We appreciate and respect that the confidentiality of your interactions with the Service is of utmost importance to you. Information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.
The confidentiality of all information shared between yourself and your therapist is upheld to the highest level possible. We recognise that you may consider some information you give to us, and that may be recorded in the verbatim records of therapy sessions and/or messaging, as particularly sensitive. Relevant internal policies and procedures are designed to share the minimum information necessary to provide the best treatment, care and protection for yourself or others.
In delivering the Service to you, your personal information may be shared with:
- Your GP and/or your referring healthcare provider - Like all NHS service providers, it is important for us to work in collaboration with other healthcare professionals like your GP or your local psychological therapy service. This will be at the start and end of your treatment, where we notify your GP or healthcare provider of the assessment and discharge. The letter to the GP is sent by encrypted email, and you also receive a copy of these letters. It will also be where we transfer your care to another healthcare provider, or refer you back to your original provider, where an alternate provider is able to administer more appropriate care. In that case we provide them with a patient report so they have the details of your condition and the treatment provided by us. During registration we ask whether you are happy for your therapist to share information about your treatment with your GP and you may decline this. Some of our NHS contracts require us to update the referring provider’s patient management systems with information such as when you have sessions and clinical summaries of the sessions. Some also require audit meetings to review feedback, which very occasionally may include the joint viewing of, or listening to, specific verbatim records of sessions or messaging relating to any internal investigations that have been conducted by us as a result of a serious clinical incident or significant complaint during the year. We also update your referring healthcare service to enable invoicing and/or during the investigation of any serious clinical incidents.
- NHS Digital - Providers of NHS-funded mental health services in England are required to provide a specified set of data (Minimum Data Set) to NHS Digital, who use this to create a picture of services delivered around the country to check that quality standards are similar everywhere. The data set includes NHS numbers, gender, age and ethnicity, but all reports published from this data are aggregated and contain no information that could reveal your identity.
- We share minimum personal data with systems we use to process the data: your email address for automated emails, your case reference number if the case is discussed in supervision sessions, and your IP address. (See section 5 ‘How we store your information’ and section 7 ‘Cookies and tracking’ below.)
Outside the normal course of providing services
We also share the minimum necessary information where required or entitled by law, legal process, or professional ethical or law enforcement reporting purposes. This may include notifying appropriate authorities, regulators or law enforcement agencies, or allowing them confidential access to specific information as part of an inspection or review, or to prevent fraud or cybercrime or any threats. This would include the sharing of specific information required by government and/or contracts with our NHS payers (e.g. specific employment information for the Department of Work and Pensions). If these circumstances arise, we will inform you wherever possible.
Where you have indicated to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by Ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, we will use your contact details to give you more information and process your information further for this purpose if you subsequently give your consent, which would include wider sharing of your personal data as agreed with you.
If you agree to leave a review of our service on an external site, then the process will include giving a name, email address, star-rating, comment and optional photograph to the third-party site, e.g. Trustpilot, who will then be the controller of this data. The third party will not receive any data before your agreement.
In order to conduct research to improve treatment, we sometimes partner with researchers outside of Ieso, e.g. university research groups. When this happens, we remove directly identifiable information (including any names and locations) from the data we share with them, so they will be unable to identify anyone personally. All partners also sign a legal agreement that any data they receive is kept confidential and secure.
Where you are accessing these services as part of a research project led by another organisation, you will have consented with them to share the relevant data back to them for their research. For the avoidance of doubt this will not include verbatim records of your therapy sessions.
We have internal procedures in place to safeguard your privacy, so that only the minimum necessary information is used to conduct research on the most de-identified data possible. We will always seek your permission before disclosing your personally identifiable information to another person or organisation for any other reason than those set out in these privacy notices, unless we have an overriding legal duty to do so (for example, in the prevention and/or detection of a crime).
Sharing your personal information without your agreement
The sharing of information about you without your agreement is strictly controlled by law.
In exceptional situations we may need to share information (only the minimum necessary) without your permission if:
- A serious crime has been committed
- Withholding information could endanger someone’s life
- A child or vulnerable adult is at potential risk or
- We are ordered to by a court of law
In such circumstances, we would inform you wherever possible.
Transferring data outside the UK, and holidays during treatment
We seek where possible to prevent any transfers of your personal information to countries which have not been assessed as having adequate data protection standards.
Post Brexit, the UK has accepted all adequacy decisions made by the European Commission (decisions on the adequacy of the protection of personal data in third countries, where the Commission has decided that personal data can flow safely between countries). Data can therefore flow freely in the European Union, the European Economic Area (EEA), and 12 other territories without any further safeguards being necessary. (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
Accessing our Services when outside these territories is considered a transfer of data to a third country by data protection legislation. It is at your own risk if you decide to attend therapy sessions whilst you are visiting countries not listed at the web reference above. Our therapists are not permitted to access the Service from outside these territories, so will notify you of any necessary short breaks in your treatment due to travel.
We will not sell or share your personal information for direct marketing or other promotional purposes.