We are committed to protecting your privacy and confidentiality.
Effective date for users who register from the 07/09/2017: 07/09/2017
Effective date for users who registered before the 07/09/2017: 07/10/2017
Previous version: 02/03/2015
These are the Privacy Notices that cover the supply of Cognitive Behavioural Therapy services provided online (the Service) through iesohealth.uk (the Site). The Site and the Service are provided by Ieso Digital Health (UK) Ltd (Ieso, we, us and our). For the purposes of data protection legislation, we are a data controller.
By agreeing to the terms and conditions of the Service you have entered into a contract with us which forms the legal basis for the processing of your information.
Here we explain what personal information we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your data. These Privacy Notices reflect legal requirements, regulations, and clinical best practice.
We understand that the privacy and confidentiality of all the personal information, especially the transcripts of therapy sessions, you provide and that we handle, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary.
What these Privacy Notices cover
These Privacy Notices describe our treatment of personal and clinical information that we collect when you access or use our Service.
We describe here how we handle your personal and clinical information for the purpose of providing and improving the Service. We will not sell or use or share your personal information for direct marketing or other promotional purposes. These Privacy Notices prohibit this.
These Privacy Notices apply to any Site where they are referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and Service may include links to websites that are owned and operated by third parties. We are not responsible for the privacy policies or content of such websites.
We reserve the right to change these Privacy Notices from time to time by changing them on the Site and/or by notifying you through your account or by email. Amended terms will take effect 30 days after they are published.
We collect the following personal information about you in a number of ways:
a) Information you provide to us when you register and use our Service. This includes:
- Registration information - when you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient such as your date of birth, NHS number, GP details and address, and to authenticate your access to the Service by way of a password for your sign-in security.
- Assessment information - we collect information using standard structured patient assessment questionnaires both to initially establish what treatment plan is likely to be beneficial to your needs, and on an ongoing basis prior to each session of your subsequent care. Assessment information can cover a range of factors relevant to your experiences and how you are feeling in addition to your medical history, lifestyle, family, work and education.
- During the course of your treatment - This includes messaging between you and your therapist between sessions to arrange and anticipate your therapy sessions, the sessions themselves, the ‘homework’ activities and questionnaires completed, and the setting of goals. The sessions comprise a written real-time conversation between you and your therapist that is recorded in the form of a transcript that you can both access through the account settings of the Service. This may include information relevant to and about how you are feeling at that point in time. You will be encouraged to record goals within your account, and we may generate information about these treatment goals and assessment score graphs to help you and us to monitor and understand your progress.
- Your queries or comments - we will collect information if you contact us for example with a question or comment about the Service and its content.
You have the option at all times to refuse to submit personally identifiable information to us but note that without this information, the Services may be unavailable to you.
b) Information we may collect from other sources. We may add to the information we collect from you, with information we receive from other sources. This includes:
- Referral information - from your General Practitioner (GP) or healthcare provider, if you are referred by them for treatment to Ieso and the Service. This may include your name, date of birth, address, mobile number, email address, NHS number, reason for referral and any relevant assessment notes and questionnaire scores.
- Demographic information - that is publicly available and that enables us to understand anonymous health statistics at postcode level.
- Therapist notes - At the end of each session your therapist will produce a short set of clinical notes to summarise the session. For some of our NHS contracts, these summary notes are copied into your health record on your health care provider’s patient management system, but the transcripts will never be copied over.
c) Information collected automatically from your use of the Service. Certain information is collected automatically from your computer or device about your engagement with the Service. This includes:
- Session activity information - we collect information about you from your use of the Service. (E.g. when you log on, accept an appointment, join a session etc.)
- Device information - this may include information about whether you are using the service on a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure the Service is optimised for different devices.
- Log information - we collect technical information such as your Internet Protocol (IP) address (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with the Service.
See below for further information on cookies.
We use the personal information we collect to ensure that we provide you with the best possible treatment both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to seek to ensure that our procedures for handling patient information meet with our obligations.
We use the personal and clinical information that we receive under our terms with you and in connection with providing treatment to:
- Register you with the Service - to consider requests for use of the Service and to enable sign-in and verified access and use of the Service.
- Assess your treatment needs - to place you with an appropriate therapist, and to aid selection of exercises and questionnaires.
- Provide your treatment - your personal information is shared with your therapist to enable their treatment to you and evaluate your progress, including messaging to arrange sessions, conducting sessions, assessing progress against treatment goals and maintaining your case file. It’s your choice to decide what to share with your therapist, but the more information that your therapist has about you, the more likely it is that they will be able to provide you with highly effective treatment. It will be clear when you are entering information, what your therapist will have access to. Your therapist only has access to your personal information during your treatment and for 6 weeks after discharge to allow for reflection and/or to consider any feedback from you. Subject to appropriate safeguards, some of the details of your case may be shared in your therapist’s routine clinical supervision with their Clinical Supervisor. The British Association of Behavioural & Cognitive Psychotherapies (“BABCP”) requires that all therapists must receive clinical supervision. A Clinical Supervisor is a therapist who has received additional training and is generally more experienced than the therapist. This is to ensure that the therapy you are receiving is the most helpful it can be and remains faithful to best practice evidence. Clinical supervision includes case discussions either individually or within a group of therapists, all of whom are bound by confidentiality. This may include looking at transcripts of sessions, but other personal details will not be shown in conjunction with these transcripts.
- Communicate with you - about Service availability and related Service updates or notifications, reply to your enquiries, requests or complaints. We may also contact you after you’ve completed treatment to ask for feedback, or to check on your wellbeing. We may also use anonymised patient quotes or case studies to explain our service to potential partners or patients. We do not use or share your personal information for direct marketing or other promotional purposes.
- Protect you and/or others - and seek to maintain a confidential and safe environment. These measures include:
  - user authenticated access controls to the service;
  - restricted access to patient identifiable information. Access to patient records within Ieso is limited on a strictly 'need to know' basis and wherever possible processed by reference to indirect rather than directly identifying information, such as case reference numbers;
  - ongoing review of the care and help our professional therapists provide to make sure it meets our quality standards. This includes training, case management support, moderation, supervision and may include monitoring of messaging and treatment sessions;
  - developing learning/training programmes for our therapists;
  - administering our professional compliance duties and obligations.
- Conduct analysis, profiling and research to improve our service - we conduct research, profiling and analysis on treatments and outcomes such as average outcome scores to help identify, in our legitimate interest, improvements in treatment outcomes and to generally enhance how we deliver our Service. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible.
Analysis for quality assurance (including to evaluate best practices, best protocols and best therapists for particular diagnoses), and research into new product development, may include the use of machine learning, natural language processing (NLP) and artificial intelligence (AI). Access to sensitive data may occasionally be required by our clinical scientists where suboptimal results have been obtained. Such access is controlled and approved by our clinical team and is subject to their supervision. Such research and analysis enables us to understand the drivers for recovery and improvement in certain mental health conditions where CBT is an appropriate treatment, and use that knowledge to improve your care and the care provided to others in the future.
We only ever share the minimum information necessary to provide the best treatment, care and protection for yourself or others, or to satisfy legal requirements. For example, your data may be provided to update your referring healthcare provider and/or as part of the Minimum Data Set required nationally by NHS England for all its patients. We will only share transcripts in very limited and rare circumstances. For example, some of our NHS contracts require annual audit meetings to review feedback which may occasionally include the joint viewing of transcripts from any internal investigations that have been conducted by us as a result of a complaint, see section 3 'When we share your information'.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation, or, for any other reason not set out in this policy unless we have an overriding legal duty to do so. We will not sell or use or share your personal information for direct marketing or other promotional purposes.
We appreciate and respect that the confidentiality of your interactions with the Service is of utmost importance to you. Information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.
The confidentiality of all information shared between yourself and your therapist is upheld to the highest level possible. We recognise that you may consider some information you give to us and that may be recorded in the transcripts, as particularly sensitive. Relevant internal policies and procedures are designed to share the minimum information necessary to provide the best treatment, care and protection for yourself or others.
We do not routinely make directly identifiable information available to anyone within Ieso or beyond, although there are specific situations when we may disclose certain personal information in the context of operating or providing the Service – see section 2 'How we use collected information'.
In delivering the Service to you, your personal information may be shared with:
- Your GP and/or your referring healthcare provider - Like all NHS service providers, it is important for us to work in collaboration with other healthcare professionals like your GP or your local psychological therapy service. This may be at the start and end of your treatment where we notify your GP or healthcare provider of the assessment and discharge, where the letter to the GP may be sent by fax (and where you also receive a copy of these letters), or where we transfer your care to another healthcare provider or refer you back to your original provider where an alternate provider may be able to administer more appropriate care, where we may provide them with a patient report so they have the details of your condition and the treatment provided by us. We will always ask your consent before contacting your GP and you may decline this. The personal and clinical information provided through the Service may also form part of your health records and be used as appropriate by your GP/healthcare provider. Some of our NHS contracts require us to update the referring provider’s patient management systems with information such as when you have sessions and clinical summaries of the sessions, and some also require annual audit meetings to review feedback which may occasionally include the joint viewing of transcripts from any internal investigations that have been conducted by us as a result of a complaint during the year. We also update your referring healthcare service to enable invoicing.
- NHS Digital - Providers of NHS-funded mental health services in England are required to provide a specified set of data (Minimum Data Set) to NHS Digital, who use this to create a picture of services delivered around the country to check that quality standards are similar everywhere. The data set includes NHS numbers but all reports published from this data are aggregated and contain no information that could reveal your identity.
Outside the normal course of providing services, we may also share the minimum necessary information where required or entitled by law, legal process, or professional ethical or law enforcement reporting purposes. This may include notifying appropriate authorities, regulators or law enforcement agencies, or allowing them confidential access to specific information as part of an inspection or review, or to prevent fraud or cybercrime or any threats. If these circumstances arise, we would inform you wherever possible.
We have internal procedures in place to safeguard your privacy, so that only the minimum necessary information is used to conduct research on the most de-identified data possible. We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy without your knowledge or permission unless we have an overriding legal duty to do so.
Sharing your personal information without your consent
The sharing of information about you without your consent is strictly controlled by law. In exceptional situations we may need to share information (only the minimum necessary) without your permission if:
- A serious crime has been committed
- Withholding information could endanger someone’s life
- A child or vulnerable adult is at potential risk or
- We are ordered to by a court of law
In such circumstances, we would inform you wherever possible.
Transferring data outside the UK, and holidays during treatment
We seek where possible to prevent any transfers of your personal information to countries which may not have adequate data protection standards.
The European Commission makes the decisions on the adequacy of the protection of personal data in third countries, and has decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and 11 other territories without any further safeguards being necessary. (http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm)
Accessing our Services when outside the EEA is considered a transfer of data by the Data Protection Act. It is at your own risk if you decide to attend therapy sessions whilst you are visiting countries not listed at the web reference above. Our therapists are not permitted to access the Service from outside these territories, so will notify you of any necessary short breaks in your treatment due to travel.
We do not use or share your personal information for direct marketing or promotional purposes. We may use anonymised patient quotes or case studies to explain our service to potential partners or patients.
We place great importance on the security of personal identifiable information associated with our patients. We have put controls in place to safeguard the personal information that you provide, applying physical, technical and procedural measures against the loss, misuse and alteration of personal information under our control.
All information submitted by you is encrypted in transit using best-practice Secure Sockets Layer (SSL) with at least 128-bit encryption. All clinical data is encrypted using the industry-standard AES-256 cipher and stored at hosted facilities with dedicated physical access controls and restricted system access.
We have achieved the International Standard certification for information security (ISO 27001) and satisfy NHS Information Governance Toolkit requirements to levels 2 or 3.
Remember also that you are responsible for keeping your password secret at all times when accessing and using the Service.
Ieso Digital Health is headquartered in the United Kingdom (UK) and information about you submitted via the Services is used by us and hosted by our service provider on secure servers in the UK. As detailed in the Security section of these Privacy Notices, such information is stored in an encrypted state, both in transit and at rest, meaning the provider cannot lawfully access identifiable information.
We retain your information and health record as a resource that you can return to at any time you wish. This can help you remember coping strategies, techniques or processes that you learnt in therapy. If you were to experience a setback between sessions or after you’ve completed treatment you may find it useful to refer to your therapy transcripts and messages. Also, if you were to require further therapy sessions at any time in the future, your therapists would be able to access all your therapy notes. We retain your clinical record by reference to the IGA Records Management Code of Practice for Health and Social Care guidance for managing health records https://digital.nhs.uk/information-governance-alliance and to support our legal obligations to be accountable for your care. The Code is based on current legal requirements and professional best practice. Our data retention practices are reviewed at least annually in conjunction with industry standards and best practice.
You can access specific details relating to your treatment through the Service online at any time directly through your account. This includes your treatment goals, score graphs, messaging and treatment session transcripts, and will remain a resource available to you after the conclusion of your treatment. You can also update or amend your key registration and contact details directly through your account.
Clinical and personal information will also form part of your wider medical record and, subject to certain exemptions, you may obtain access to your health records by prior arrangement with your referring healthcare service or GP, who may be entitled to charge an administration fee if you request copies of information from your medical records.
If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record, your referring healthcare service or GP. If we or they agree the information is incorrect, the alteration will be made. If we or they are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.
Data protection law also includes the right to make other requests to seek to erase, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights may be restricted or not apply in practice.
If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the data you have provided (for example to your GP) please write to:
The Chief Clinical Officer, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.
- Secure login and navigation - we use necessary session cookies to help verify and authenticate your access to the Services and to let you smoothly navigate the Service and use its features.
- Functionality - these cookies allow us to optimise the Service to you. For example, you can shut your browser but not be logged out, as long as an hour of inactivity does not pass, to enable you to complete questionnaires, ‘homework’ etc.
Most computers and some mobile devices will automatically accept cookies but, if you prefer you can change your browser to prevent that or to notify you each time a cookie is set.
You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser.
Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service.
Our contract with your healthcare provider determines the lower age limit for our services. As standard it is 18, but specific contracts include 16 year olds and older, and for others the lower age limit is 12. The services are only available to children under 16 following a referral by a verified General Practitioner or healthcare provider and where relevant, the consent of the child's parent or guardian.
If you have any questions or comments about these notices please let us know:
By email: firstname.lastname@example.org (or for technical support questions contact our technical support team: email@example.com)
By telephone: on 0800 074 5560
Or by post to: Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
To reach our data protection officer please use the above details and flag your communication for the attention of: Helen Simpson
In an emergency please contact:
- Your GP surgery or local A&E
- Your referring healthcare provider
- Urgent Care (for out of hours access to GP): 111
- The Samaritans 116 123 or firstname.lastname@example.org
- Emergency Services 999