
Privacy Notice

External Referring Clinician Hub Privacy Notice

Effective date: 4 May 2020

These are the Privacy Notices that explain what personal data (information) Ieso Digital Health Ltd (Ieso, we, us and our) hold about you, how we collect it, and how we use and share information about you for the duration of your organisation’s contract with us, and reflect legal requirements, regulations, and best practice. For the purposes of data protection legislation, we are a data controller registered with the Information Commissioner (Z5383093).

We have entered into a contract with your employer which forms the lawful basis for the processing of your information in the very limited ways detailed below.

We reserve the right to change these Privacy Notices from time to time. When we do so, we will revise the effective date at the top of the statement, so we recommend you view them periodically.

  • 1. Information we collect

    We collect the following personal information about you in the following ways:

    a) Information we collect from you
    First name, surname, work email address, employer, and requirements from the site.

    b) Information collected automatically from your use of the therapist hub
    Certain information is collected automatically from your computer or device about your online engagement with the therapist hub.

    This includes:

    • Session activity information - we collect information about you from your use of the Service. (E.g. when you log on, view a page etc.)
    • Device information - this will include information about whether you are using a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure optimisation for different devices.
    • Log information - we collect technical information such as your Internet Protocol (IP) address, (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with our systems.
  • 2. How we use collected information (includes sharing within Ieso)

    We use the personal information we collect to ensure that we provide you with the best possible support now and in the future. We have appointed a Data Protection Officer to ensure that our procedures for handling data subject information and requests meet with our obligations.

    We use the personal information that we collect from or about you to:

    • Register you on the therapist hub – the eLearning team adds you to this site to enable you to access information on Ieso, training materials and CBT resources.
    • Communicate with you – to include clarifying the resources you require and that these meet your needs, service updates or notifications, and to reply to your enquiries, requests, or complaints.
  • 3. When we share your information

    Ieso works hard to ensure that only the right people have access to your personal data, and information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.

    We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy unless we have an overriding legal duty to do so.

    We do not sell, use or share your personal information with 3rd parties for direct marketing or other external promotional purposes.

    Sharing your personal information without your consent

    The sharing of information about you without your consent is strictly controlled by law.

    In exceptional situations we may need to share information (only the minimum necessary) without your permission if:

    • We are required to do so by law, e.g. a serious crime has been committed; withholding information could endanger someone’s life; a child or vulnerable adult is at potential risk; or we are ordered to by a court of law.
    • We have significant evidence of misconduct and therefore an obligation to share this as part of our commitment to the standards of conduct, performance and ethics detailed by the BABCP.

    If these circumstances arise, we would inform you wherever possible.

    Transferring data outside the UK

    We seek where possible to prevent any transfers of your personal information to countries which do not have adequate data protection standards.

    The European Commission makes the decisions on the adequacy of the protection of personal data in third countries and has decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and 11 other territories without any further safeguards being necessary.

    Accessing our Services when outside the EEA is considered a transfer of data by data protection legislation.

  • 4. How we secure your information

    We place great importance on the security of personal identifiable information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against the loss, misuse and alteration of personal information under our control.

    All information submitted by you is encrypted in transit using best-practice Transport Layer Security (TLS) with at least 128-bit encryption and using the industry-standard AES-256 cipher and stored at hosted facilities with dedicated physical access controls and restricted system access.

    We have achieved the International Standard certification for information security (ISO 27001), maintain Cyber Essentials Plus certification, and satisfy the NHS Data Security and Protection Toolkit.

    Remember also that you are responsible for keeping your password secret at all times.

  • 5. How we store your information

    We store your personal data:

    On the therapist hub: name, ID code, courses attended with associated assignments and test scores (email address is collected but then transformed into the ID code). These are stored by Kineo Limited with whom we have a data processing agreement, based in the UK, with no transfers outside the UK, hosted by Rackspace in the EU.

    In Microsoft SharePoint, OneDrive and Exchange (within the EEA with a data processing agreement and appropriate security controls).

    All have appropriate and audited access controls.

    As detailed in the Security section of these Privacy Notices, such information is stored in an encrypted state, both in transit and at rest, meaning the provider cannot lawfully access identifiable information.

    Our data retention practices are reviewed at least annually in conjunction with industry standards and best practice.

  • 6. Your data protection rights

    Data protection law provides you with rights that Ieso Digital Health is committed to supporting you with:

    Right to Access

    You have the right to obtain:

    • Confirmation that your information is being used, stored or shared by the company
    • A copy of information held about you
    • If you only require a particular part of your record, tell us and this can reduce the time it takes to provide it
    • We will respond to your request within one month of receipt or will tell you when it might take longer.
    • We are required to validate your identity including the identity of someone making a request on your behalf

    If you feel there is an error of fact within your personal details held by us, please contact us. If we agree the information is incorrect, the alteration will be made, but if we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.

    Data protection law also includes the right to make other requests to seek to erase, port, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health, employment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights may be restricted or not apply in practice.

    For more detailed information on your rights visit the ICO website.

    If you need any assistance in these areas, please write to:

    The Data Protection Officer
    Ieso Digital Health (UK) Limited
    Jeffreys Building
    Cowley Road
    Cambridge CB4 0DS

    Or by email, For the Attention Of the Data Protection Officer, to info@iesohealth.com


    You have the right to make complaints and request investigations into the way your information is used. Please contact our Data Protection Officer in the first instance.

    If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office. You can call the ICO on 0303 123 1113 or write to them at:

    Information Commissioner's Office
    Wycliffe House
    Water Lane
    SK9 5AF

    Additionally, you also have a right to seek to enforce your rights through the courts.

  • 7. Cookies and tracking

    A cookie is a small data file stored by your browser on your device's hard disk for record-keeping purposes and typically includes a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the same site.

    Session cookies are stored only temporarily during a browsing session and are deleted from the user’s device when the browser is closed; Persistent cookies are saved on your computer for a longer, fixed period and are not deleted when the browser is closed and are used to remember you when you visit the website again; and Third party cookies are set by a different organisation to the owner of the website you are visiting. They might include cookies set for website visitor analytics or embedded content, for example Google Analytics.

    Cookies will be collected from you in your use of the therapist hub, set by Totara, the LMS platform used by Kineo. The Totara platform's use of cookies is minimal: a session cookie and two for additional functionality. Read the Totara cookie policy.

  • 8. Your questions and how to contact us

    If you have any questions or comments about these notices, please let us know: By email: info@iesohealth.com (or for technical support questions contact our technical support team: support@iesohealth.com)

    By telephone: on 0800 074 5560

    Or by post to Jeffreys Building, Cowley Road, Cambridge, CB4 0DS

    To reach our Data Protection Officer please use the above details and flag your communication for the attention of Helen Simpson.

  • 9. Changes to your personal data

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
