
Privacy Policy

Effective date: 25 March 2020
We are committed to protecting your privacy and confidentiality.


These are the Privacy Notices that explain what personal data (information) Ieso Digital Health hold about you, how we collect it, and how we use and share information about you. We are required to notify you of this information, under data protection legislation. Please ensure that you read this notice and any other similar notices we provide to you from time to time when we collect or process personal information about you. These Privacy Notices reflect legal requirements, regulations, and best practice.

The Company is registered with the Information Commissioner as a Data Controller.
ICO Registered no: Ieso Digital Health (UK) Ltd: ZA239229

If you don’t understand or require further information on anything below, please contact our Data Protection Officer.

In receiving treatment from your NHS therapist via this online site we are facilitating the NHS to complete a public task to treat you and this is the legal basis for which we will be processing your personal data. We process your special category data for medical purposes or possibly future research which is compatible with original purposes.

Here we explain what personal information we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your data. These Privacy Notices reflect legal requirements, regulations, and best practice.

We reserve the right to change these Privacy Notices from time to time by changing them on the Site and by notifying you through your account or by email.

  • 1. Information we collect

    We collect the following personal information about you in several ways:

    a) Information you provide when you register and use the online therapy service

    This includes:

    • Registration information - when you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient such as your date of birth, NHS number, GP details and address, and to authenticate your access to the service by way of a password for your sign-in security.
    • During the course of your treatment - This includes messaging between you and your therapist between sessions to arrange and provide you with information about your therapy sessions, the sessions themselves, the ‘homework’ activities and questionnaires completed, and the setting of goals. The sessions comprise a written real-time conversation between you and your therapist that is recorded in the form of a transcript that you can access through the account settings of the service. This will include information relevant to and about how you are feeling at that point in time. You will be encouraged to record goals within your account, and we generate information about these treatment goals and assessment score graphs to help you and us to monitor and understand your progress.
    • Any specific information required by NHS England and/or contracts with our NHS payers, e.g. specific employment information for part of Improving Access to Psychological Therapies (IAPT).
    • Your queries or comments - we will collect information if you contact us for example with a question or comment about the service and/or its content.

    You always have the option to refuse to submit personally identifiable information but note that without this information, treatment via this modality may be unavailable to you.

    b) Information collected automatically from your use of the service

    Certain information is collected automatically from your computer or device about your engagement with the service.

    This includes:

    • Session activity information - we collect information about you from your use of the service. (E.g. when you log on, accept an appointment, join a session etc.)
    • Device information - this includes information about whether you are using the service on a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure the service is optimised for different devices.
    • Log information - we collect technical information such as your Internet Protocol (IP) address, (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with the service.

    See section 7 ‘Cookies and tracking’ below for further information on cookies.

  • 2. How we use collected information (includes sharing within Ieso)

    We have appointed a Data Protection Officer and Caldicott Guardian to seek to ensure that our procedures for handling patient information meet with our obligations.

    We use the personal and clinical information that we receive from you and in connection with providing treatment to:

    • Register you with the service - to consider requests for use of the service and to enable sign-in and verified access and use of the service.
    • Communicate with you
      • via email or messages between sessions if/when appropriate, to confirm appointments, about service availability and related service updates or notifications, or to reply to your enquiries, requests or complaints.
      • via text message to remind you about upcoming appointments
      • Where you have indicated to us on a questionnaire or in response to an email that you would be happy to participate in user experience feedback or evaluations, or to share your experience of receiving therapy for therapist training purposes, we will use your contact details to give you more information and process your information further for this purpose if you subsequently give us your consent in connection with this.
    • Protect you and/or others - and seek to maintain a confidential and safe environment. These measures include:
      • user authenticated access controls to the service
      • restricted access to patient identifiable information. Access to patient records within Ieso is limited on a strictly 'need to know' basis and wherever possible processed by reference to indirect rather than directly identifying information, such as case reference numbers.
      • administering our professional compliance duties and obligations.
    • We may conduct analysis and research on your data to improve our service delivery, patient recovery rates and service development. We are passionate about learning from data by conducting high-quality scientific research to feed into treatment to improve outcomes. We believe research can help provide a greater understanding of both the causes of mental illness and the effectiveness of treatments for different subgroups of patients. We have internal procedures in place to safeguard privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible.


    We have specific processes in place regarding transcripts which are only shared beyond your therapist internally or externally in very limited circumstances, for example we may facilitate joint viewing of specific transcripts with the contracting NHS service in the case of a serious upheld complaint, see section 3 'When we share your information'.

    We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation, or, for any other reason not set out in this policy unless we have an overriding legal duty to do so.

  • 3. When we share your information

    Information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.

    We share minimum personal data with systems we use to process the data, for example your email address / mobile number to send appointment reminders, and your IP address. (See section 5 ‘How we store your information’ and section 7 ‘Cookies and tracking’ below.)

    We share the minimum necessary information where required by law, legal process, or professional ethical or law enforcement reporting purposes. This may include notifying appropriate authorities, regulators or law enforcement agencies, or allowing them confidential access to specific information as part of an inspection or review, or to prevent fraud or cybercrime or any threats. If these circumstances arise, we will inform you wherever possible.

    In order to conduct research to improve treatment, we sometimes partner with researchers outside of Ieso, e.g. university research groups. When this happens, we remove directly identifiable information (including any names and locations) from the data we share with them, so they will be unable to identify anyone personally. All partners also sign a legal agreement that any data they receive is kept confidential and secure.

    We have internal procedures in place to safeguard your privacy, so that only the minimum necessary information is used to conduct research on the most de-identified data possible. We would always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy without your knowledge or permission unless we have an overriding legal duty to do so.

    Sharing your personal information without your consent

    The sharing of information about you without your consent is strictly controlled by law.

    In exceptional situations we may need to share information (only the minimum necessary) without your permission if:

    • A serious crime has been committed
    • Withholding information could endanger someone’s life
    • A child or vulnerable adult is at potential risk or
    • We are ordered to by a court of law

    In such circumstances, we would inform you wherever possible.

    Transferring data outside the UK, and holidays during treatment

    We seek where possible to prevent any transfers of your personal information to countries which have not been assessed as having adequate data protection standards.

    The European Commission makes the decisions on the adequacy of the protection of personal data in third countries, and has decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and 11 other territories without any further safeguards being necessary.

    Accessing these online therapy services when outside the EEA is considered a transfer of data by data protection legislation. It is at your own risk if you decide to attend therapy sessions whilst you are visiting countries not listed at the web reference above.

    We do not use or share your personal information for direct marketing or promotional purposes.

  • 4. How we secure your information

    We place great importance on the security of personal identifiable information. We have put controls in place to safeguard personal information, applying physical, technical and procedural measures against the loss, misuse and alteration of personal information under our control.

    All information submitted by you is encrypted in transit using best-practice Transport Layer Security (TLS) with at least 128-bit encryption. All clinical data is encrypted using the industry-standard AES-256 cipher and stored at hosted facilities with dedicated physical access controls and restricted system access.

    We have achieved the International Standard certification for information security (ISO 27001) and Cyber Essentials Plus certification, and satisfy the requirements of the NHS Data Security and Protection Toolkit.

    Remember also that you are responsible for keeping your password secret at all times when accessing and using the service.

  • 5. How we store your information

    Ieso Digital Health headquarters are in the United Kingdom (UK), and information about you submitted via the online therapy service is hosted by our service provider on secure servers in the UK. As detailed in the Security section of these Privacy Notices, such information is stored in an encrypted state, both in transit and at rest, meaning the provider cannot lawfully access identifiable information.

    We use a small number of well-known SaaS (Software as a Service) providers to store subsets of your information and enable the uses of information described in these notices. We have Data Processor Agreements in place with each. These providers either store the data in the UK or EEA, or have in place Binding Corporate Rules, EU-US Privacy Shield self-certification, or EU Model Clauses to uphold your legal data protection rights.

    We may retain your information and health record as a resource that you can return to at any time you wish. This can help you remember coping strategies, techniques or processes that you learnt in therapy. If you were to experience a setback between sessions or after you’ve completed treatment, you may find it useful to refer to your therapy transcripts and messages. Also, if you were to require further therapy sessions at any time in the future, a therapist would be able to access all the relevant information. We retain your clinical record by reference to the IGA Records Management Code of Practice for Health and Social Care guidance for managing health records. The Code is based on current legal requirements and professional best practice.

    Research records and data are kept for a minimum of 20 years in accordance with Medical Research Council guidance.

    Our data retention practices are reviewed at least annually in conjunction with industry standards and best practice.

  • 6. Your access, rights and choices

    You can access specific details relating to your treatment through the service online at any time directly through your account. This includes your treatment goals, score graphs, messaging and treatment session transcripts, and may remain a resource available to you after the conclusion of your treatment. You can also update or amend some key registration and contact details directly through your account.

    If you feel there is an error of fact on your health record held by us, you can contact your therapist or your referring healthcare service or GP. If they agree the information is incorrect, the alteration will be made. If they are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.

    Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.

    If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the data you have provided (for example to your GP) please email, subject: ‘For the Attention Of the Chief Clinical Officer’, to

    If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.

  • 7. Cookies and tracking

    We use cookies or similar technologies such as device IDs, pixel tags and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the Ieso site and service. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the site or using the service and that sometimes track information about a user.

    We use cookies for the following reasons:

    • Secure login and navigation - we use necessary session cookies to help verify and authenticate your access to the services and to let you smoothly navigate the service and use its features.
    • Functionality - these cookies allow us to optimise the service to you. For example, you can shut your browser but not be logged out, as long as an hour of inactivity does not pass, to enable you to complete questionnaires, ‘homework’ etc.
    • Analytics and performance - we use cookies to collect information about how you use the site and service or engage with communications about the service, which enables us to improve the way each works. These cookies provide us with overall statistics about the number of unique interactions there are with the Site and service and provide aggregate information on overall patterns of usage. We use a third-party provider, Google Analytics, to collect and provide this information by reference to the cookie id and IP of your device and the log information about the use of the site or service affiliated to that cookie id to measure these activity levels. This information is transmitted to and stored on the servers of Google. You can opt-out from the collection of this information by Google by downloading and installing a browser plug-in at

    Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or service.

    You can also learn more about our use of cookies by visiting our cookies policy.

  • 8. Specific information relevant to Children and Young People

    Our contract with your healthcare provider determines the lower age limit for our services. As standard it is 18, but specific contracts also include 16 and 17 year olds.

  • 9. Your questions and how to contact us

    If you have any questions or comments about these notices, please let us know:

    By email: (or for technical support questions contact our technical support team:

    By telephone: on 0800 074 5560

    To reach our data protection officer please use the above details and mark your communication for the attention of Helen Simpson.

    In an emergency please contact:

    • Your GP surgery or local A&E
    • Your referring healthcare provider
    • Urgent Care (for out of hours access to GP): 111
    • The Samaritans 116 123 or
    • Emergency Services 999

  • 10. Changes to your personal data

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

In an emergency
Call 111 - if you urgently need medical help or advice but it is not a life threatening situation
Call 999 - if you or anyone else is in immediate danger or harm
Call the Samaritans 24 hours a day on 116 123