Effective date for users who register from 22 Sept 2021: 22 Sept 2021
Effective date for users who registered before 22 Sept 2021: 22 Oct 2021
Previous versions can be obtained from the Data Protection Officer.
We are committed to protecting your privacy and confidentiality.
These are the Privacy Notices that cover the supply of Cognitive Behavioural Therapy services provided online (the Service) through http://iesohealth.com (the Site). The Site and the Service are provided by Ieso Digital Health (UK) Ltd (ieso, we, us and our). For the purposes of data protection legislation, we are a data controller registered with the Information Commissioner (registration number ZA239229). If you don’t understand or require further information on anything below, please contact our Data Protection Officer firstname.lastname@example.org. Full details on how to contact us can be found in section 8 below.
By agreeing to the terms and conditions of the Service you have entered into a contract with us which forms the legal basis for most of the processing of your personal information, including for research compatible with the original purposes of processing. Safeguarding information is processed under legal obligation; and any information held in establishment or defence of a legal claim or complaint is processed in our legitimate interests. We process your special category data for medical purposes. As part of our contract with you, we are committed to continued improvement and development. Research supports us to provide you and all our patients with high-quality, evidence-based care. We publish findings (which only ever include aggregated data) in peer reviewed scientific journals, satisfying the legal basis of the special category data processing being necessary for scientific research purposes, which we use for a subset of our research activities.
Here we explain what personal information we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your data. These Privacy Notices reflect legal requirements, regulations, and best practice.
We understand that the privacy and confidentiality of all the personal information, especially some messaging and the verbatim records of therapy sessions, that you provide and we handle, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary.
These Privacy Notices describe our treatment of personal and clinical information that we collect when you access or use our Service.
We describe here how we handle your personal and clinical information for the purpose of providing and improving the Service. We will not sell or share your personal information for direct marketing or other promotional purposes.
These Privacy Notices apply to any Site where they are referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and the Service include links to websites that are owned and operated by third parties. We are not responsible for the privacy policies or content of such websites.
We reserve the right to change these Privacy Notices from time to time by changing them on the Site and by notifying you through your account or by email. Amended terms will take effect 30 days after they are published.
We collect the following personal information about you in several ways:
You always have the option to refuse to submit personally identifiable information to us but note that without this information, the Services may be unavailable to you.
We add to the information we collect from you with information we receive from other sources. This includes:
Certain information is collected automatically from your computer or device about your engagement with the Service. This includes:
See here or read below for further information on cookies.
We use the personal information we collect to ensure that we provide you with the best possible treatment both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to seek to ensure that our procedures for handling patient information meet with our obligations.
We use the personal and clinical information that we receive under our terms with you and in connection with providing treatment to:
Communicate with you
Protect you and/or others - and seek to maintain a confidential and safe environment. These measures include: user authenticated access controls to the service
Conduct analysis and research to improve our service delivery, patient recovery rates and service and product development. We are passionate about learning from these data by conducting high-quality scientific research to feed into treatment to further improve outcomes. We believe research can help provide a greater understanding of both the causes of mental illness and the effectiveness of treatments for different subgroups of patients. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible.
Much of our research is based on questionnaire scores and responses, in combination with some or all of: number of sessions, age, gender, diagnoses and partial postcodes; but we also use machine learning, natural language processing (NLP) and artificial intelligence (AI) on the communications between you and your therapist and on therapist summaries of the sessions. Click here for more information about how ieso uses your data for research.
We only ever share the minimum information necessary to provide the best treatment, care and protection for yourself or others, or to satisfy legal requirements. We have specific processes in place regarding verbatim records of sessions and messaging, which have restricted access internally, and are only shared externally in very limited circumstances where required to do so by law.
We will always seek your permission before disclosing your personal identifiable information to another person or organisation for any reason other than those set out in these privacy notices, unless we have an overriding legal duty to do so (for example, in the prevention and/or detection of a crime).
We appreciate and respect that the confidentiality of your interactions with the Service are of utmost importance to you. Information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.
The confidentiality of all information shared between yourself and your therapist is upheld to the highest level possible. We recognise that you may consider some information you give to us, and that may be recorded in the verbatim records of therapy sessions and/or messaging, as particularly sensitive. Relevant internal policies and procedures are designed to share the minimum information necessary to provide the best treatment, care and protection for yourself or others.
In delivering the Service to you, we share the minimum personal data with the systems we use to process the data: your email address for automated emails, your case reference number if the case is discussed in supervision sessions, and your IP address. (See section 5 ‘How we store your information’ and section 7 ‘Cookies and tracking’ below.)
Outside the normal course of providing services
We also share the minimum necessary information where required or entitled by law, legal process, or professional ethical or law enforcement reporting purposes. This may include notifying appropriate authorities, regulators or law enforcement agencies, or allowing them confidential access to specific information as part of an inspection or review, or to prevent fraud or cybercrime or any threats. If these circumstances arise, we will inform you wherever possible.
Where you have indicated to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, we will use your contact details to give you more information and process your information further for this purpose if you subsequently give your consent, which would include wider sharing of your personal data as agreed with you.
If you agree to leave a review of our service on an external site, then the process will include giving a name, email address, star rating, comment and optional photograph to the third-party site (e.g. Trustpilot), who will then be the controller of this data. The third party will not receive any data before your agreement.
In order to conduct research, we sometimes partner with researchers outside of ieso, e.g. university research groups. When this happens, we remove directly identifiable information from the data we share with them, so they will be unable to identify anyone personally. All partners also sign a legal agreement that any data they receive is kept confidential and secure.
Where you are accessing these services as part of a research project led by another organisation, you will have consented with them to share the relevant data back to them for their research. For the avoidance of doubt, this will not include verbatim records of your therapy sessions.
We have internal procedures in place to safeguard your privacy, so that only the minimum necessary information is used to conduct research on the most de-identified data possible. We will always seek your permission before disclosing your personal identifiable information to another person or organisation for any reason other than those set out in these privacy notices, unless we have an overriding legal duty to do so (for example, in the prevention and/or detection of a crime).
Sharing your personal information without your agreement
The sharing of information about you without your agreement is strictly controlled by law. In exceptional situations we may need to share information (only the minimum necessary) without your permission if:
In such circumstances, we would inform you wherever possible.
Transferring data outside the UK, and holidays during treatment
We seek where possible to prevent any transfers of your personal information to countries which have not been assessed as having adequate data protection standards. Post-Brexit, the UK has accepted all adequacy decisions made by the European Commission (decisions on the adequacy of the protection of personal data in third countries, where the Commission has decided that personal data can flow safely between countries). Data can therefore flow freely in the European Union, the European Economic Area (EEA), and 12 other territories without any further safeguards being necessary. (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
Accessing our Services when outside these territories is considered a transfer of data to a third country by data protection legislation. It is at your own risk if you decide to attend therapy sessions whilst you are visiting countries not listed at the web reference above. Our therapists are not permitted to access the Service from outside these territories, so will notify you of any necessary short breaks in your treatment due to travel.
We will not sell or share your personal information for direct marketing or other promotional purposes.
We place great importance on the security of personal identifiable information associated with our patients. We have put controls in place to safeguard the personal information that you provide, applying physical, technical and procedural measures against the loss, misuse and alteration of personal information under our control.
All information submitted by you is encrypted in transit using best-practice Transport Layer Security (TLS) with at least 128-bit encryption. All clinical data is encrypted using the industry-standard AES-256 cipher and stored in Microsoft Azure, on secure servers in the UK, managed by ieso.
We have achieved the International Standard certification for information security (ISO 27001) and Cyber Essentials Plus certification, and we satisfy the requirements of the NHS Data Security and Protection Toolkit.
Remember also that you are responsible for keeping your password secret at all times when accessing and using the Service.
ieso headquarters are in the United Kingdom (UK), and information about you submitted via the Services is used by us and hosted by our service provider, Microsoft Azure, on secure servers in the UK, managed by ieso. As detailed in the Security section of these Privacy Notices, such information is stored in an encrypted state, both in transit and at rest, meaning the provider cannot lawfully access identifiable information.
We use a small number of well-known SaaS (Software as a Service) providers to store subsets of your information and enable the uses of information described in these notices. We have Data Processor Agreements in place with each. Where possible these providers store the data in the UK or EEA. Where they are located outside the UK / EEA we ensure they are either party to an adequacy decision or have in place one of the additional safeguards necessary to make the transfer, such as Binding Corporate Rules or EU Model Clauses (Standard Contractual Clauses), to uphold your legal data protection rights.
We retain your information and health record as a resource that you can return to for 20 years post discharge. This can help you remember coping strategies, techniques or processes that you learnt in therapy. If you were to experience a setback between sessions or after you’ve completed treatment, you may find it useful to refer to the transcripts/audio recordings of your therapy sessions and messages.
We retain your clinical record by reference to the NHSX Records Management Code of Practice https://www.nhsx.nhs.uk/media/documents/NHSX_Records_Management_CoP_V7.pdf and to support our legal obligations to be accountable for your care. The Code is based on current legal requirements and professional best practice.
Research records and data are kept for a minimum of 20 years in accordance with Medical Research Council guidance.
Our data retention practices are reviewed annually in conjunction with industry standards and best practice.
You can access specific details relating to your treatment through the Service online at any time directly through your account; these will therefore remain resources available to you after the conclusion of your treatment. They include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal-setting activities. The sessions comprise a verbatim record of the conversation between you and your therapist, retained in the form of a transcript for text therapy or an audio file for video therapy. You can also update or amend some key registration and contact details directly through your account.
If you feel there is an error of fact on your health record held by us, you can contact us. If we agree the information is incorrect, the alteration will be made. If we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate. You will be notified of either the correction or the note.
Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict personal data processing where certain limited grounds apply. Note however that data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.
If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the data you have provided (for example to your GP) please write to: The Chief Clinical Officer, ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
Or by email, for the attention of the Chief Clinical Officer, to email@example.com
Our complaints procedure is available on the site, and there is a link to it here.
If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.
Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service.
If you have any questions or comments about these notices, please let us know:
By email: firstname.lastname@example.org (or for technical support questions contact our technical support team: email@example.com)
By telephone: on 0800 074 5560
Or by post to: ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
To reach our data protection officer please use the above details and mark your communication for the attention of: Helen Simpson
In an emergency please contact:
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.