Summary of changes to these Privacy Notices
This update does not introduce any material changes to how your personal data is collected or processed. The changes include:
We are committed to protecting your privacy and confidentiality.
Effective date: 19th December 2023
We reserve the right to change these Privacy Notices as appropriate, by updating the effective date and posting it on the Site. If we make material changes to how we process your personal data, we will notify you via a banner in your account or by email. In all cases, your use of the Service after the effective date of any modified Privacy Notices indicates you have read and understood the modified Privacy Notices.
You may contact us to obtain previous versions of this Privacy Notice.
These Privacy Notices describe the privacy practices of Ieso Digital Health (UK) Limited and our subsidiaries and affiliates (including Ieso Digital Health Limited and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect through the provision of Cognitive Behavioural Therapy services provided online through iesohealth.uk (the Site) as well as through other activities described in this Privacy Notice, such as our research and product development activities. Collectively, these form the Service. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers ZA239229 and Z5383093). If you require further information on anything below, please contact our Data Protection Officer via privacy@iesohealth.com. Full details on how to contact us can be found in
We understand that the privacy and confidentiality of all the personal data you provide, especially the verbatim records of therapy sessions, is important to you, and our internal policies and procedures reflect this and the need to share the minimum information necessary.
What these Privacy Notices cover
These notices explain how ieso collect, process, store, share and secure your personal data, and how you can exercise and manage your personal data.
We collect the following Personal Data about you in several ways:
This includes:
• Registration information - When you register, we collect contact information such as your name, date of birth, email address and mobile number. We also collect information to authenticate you as an eligible patient, such as your NHS number (or CHI number if you're registered in Scotland), GP details and address.
• Demographic information - We collect information about you so we and the NHS can build a picture of the services we deliver to different groups of people, monitor the quality of our standards (including to monitor potential bias and improve fairness), and to ensure sufficient services are delivered to local populations. These questions are entirely voluntary to answer and include questions regarding your ethnicity, religion, sexual orientation, etc.
• Assessment information - We collect information using standard patient assessment questionnaires to understand your clinical needs and build a treatment plan. Assessment information can include your experiences and how you are feeling, as well as your medical history, lifestyle, family, work and education.
• Delivering treatment - We collect information whilst delivering treatment to you, including the conversations you have with your clinician inside and outside therapy, appointments, the “homework” activities, setting goals, and clinical questionnaires. You’re able to access your verbatim record at any time, to reflect on the treatment and care delivered to you.
• Additional information required by the NHS - We provide our services on behalf of NHS Talking Therapies in England and nationally in Scotland, and we may collect additional information if it’s required by individual NHS Talking Therapies services. For example, some NHS Talking Therapies services collect employment information to provide optional employment support as appropriate.
• Your queries or comments - We collect information about you and your query, comment or complaint, for example, a question about our service or request for technical support.
You always have the option to refuse to submit personal identifiable information to us; however, without this information, we may not be able to provide you with our Service.
• Referral information - If you are referred to ieso by your local NHS Talking Therapies service or by your GP, we will usually collect your name, date of birth, address, mobile number, consent option to receive voicemails, email address, NHS number, reason for referral and any relevant information notes or questionnaire scores. NHS numbers may be obtained directly from the central NHS system.
• Therapist notes - At the end of each session, your clinician will write up a clinical summary of the session. For some NHS contracts, these will be routinely shared with your NHS Talking Therapies service. (This doesn’t include your verbatim records, which aren’t shared externally except in exceptional circumstances, such as in a serious clinical incident).
• Supervision notes – Your clinician may share some of your details with their supervisor for feedback and/or advice. Where this affects the treatment you receive, this will form part of your health record.
See here or
We use your Personal Data to ensure that we provide you with the best possible treatments, both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to ensure that our procedures for handling patient information and requests meet with our obligations.
Under our terms, we use your Personal Data to provide this Service, to:
Truly transforming mental healthcare requires deeper research and innovation. We know that therapy can be highly effective, but currently clinicians are unable to reliably predict which therapies are most likely to work for particular people. This means that those seeking help for a mental health condition can face a lengthy process of trial-and-error before they find the right treatment, or combination of treatments, for them. To understand how to make therapy more effective for more people, we need to learn how patients’ treatment outcomes (including their mental health measures, functional measures, emotional wellbeing, and achievement of personal goals) relate to the therapy they are given. The answers lie in health and care data; the key to unlocking them is research. Our scientists have developed tools that use machine learning, natural language processing (NLP) and artificial intelligence (AI) to automatically label every element of therapy given to each patient. This means we can measure how much of each therapy session is spent on different activities, such as understanding a patient’s needs, delivering different therapy protocols, evaluating progress, and setting and reviewing between-session homework tasks. You can read more about research at ieso here.
If you’d like to opt out of ieso’s research and planning, please visit ieso Online Therapy | Research and your data (NHS) (iesohealth.com)
We only ever share the minimum information necessary to provide the best treatments, care and protection for yourself or others, to conduct our research, and/or to satisfy legal requirements. For example, depending on your referring healthcare provider, your Personal Data may be shared to update their records and/or as part of the Minimum Data Set required nationally by NHS England for all its patients. We have specific processes in place regarding verbatim records of sessions which are only shared internally, or externally in very limited circumstances, for example we may facilitate joint viewing of/ listening to specific verbatim records of sessions with the contracting NHS service in the case of a serious upheld complaint, see
We will always seek your permission before disclosing your personal identifiable information to another person or organisation for any other reason than those set out in these privacy notices, unless we have an overriding legal duty to do so (for example, in the prevention and/or detection of a crime).
Legal bases for processing your Personal Data:
We use your Personal Data only as permitted by law, for the purposes for which we collected it. By agreeing to the terms and conditions of the Service you have entered into a contract with us which forms the legal basis for most of the processing of your Personal Data.
For most of our processing, our Article 9 condition to process special category data is provision of health care, except where indicated otherwise in brackets.
• For delivery of treatment, including communicating with you, we rely on contract.
• For the retention of your health record when treatment has ended, we rely on legitimate interests.
• For processing demographic information to monitor our services, including monitoring for bias and discrimination, seeking to improve fairness and to report to the NHS as required, we rely on legitimate interests.
• For safeguarding and NHS minimum data set information, we rely on legal obligations.
• For standard information sharing with GPs or during referrals for secondary care, we rely on consent.
• For sharing information with an employee assistance service, we rely on consent (Article 9 condition is explicit consent).
• For sharing information with the emergency services when consent isn’t possible, we rely on vital interests (Article 9 condition is vital interests).
• For information held in establishment or defence of a legal claim or complaint, we rely on legitimate interests.
• For upholding NHS Digital opt-outs in England, we rely on public task.
• For research and service analytics, such as service evaluation, improvement and development, we rely on legitimate interests (Article 9 condition is scientific research and provision of health care).
As part of our commitment to you, we are committed to continued improvement and development. Research supports us to provide you and all our patients with high-quality evidence-based care and products/ tools, and to help more people get treatment earlier. We publish findings (which only ever include aggregated data) in peer reviewed scientific journals, satisfying the legal basis of the special category data processing being necessary for scientific research purposes, which we use for a subset of our research activities.
We appreciate and respect that the confidentiality of your treatment is of the utmost importance to you. That’s why we share information on a strict need-to-know basis, and anyone receiving information about you will be under an equal legal duty to keep it confidential.
In delivering the Service to you, your Personal Data may be shared with:
a) Health services and support
b) Outside the normal course of providing our Service
If you indicate to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, we will use your contact details to give you more information and process your Personal Data further for this purpose if you subsequently give your consent, which would include wider sharing of your Personal Data as agreed with you.
If you leave a review of our service on an external site, e.g., Trustpilot, you do so at your own discretion and ieso is not responsible for how that data is processed. We may respond to your review.
c) Sharing your Personal Data without your agreement
The sharing of Personal Data is strictly controlled by law, but as the Caldicott Principles highlight, “the duty to share information for individual care is as important as the duty to protect patient confidentiality” when required by law or to protect either your or another person’s wellbeing.
In exceptional circumstances, we may need to share information (only the minimum necessary) without your permission if:
In such circumstances, we would inform you wherever possible.
d) Transferring Personal Data outside the UK or European Economic Area, and holidays during treatment
We seek where possible to prevent any transfers of your Personal Data to countries which have not been assessed as having adequate data protection standards. However, it may sometimes be necessary for subsets of information to be stored in well-known SaaS (Software as a Service) providers which do transfer data to other regions with appropriate safeguards. See
In the limited instances when data is shared overseas, the UK Government, in consultation with the ICO, makes decisions on adequacy of the protection of personal data in other countries and we have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards and contracts that mean the transfer is lawful and appropriate.
You may
if you want further information on the specific mechanism used by us when transferring your personal information out of the United Kingdom and the EEA.
We have not, and will never, sell your Personal Data for any purpose.
We take the security of your Personal Data very seriously.
We have implemented controls to safeguard the Personal Data that you provide, applying physical and organisational measures against loss, misuse and alteration of your Personal Data under our control.
All information you provide is encrypted in transit using the best-practice encryption (256-bit encryption) and secured in our trusted and vetted providers.
We have achieved the International Standard certification for information security (ISO 27001), Cyber Essentials Plus and exceed the expectation of the NHS Data Security and Protection toolkit.
You must also take responsibility for the protection of your account by keeping your password secure and secret at all times when accessing or using our Service.
ieso is headquartered in the UK and information submitted about you via the Service is stored in the UK or European Economic Area and managed by ieso. Until our change of patient management system is complete, the storage will be hosted by Microsoft Azure. After successful integration and migration, your patient file will be stored in Iaptus, used by over 200 NHS customers and vetted by ieso, which is owned by Mayden House Ltd and hosted in the UK. We will continue to use Microsoft Azure for storage of our research and service evaluation data. Both software providers may access your data in specific, approved circumstances, and we have Data Processing Agreements in place with Mayden and Microsoft.
We also use a small number of well-known SaaS (Software as a Service) providers to process and/ or store smaller subsets of your Personal Data and enable the uses of the Personal Data as described in this privacy notice. We have Data Processor Agreements in place with each SaaS provider. Where possible these providers store the Personal Data in the UK or EEA; otherwise, we have implemented legal safeguards to ensure the transfer of data is legal and ethical.
How long we retain your Personal Data
We retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it. We’ve taken considerable time and diligence to determine the most appropriate retention periods, considering the nature, amount and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and applicable legal and healthcare industry requirements.
In particular, we retain records in accordance with the Records Management Code of Practice developed by NHS England – Transformation Directorate, which is accessible here.
When we no longer require the Personal Data we have collected about you, we will either delete or anonymise it, or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymise your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
You can access specific details relating to your treatment through the Service online at any time directly through your account; these will therefore remain resources available to you after the conclusion of your treatment. These include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal setting activities. The sessions comprise a verbatim record of conversation between you and your therapist that is retained in the form of a transcript for text therapy or an audio file for video therapy.
If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record your referring healthcare service or GP. If we agree the information is incorrect, the alteration will be made. If we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate but we will not alter the information, and you will be notified of either the correction or the note.
Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict Personal Data processing where certain limited grounds apply. Note however that Personal Data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.
If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the Personal Data you have provided (for example to your GP) please
Our complaints procedure is available on the site, and there is a link to it here.
If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.
We use cookies or similar technologies such as device IDs, pixel tags and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the Site and Service. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the Site or using the Service and that sometimes track information about a user.
We use cookies to secure your login, authenticate your access, enable smooth navigation across the Service and its features, and to enable patients to resume from where they left off (e.g., patients can resume completing their routine questionnaires easily, rather than having to complete them in one sitting).
Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting http://allaboutcookies.org/ which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service.
You can also learn more about our use of cookies by visiting our cookies policy.
Our Services are not intended for use by anyone under 16 years old. Our contract with your healthcare provider determines the lower age limit for our Services. As standard it is 18, but specific contracts also include 16- and 17-year-olds.
If you have any questions or comments about this privacy notice, please let us know:
By email: privacy@iesohealth.com (or for technical support, contact our technical support team: support@iesohealth.com)
By telephone: 0800 074 5560
By post: ieso, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS
To reach our data protection officer, please use the above details and mark your communication for the attention of the Privacy team. In an emergency regarding your health, please contact:
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
This Privacy Notice applies to any Site where it is referenced, regardless of the computer, mobile or other device you use to access or use the Service. The Site and Service may contain links to websites, mobile applications, and other online services operated by third parties. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy notices or content of such websites, mobile applications and online services you use.