The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union that comes into effect from 25 May 2018. This document explains how Inner Citadel Ltd uses any personal information they collect about you, as a past, present or future service user (client or patient) or when using the website www.icinstitute.co.uk.
Inner Citadel Ltd is the data controller for www.icinstitute.co.uk.
Associate staff (psychologists and other therapists) who might take on referrals and work for Inner Citadel Ltd will be additional data controllers for the clients they work with.
Inner Citadel Ltd is committed to protecting your rights to privacy. They include:
right to be informed about what we do with your personal data;
right to have a copy of all the personal information we process about you;
right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete;
right to be forgotten and your personal data destroyed;
right to restrict the processing of your personal data;
right to object to the processing we carry out based on our legitimate interest.
REASONS FOR COLLECTING AND PROCESSING INFORMATION ABOUT YOU
Inner Citadel Ltd may collect information about you because you are a patient or client of hers. She processes the data because it is in her legitimate interests as a clinical psychologist to do so. As a psychologist, she needs to see and analyse documents containing this information to provide her expert advice, to carry out an assessment or to deliver psychological intervention.
Another lawful reason for her processing your data may be Legal Obligation. If Inner Citadel Ltd is processing special category data about you, this is her second lawful reason to do so. This is likely to apply with regard to a litigation claim.
If you are a client or patient of Inner Citadel Ltd, its lawful reason for processing special category data is that it is necessary for the purposes of the provision of health or social care or treatment.
WHAT TYPE OF PERSONAL DATA IS COLLECTED AND PROCESSED
Inner Citadel Ltd collects information about you that may include personal or sensitive information, such as:
Personal information: name or given name, family name or surname, address, telephone numbers, date of birth, gender (or preferred identity), age, relationships and children, occupation, telephone/SMS number, email address, video conference ID (if online therapy), GP contact details, school details (for children);
Sensitive information: medical conditions (if relevant), prescribed medication, psychological history and current difficulties, sexuality, financial information, including bank account details (if you are a private patient);
Sensitive personal data: signed therapy client agreement, therapy records (therapist notes, letters, reports and/or outcome measures).
To make sure that you are assessed and/or treated safely and appropriately, Inner Citadel Ltd records your personal information, as well as all contacts you have with her such as appointments and the results of assessments and letters relating to your care/report.
Inner Citadel Ltd will also process personal data pursuant to her legitimate interests in running her business such as invoices and receipts, accounts, VAT and tax returns.
WEB ACCESS COLLECTION OF INFORMATION
When you complete an online contact form Inner Citadel Ltd will collect information about you and your internet protocol (IP) address. This is automatically supplied by the website software used to offer the form. Inner Citadel Ltd always tries to minimise the amount of personal information that she requires to provide a specific service or feature. All web services used by Inner Citadel Ltd are GDPR compliant.
HOW YOUR PERSONAL INFORMATION IS STORED
Inner Citadel Ltd takes your privacy very seriously. She is committed to taking all reasonable steps to protect any individual identifying information that you provide to her. Once we receive your data, she makes best efforts to ensure its security on our systems. All personal information provided is stored in compliance with the EU General Data Protection Regulation rules.
HOW LONG YOUR PERSONAL INFORMATION IS STORED FOR
Inner Citadel Ltd does not keep your data for longer than is necessary. Basic contact information held on a therapist’s mobile phone is deleted within 6 months of the end of therapy and the sensitive personal data defined above is stored for a period of 7 years after the end of therapy. After this time, this data is deleted at the end of each calendar year.
Administrative data is retained for up to six years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible.
WHAT WE DO WITH YOUR PERSONAL INFORMATION
Inner Citadel Ltd takes your privacy seriously. We will only use your personal information to provide the services you have requested from us. If you do not provide the personal information requested, then we may be unable to provide a therapy service to you.
HOW YOUR PERSONAL INFORMATION IS USED
Inner Citadel Ltd uses the information we collect to provide our services to you, process payment for such services and send you information.
WHO WE MIGHT SHARE PERSONAL INFORMATION WITH
Inner Citadel Ltd holds information about her clients and the therapy they receive in confidence. However, in some circumstances she may need to share information and liaise with other parties, as outlined below:
If you are referred by your health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation for the purposes of billing. She may also share information with that organisation to provide treatment updates.
In cases where treatment has been instructed by a solicitor or a rehabilitation agency, relevant clinical information from therapy records will be shared with legal services as required and with your written consent.
In exceptional circumstances, she might need to share personal information with relevant authorities:
When there is need-to-know information for another health provider, such as your GP.
When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
When the information concerns risk of harm to the client, or risk of harm to another adult or a child. She will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or to someone else.
WHAT WE WILL NOT DO WITH YOUR PERSONAL INFORMATION
We will not share your personal information with third-parties for marketing purposes.
HOW WE ENSURE THE SECURITY OF PERSONAL INFORMATION
Personal information is minimised in phone and email communication. Sensitive personal data will be sent to clients in an email attachment that is password protected. Email applications use private (SSL) settings, which encrypt email traffic so that it cannot be read at any point between our computing devices and our mail server. Inner Citadel Ltd will never use open or unsecured Wi-Fi networks to send any personal data.
Personal information is also stored on file and on an office computer owned by Inner Citadel Ltd. These are locked in a secure location and password protected. Malware and antivirus protection is installed on all computing devices. Mobile devices are protected with a passcode/thumbprint scanner, mobile security and antivirus software.
YOUR RIGHT TO ACCESS THE PERSONAL INFORMATION WE HOLD ABOUT YOU
You have a right to access the information we hold about you.
This will usually be shared with you within 30 days of receiving a request.
There may be an admin fee for supplying the information to you.
Further evidence from you to check your identity might be requested.
A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy).
You have a right to get your personal information corrected if it is inaccurate.
You can complain to a regulator. If you think that Inner Citadel Ltd has not complied with data protection laws, you have a right to lodge a complaint with the Information Commissioner’s Office (ICO).
Inner Citadel Ltd reserves the right to refuse a request to delete a client’s personal information where this consists of therapy records. Therapy records are retained for a period of 7 years in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000) and The Health and Care Professions Council (HCPC; 2017).
Inner Citadel Ltd’s ICO registration number is C1158494.
More information can be found at the following weblink: ico.org.uk