice needs to collect information about you so that we can know who you are and communicate with you in a personal way. The legal basis for this is a legitimate interest.
- Deliver services to you. The legal basis for this is the contract (verbal or written) with you.
- Process your payment for services. The legal basis for this is the contract with you (verbal or written).
- Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
- Contact you in case there is a problem. The legal basis for this is a legitimate interest.
- Provide you with useful information about services provided. The legal basis for this is legitimate interest.
2. What personal information do we collect and when do we collect it?
For The Psych Practice to provide you with services, we need to collect the following information:
- Your name
- Your contact details including a postal address, telephone number(s) and electronic contact such as email address.
- Your payment card/bank/insurance details
- Diagnostic instrument data
The Psych Practice collects this information directly from you.
We may also collect information about you from third parties, such as another health professional (such as your Doctor), to provide a complete health assessment.
3. How do we use the information that we collect?
The Psych Practice will use the data collected from you in the following ways:
- To communicate with you so that we can inform you about your appointments with us. This will involve the use of your name and your contact details such as your telephone number, email address or postal address.
- To deliver the correct service to you we will use your name, your contact details and the details about you.
- To create your invoice we will use your name and email address, bank or insurance details.
- To process your payment, we will use your name and your payment card/bank or insurance details.
4. Where do we keep the information?
The Psych Practice will keep your information in the stores described below.
4.1. On our company computers
The Psych Practice uses password-protected personal computers and encrypted hard drives. Passwords are not shared.
All data is saved on Dropbox in keeping with GDPR guidelines.
4.2. As a paper copy
We take handwritten/electronic notes when we meet you. These notes are used to create the report that we provide to you and to relevant third parties (e.g. your insurance company, G.P.) with your consent.
5. How long do we keep the information?
We keep the electronic invoice for seven years as this is the required length to comply with the HMRC requirements. After seven years we delete the invoices using the Sage delete function.
The Psych Practice will keep your reports for 10 years as this is the requirement for clinical data.
6. Who do we send the information to?
The Psych Practice will send your report to you and anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are encrypted and password protected.
The Psych Practice will send the paper copy of our invoices to you, our accountant or Insurance Company. The accountant is based in the UK and all their computer systems are in the UK.
7. How can I see all the information you have about me?
You can make a subject access request (SAR) by contacting the Data Protection Officer. The Psych Practice may require additional verification that you are who you say you are to process this request.
We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
8. What if my information is incorrect or I wish to be removed from your system?
Please contact the Data Protection Officer. The Psych Practice may require additional verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide us with the correct data. After we have corrected the data in our systems, we will send you a copy of the updated information in the same format as the subject access request in section 7.
9. How can I have my information removed?
If you want to have your data removed, The Psych Practice has to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
10. Will we send emails and text messages to you?
11. How do I opt out of receiving emails and/or text messages from us?
If you are receiving text/email messages from The Psych Practice, you may unsubscribe at any time by letting us know.
12. How do we use AI tools?
As part of our mission to provide high-quality psychological care, we use AI-powered tools, for example Jane (CRM for administrative tasks), Heidi and Asana, to support our clinicians and improve your overall experience.
- Heidi – AI Clinical Documentation Assistant
Heidi is used by clinicians during sessions to assist in capturing clinical notes through live transcription.
- No audio is recorded or stored. Only transcribed notes that the clinician approves are saved into your Electronic Health Record (EHR).
- Data Access: Only your assigned clinician has access to your transcribed notes. We use strict access controls in accordance with GDPR, NHS compliance, and our ISO27001-certified information security practices.
- Data Hosting: All data is stored locally in the UK, supporting data sovereignty and regulatory compliance.
- Consent: Use of Heidi is subject to your explicit consent. You may withdraw this consent at any time without affecting the care you receive.
- Data Use: Your data is used solely for:
- Clinical documentation
- Service improvement of Heidi’s performance (in anonymised or aggregate form where applicable)
- Legal and regulatory compliance
We do not use your data for marketing purposes or disclose it to third parties without lawful basis or your consent.
- Asana – Task and Workflow Management
Asana is used internally to manage tasks related to service delivery, such as scheduling, follow-ups, and care coordination.
- No sensitive personal or medical data is stored in Asana.
- Only minimal, non-clinical data (e.g. initials, appointment dates) may be used for task assignment.
- Access is restricted to staff who need it for operational purposes.
All tools used in our practice are vetted for security, and data sharing agreements are in place where applicable.
- Jane – This is our client management platform.
- We have the choice to opt in to any clinical features in Jane powered by generative AI and can manage our clinic’s access to these updates.
- Our patient and clinic data is ours; it is not shared and it is not used to train Jane’s AI models.
- Jane features powered by AI are presented as suggestions that can be modified, accepted, or rejected.
- Jane is GDPR compliant.