We collect the following Personal Data about you in several ways:
‍

a) Information you provide to us when you register and use our Service

This includes:

• Registration information - when you register, we collect contact information such as your name, date of birth, email address and mobile number; information to authenticate you as an eligible patient such as your date of birth, NHS number (CHI number in Scotland), GP details and address, and to authenticate your access to the Service by way of a password for your sign-in security; and demographic information, mostly not mandatory to answer, such as gender, ethnicity, religion to enable ieso and the NHS to create a picture of services delivered around the country to check that quality standards are similar everywhere and the local demographic population is provided with adequate services (all reports published from this data are aggregated and contain no information that could reveal your identity).
  ‍
• Assessment information - we collect information using standard structured patient assessment questionnaires both to initially establish what treatment plan is likely to be beneficial to your needs, and on an ongoing basis prior to each session of your subsequent care. Assessment information can cover a range of factors relevant to your experiences and how you are feeling in addition to your medical history, lifestyle, family, work and education.
  ‍
• During the course of your treatment - This includes messaging between you and your therapist between sessions to arrange and provide you with information about your therapy sessions, the sessions themselves, the ‘homework’ activities and questionnaires completed, and the setting of goals. The sessions comprise a verbatim record of conversation between you and your therapist that are retained in the form of a transcript for text therapy or an audio file for video therapy, and which you can access through the account settings of the Service. This will include information relevant to and about how you are feeling at that point in time. You will be encouraged to record goals within your account, and we generate information about these treatment goals and assessment score graphs to help you and us to monitor and understand your progress.
  ‍
• Any specific information required by the NHS and/ or contracts with our NHS payers. E.g., specific employment information for part of Improving Access to Psychological Therapies (IAPT).
  ‍
• Your queries or comments - we will collect information if you contact us for example with a question or comment about the Service and/ or its content.
  ‍
  

You always have the option to refuse to submit personally identifiable information to us, but note that without this information the Services may be unavailable to you.
‍

b) Information we collect from other sources
‍

We add to the information we collect from you with information we receive from other sources.

This includes:

• Referral information - from your General Practitioner (GP) or healthcare provider, if you are referred by them for treatment to ieso and the Service. This will usually include your name, date of birth, address, mobile number and whether you have consented to voicemail messaging, email address, NHS number, reason for referral and any relevant assessment notes and questionnaire scores. NHS numbers, or home telephone numbers where required by a specific NHS contract, may be obtained directly from central NHS systems, and CHI numbers in Scotland from your GP or local psychology team.
  ‍
• Therapist notes - At the end of each session your therapist will produce a short set of clinical notes to summarise the session. For some of our NHS contracts, these summary notes are copied into your health record on your health care provider’s patient management system, but the verbatim records of sessions will never be copied over.
  ‍
• Supervision notes – a therapist may share some of your details with their supervisor per section 2 below and receive advice and /or feedback. Where this affects the treatment you receive, and/or the outcome, it makes up part of your medical record with us.
  ‍
• Demographic information - that is publicly available and that enables us to understand anonymous health statistics at postcode level.
  ‍

c) Information collected automatically from your use of the Service
‍

Certain information is collected automatically from your computer or device about your engagement with the Service.
‍
This includes:

• Session activity information - we collect information about you from your use of the Service. (E.g., when you log on, accept an appointment, join a session etc.)
  ‍
• Device information - this includes information about whether you are using the service on a mobile, tablet or computer. This helps us understand how people interact with our service so that we can ensure the Service is optimised for different devices.
  ‍
• Log information - we collect technical information such as your Internet Protocol (IP) address, (the unique address that identifies your device or computer on the internet), your browser type and when, how often and for how long you interact with the Service.
  ‍

See here or read below for further information on cookies

We use the Personal Data we collect to ensure that we provide you with the best possible treatments both now and in the future. We have appointed a Data Protection Officer and Caldicott Guardian to seek to ensure that our procedures for handling patient information and requests meet with our obligations.

We use the Personal Data that we receive under our terms with you to:

• Assess your suitability and eligibility for CBT
  ‍
• Assess your eligibility for the ieso app, and where eligible, offer you access whilst you wait for your first appointment.
  ‍
• Register you with the Service - to consider requests for use of the Service and to enable sign-in and verified access and use of the Service.
  ‍
• Assess your treatment needs - to place you with an appropriate therapist, and to aid selection of exercises and questionnaires.
  ‍
  
• Provide your treatment - your Personal Data is shared with your therapist to support your treatment and evaluate your progress, including messaging to arrange sessions, conducting sessions, assessing progress against treatment goals and maintaining your case file. It’s your choice to decide what to share with your therapist, but the more information that your therapist has about you, the more likely it is that they will be able to provide you with highly effective treatment. Your therapist only has access to your Personal Data during your treatment and for 6 weeks after discharge to allow for reflection and/ or to consider any feedback from you.
  Subject to appropriate safeguards, some of the details of your case may be shared in your therapist’s routine clinical supervision with their Clinical Supervisor if they wish to obtain advice or assurance on the work you are doing together. The British Association of Behavioural & Cognitive Psychotherapies (“BABCP”) requires that all therapists must receive clinical supervision. A Clinical Supervisor is a therapist who has received additional training and is generally more experienced than the therapist. This is to ensure that the therapy you are receiving is the most helpful it can be and remains faithful to best practice evidence. Clinical supervision includes case discussions (and may include referring to messages/ transcripts/ audio recordings) either individually or within a group of therapists, all of whom are bound by confidentiality.
  
• Investigate and find solutions for any infotech issues you ask us to resolve in association with your account

• Communicate with you
• via email, phone or the messages section of your file between sessions if/ when appropriate, to confirm appointments, remind about incomplete questionnaires, about Service availability and related Service updates or notifications, to resolve technical issues, or reply to your enquiries, requests or complaints.
• via text message to remind you about upcoming appointments or alert you to messages in your account.
• via voicemail (where you have agreed to this) for missing information or questionnaires.
• via post at assessment and /or the end of treatment.
• If you have indicated to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, for example, we will use your contact details to give you more information. We may also use your demographic information to ensure we contact a representative and diverse population. If you subsequently consent, we will process your Personal Data further for this purpose, which would include wider sharing of your Personal Data as agreed with you. (A separate set of privacy notices will be provided for these specific purposes)
• To let you know of any clinical trials/ studies/ projects for which you may be eligible (in which of course you can decline to take part).
• We also contact you after you’ve completed treatment to ask for feedback and to check on your wellbeing.
  ‍
• Uphold the NHS Opt-out service in England. We submit all patient NHS numbers to the ‘Check for National Opt-outs service’ in order to apply data opt-outs in accordance with patient wishes.
  ‍
• Determine whether or not you are eligible and suitable for participation in one of our clinical trials/ studies. We are data-driven research orientated company who passionately believe in responsible innovation to increase the understanding of mental health, improve treatments and widen access to treatment, and our team may review your Personal Data to identify participants.
  ‍
• Offer you a referral to an employment assistance programme where an NHS customer offers such a service.
  ‍
• Protect you and/or others - and seek to maintain a confidential and safe environment.

These measures include:

• user authenticated access controls to the service
• restricted access to patient identifiable information. Access to patient records within ieso is limited on a strictly 'need to know' basis and wherever possible processed by reference to indirect rather than directly identifying information, such as case reference numbers.
• ongoing review of the care and help our professional therapists provide to make sure it meets our quality standards. This includes training, case management support, moderation, supervision and monitoring of messaging and treatment sessions.
• developing learning/ training programmes for our therapists.
• administering our professional compliance duties and obligations.
  ‍
• To investigate queries from our NHS payers. For example, investigating any delays in treatment or complaints
  ‍
• Conduct analysis and research to improve the Service, the Site and/or to develop new digital products/ tools to improve the access, assessment or treatment of mental health conditions. We are passionate about learning from your Personal Data by conducting high-quality scientific research to feed into treatment and product development to further improve outcomes and help more people get treatment earlier. We believe research can help provide a greater understanding of both the causes of mental illness and the effectiveness of treatments and interventions for different subgroups of patient. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible, including anonymisation where possible. Some of our research is based on the NHS Minimum data set (see section 3 below), but we also use machine learning, natural language processing (NLP) and artificial intelligence (AI) on questionnaires, communications between you and your therapist, and on therapist summaries of the sessions. To learn more, click here.
  ‍
• To anonymise your Personal Data to use it for the development of products/ tools intended to help more people access treatment earlier and/or assess their need for such treatments. Although this is not then Personal Data, you may be interested in reading about an example of this research here.
  ‍

We only ever share the minimum information necessary to provide the best treatments, care and protection for yourself or others, to conduct our research, and/or to satisfy legal requirements. For example, depending on your referring healthcare provider, your Personal Data may be shared to update their records and/or as part of the Minimum Data Set required nationally by NHS England for all its patients. We have specific processes in place regarding verbatim records of sessions which are only shared internally, or externally in very limited circumstances, for example we may facilitate joint viewing of/ listening to specific verbatim records of sessions with the contracting NHS service in the case of a serious upheld complaint, see section 3 'When we share your Personal Data'.

We will always seek your permission before disclosing your personal identifiable information to another person or organisation for any other reason than those set out in these privacy notices, unless we have an overriding legal duty to so do (for example, in the prevention and/or detection of a crime).

Legal bases for processing your Personal Data:
‍
‍We use your Personal Data only as permitted by law, for the purposes for which we collected it. By agreeing to the terms and conditions of the Service you have entered into a contract with us which forms the legal basis for most of the processing of your Personal Data, including processing for service evaluation and improvement purposes which is deemed compatible with the original purposes of processing.

Safeguarding and NHS minimum data set information is processed under legal obligation;

Standard information sharing with GPs or during referrals for secondary care is by consent;

Sharing with an employment assistance service where available is by consent;

Sharing with emergency services when consent is not possible is under vital interests;

Any information held in establishment or defence of a legal claim or complaint is processed in our legitimate interests; and

Processing to uphold NHS Digital opt outs in England is to carry out a public task.

(see also sharing data without your agreement below)

We process your special category data for medical purposes.

As part of our contract with you, we are committed to continued improvement and development. Research supports us to provide you and all our patients with high-quality evidence-based care and products/ tools, and to help more people get treatment earlier. We publish findings (which only ever include aggregated data) in peer reviewed scientific journals, satisfying the legal basis of the special category data processing being necessary for scientific research purposes, which we use for a subset of our research activities. Where we process your deidentified data for research purposes, which is deemed compatible with the original lawful basis, we rely on legitimate interests and, where we process special category data, additionally scientific research purposes.

We appreciate and respect that the confidentiality of your interactions with the Service are of utmost importance to you. Information is only shared on a strictly ‘need to know’ basis. Anyone receiving information about you will be under an equal legal duty to keep it confidential.

The confidentiality of all information shared between yourself and your therapist is upheld to the highest level possible. We recognise that you may consider some information you give to us, and that may be recorded in the verbatim records of therapy sessions and/or messaging, as particularly sensitive. Relevant internal policies and procedures are designed to share the minimum information necessary to provide the best treatments, care and protection for yourself or others, and to conduct our research.

‍In delivering the Service to you, your Personal Data may be shared with:
‍

• Your GP and/or your referring healthcare provider - Like all NHS service providers, it is important for us to work in collaboration with other healthcare professionals like your GP or your local psychological therapy service. This will be at the end of your treatment where we notify your GP or healthcare provider of the discharge (and of the assessment at the start of treatment if you are assessed by ieso) via encrypted email or by post (you also receive a copy of these letters), or where we refer you back to your original provider or transfer your care to another healthcare provider where the alternate provider is able to administer more appropriate care (we provide them with details of your condition and the treatment provided by us). During registration we ask whether you are happy for your therapist to share information about your treatment with your GP and you may decline this. Some of our NHS contracts require us to update the referring provider’s patient management systems with information such as when you have sessions and clinical summaries of the sessions, and some also require audit meetings to review feedback (which very occasionally may include the joint viewing of/ listening to specific verbatim records of sessions or messaging relating to any internal investigations that have been conducted by us as a result of a serious clinical incident or significant complaint during the year). We also update your referring healthcare service to enable invoicing and/or during the investigation of any serious clinical incidents.
  ‍
• N.B. Public health record-keeping requirements and our contractual obligations to healthcare providers mean that even if you self-refer to ieso, we will update the patient management system of the NHS healthcare provider funding your treatment (or provide regular reports in Scotland) in regions where we do not directly submit the Minimum Data Set statistics to NHS Digital (see below) with your Personal Data. Please be assured however, that this will NOT include the verbatim records of your therapy sessions or messages with therapists.
  ‍
• NHS Digital - Providers of NHS-funded mental health services in England are required to provide a specified set of data (Minimum Data Set) to NHS Digital, who use this to create a picture of services delivered around the country to check that quality standards are similar everywhere. The data set includes NHS numbers, gender, age and ethnicity, but all reports published from this Personal Data are aggregated and contain no information that could reveal your identity.
  ‍
• Mayden House, provider of the iaptus patient management system, to store your health record, to enable streamlined sharing with your referring healthcare provider, for development and maintenance of this service, and to anonymise for research on aggregated data across providers. (Your therapy transcripts will NOT be stored by Mayden or shared with them).
  ‍
• An employment assistance service if available and you have consented (basic contact details, presenting problems, GP details and demographics).
  ‍
• We share minimum Personal Data with systems we use to process the Personal Data: your email address for automated emails, your case reference number if the case is discussed in supervision sessions, and your IP address. (See sections 5 ‘How we store your Personal Data’ and section 7 ‘Cookies and tracking’ below.)
  ‍

Outside the normal course of providing services

If we believe that care is required for a severe and enduring mental illness, we will discuss this with you and, with your consent, refer relevant personal data to a secondary care (psychiatry led care) provider.

We also share the minimum necessary information where required or entitled by law, legal process, or professional ethical or law enforcement reporting purposes. This may include notifying appropriate authorities, regulators or law enforcement agencies, or allowing them confidential access to specific information as part of an inspection or review, or to prevent fraud or cybercrime or any threats. This would include the sharing of specific information required by government and/ or contracts with our NHS payers (e.g., specific employment information for the Department of Work and Pensions). If these circumstances arise, we will inform you wherever possible.

If you self-refer to ieso from a region where ieso do not directly submit Minimum Data Set statistics to NHS Digital in England, and are unsuitable for our services, your Personal Data will be shared with the NHS healthcare provider who would have funded your treatment with us.

If you indicate to us on a questionnaire or in response to an email that you would be happy to share your experience of receiving therapy provided by ieso to raise awareness of our service or for therapist training purposes, or to participate in some user experience evaluations, we will use your contact details to give you more information and process your Personal Data further for this purpose if you subsequently give your consent, which would include wider sharing of your Personal Data as agreed with you.

If you agree to leave a review of our service on an external site, then the process will include giving a name, email address, star-rating, comment and optional photograph to the 3rd party site e.g., Trustpilot, who will then be the controller of this Personal Data. The third-party will not receive any Personal Data before your agreement.

In order to conduct research and development to improve treatment outcomes and help more people get treatment earlier, we sometimes partner with external researchers, e.g. university researchers or potential future commercial partners. When this happens, we ensure that the data is deidentified and that they will be unable to identify anyone personally. All partners also sign a legal agreement that any Personal Data they receive is kept confidential and secure.

Where you are accessing these services as part of a research project led by another organisation, you will have consented with them to share the relevant Personal Data back to them for their research. For the avoidance of doubt this will not include verbatim records of your therapy sessions.

We have internal procedures in place to safeguard your privacy, so that only the minimum necessary information is used to conduct research and development on the most de-identified data possible. We will always seek your permission before disclosing your personal identifiable information to another person or organisation for any other reason than those set out in these privacy notices, unless we have an overriding legal duty to so do (for example, in the prevention and/or detection of a crime).
‍
‍Sharing your Personal Data without your agreement
‍
The sharing of your Personal Data without your agreement is strictly controlled by law.

In exceptional situations we may need to share information (only the minimum necessary) without your permission if:

• A serious crime has been committed;
• Withholding information could endanger someone’s life;
• A child or vulnerable adult is at potential risk; or
• We are ordered to by a court of law.

In such circumstances, we would inform you wherever possible.
‍
Transferring Personal Data outside the UK/European Union, and holidays during treatment
‍
We seek where possible to prevent any transfers of your Personal Data to countries which have not been assessed as having adequate data protection standards.

The European Commission makes decisions on the adequacy of the protection of personal data in third countries and have decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and other listed territories without any further safeguards being necessary. Post UK departure from the EU, the UK has been granted adequacy by the EU, and the UK has accepted the European Commission’s adequacy decisions for the UK too, and also included Gibraltar.

If we transfer your Personal Data out of the EEA and the UK to a country not deemed by the relevant regulatory authority to provide an adequate level of personal information protection, the transfer will be performed (i) pursuant to the recipient’s compliance with standard contractual clauses (with additional technological and organisational controls as necessary or appropriate) or Binding Corporate Rules; (ii) pursuant to your consent; or (iii) as otherwise permitted by applicable data protection requirements.

You may contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the United Kingdom and the EEA.

‍We will not sell your Personal Data for direct marketing or other promotional purposes.

We place great importance on the security of personal identifiable information associated with our patients. We have put controls in place to safeguard the Personal Data that you provide, applying physical, technical and procedural measures against the loss, misuse and alteration of Personal Data under our control.
‍
All information submitted by you is encrypted in transit using best-practice Transport Layer Security (TLS) with at least 128-bit encryption. All clinical data is encrypted using the industry-standard AES-256 cipher and stored in Microsoft Azure, on secure servers in the UK, managed by ieso.

We have achieved the International Standard certification for information security (ISO 27001), Cyber Essentials Plus certification, and satisfy the requirements of the NHS Data Security and Protection Toolkit requirements.

Remember also that you are responsible for keeping your password secret at all times when accessing and using the Service.

ieso’s headquarters are in the United Kingdom (UK), and information about you submitted via the Services is stored securely in the UK/European Union and managed by ieso. Until our change of patient management system is complete, the storage will be hosted by Microsoft Azure; after a successful integration and migration stage, your patient file will be stored in the iaptus patient management system (used by over 200 NHS customers and vetted by ieso) which is hosted by Amazon Web Services (in the UK). We will continue to use Microsoft Azure for storage of our research and service evaluation data. Both software providers may access your data in specific, approved circumstances and we have Data Processor Agreements in place with Mayden House who develop and own iaptus, and Microsoft. As detailed in the Security section of this Privacy Notice, such information is stored in an encrypted state, both in transit and at rest.

We also use a small number of well-known SaaS (Software as a Service) providers to store smaller subsets of your Personal Data and enable the uses of the Personal Data as described in this privacy notice. We have Data Processor Agreements in place with each SaaS provider. Where possible these providers store the Personal Data in the UK or EEA. Where they are located outside the UK / EEA we ensure they are either party to an adequacy decision or have in place one of the additional safeguards necessary to make the transfer such as Binding Corporate Rules or Standard Contractual Clauses (with additional technological and organisational controls as necessary or appropriate) to uphold your legal data protection rights. 

We retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

‍In particular, we retain records in accordance with NHSX Records Management Code of Practice:
‍

• We retain your health records for 20 years post discharge. This can help you remember coping strategies, techniques or processes that you learnt in therapy. If you were to experience a setback between sessions or after you’ve completed treatment, you may find it useful to refer to the transcripts/ audio recordings of your therapy sessions and messages. It also supports our legal obligations to be accountable for your care.
  ‍
• We retain your health records for 2 years if your referral is not accepted, incomplete, or your account is not activated; or for 3 years where you may have received a triage or messaged your therapist but did not actually commence treatment.
  ‍
• We retain research records for up to 20 years.
  ‍

When we no longer require the Personal Data we have collected about you, we will either delete or anonymise it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymise your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

You can access specific details relating to your treatment through the Service online at any time directly through your account, these will therefore remain resources available to you after the conclusion of your treatment. These include messaging between you and your therapist between sessions, the sessions themselves, the ‘homework’ activities, questionnaires completed, and any goal setting activities. The sessions comprise a verbatim record of conversation between you and your therapist that are retained in the form of a transcript for text therapy or an audio file for video therapy. You can also update or amend some key registration and contact details directly through your account.

If you feel there is an error of fact on your health record held by us, you can contact us, or in respect of your wider medical record your referring healthcare service or GP. If we or they agree the information is incorrect, the alteration will be made. If we or they are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.

Data protection law also includes the right to data portability and to make other requests to seek to erase, object to and restrict Personal Data processing where certain limited grounds apply. Note however that Personal Data processed for health/treatment and legal purposes, or where other legitimate grounds for the processing apply, are examples of circumstances where some of these rights can be restricted or not apply in practice. Specifically, the right to erasure does not apply when processing is necessary for the provision of healthcare or the management of healthcare systems or service.

If you need assistance or have an enquiry about accessing, updating or amending your records, or where applicable, about receiving or transmitting a file of the Personal Data you have provided (for example to your GP) please contact us.

Our complaints procedure is available on the site, and there is a link to it here. If you remain unhappy with a response you receive, you can also refer the matter to the Information Commissioner's Office.

We use cookies or similar technologies such as device IDs and web beacons (collectively described here as 'cookies') to collect information about the access to and use of the Site and Service. These typically include a unique reference code that relates to, or is accessed from, a user's device and that enables that device to be remembered when next visiting the Site or using the Service and that sometimes track information about a user.
‍
We use cookies for the following reasons:
‍

• Secure login and navigation - we use necessary session cookies to help verify and authenticate your access to the Services and to let you smoothly navigate the Service and use its features.
  ‍
• Functionality - these cookies allow us to optimise the Service to you. For example, you can shut your browser but not be logged out, as long as an hour of inactivity does not pass, to enable you to complete questionnaires, ‘homework’ etc.
  ‍
• https://tools.google.com/dlpage/gaoptout
  ‍

Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the site or Service.
‍
You can also learn more about our use of cookies by visiting our cookies policy.

Our Services are not intended for use by anyone under 16 years old. Our contract with your healthcare provider determines the lower age limit for our Services. As standard it is 18, but specific contracts also include 16 and 17 year olds.

If you have any questions or comments about this privacy notice, please let us know:
‍
By email: privacy@iesohealth.com (or for technical support questions contact our technical support team: support@iesohealth.com)
‍
By telephone: on 0800 074 5560
‍
Or by post to: Ieso Digital Health, Jeffreys Building, Cowley Road, Cambridge, CB4 0DS

To reach our data protection officer please use the above details and mark your communication for the attention of: Helen Simpson
‍
In an emergency regarding your health please contact:
‍

• Your GP surgery or local A&E
• Your referring healthcare provider
• Urgent Care (for out of hours access to GP): 111
• The Samaritans 116 123 or jo@samaritans.org
• Emergency Services 999

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.