Privacy Policy

We do not sell personal information to anyone. We don’t share personal information with any third parties unless they are providing services to us under contract or disclosure is permitted by, or required by, law.

Your information is kept confidential within APS at all times and is only shared with staff when they need it to carry out their job. All staff are required to work to strict professional and contractual codes of confidentiality and where appropriate we will anonymise information so that individuals cannot be identified.

As a general rule we do not share your information; however, there are some exceptions (outlined below). For example, if we become aware of your intent to cause harm to yourself or another person, the law may require that we inform an authority without seeking your permission.

Clients/Claimants (Therapy or self-funded assessment)
In most circumstances, we will not disclose personal data without consent.

Your information may be shared with outside organisations if they are directly involved in your care/case, for instance, your insurer if they are funding your treatment, your GP, or others involved in your care. We will discuss with you who we would discuss your care with, and what details we would share with them.

There are a number of circumstances where this confidentiality may not be possible or may not apply, for example where your health, safety, security or welfare, or that of someone else, may otherwise be put at risk, or where there are legal or safeguarding responsibilities. If your health is in jeopardy, we may share your contact information with an emergency healthcare service (e.g. Mental Health Crisis Team, your GP). If we believe someone else is at risk, we will inform the appropriate service (the Police, social services, GP).

You will have been informed at the beginning of your treatment about the limits of confidentiality. If confidentiality is broken without your consent, we will endeavour to tell you what has been said and to whom, unless such disclosure may expose you or others to serious harm or is contrary to legal or safeguarding obligations.

When we investigate a complaint, we may need to share personal information with other relevant bodies (such as the HCPC, or the ICO).

If we do need to share your information, we will seek your permission for this. We may not be able to ask your permission under some circumstances e.g. where we are legally bound.

Claimants (Court Reports)
We share personal data internally strictly on a need to know basis.

We do not share personal data with anyone external to the organisation, other than with:

    • Those who have instructed us as an expert witness
    • Outsourced service providers such as photocopying companies and digital dictation services, pursuant to GDPR compliant written contracts
    • Others pursuant to a court order

Who are we and what do we do?

Applied Psychology Solutions (APS) is a company offering clinical psychology support services (specialising in court related work). APS provides expert witness services, psychological therapy and assessment services, and training. APS formed in 2012.

Our ICO registration number is Z1743521.

Please contact our Data Protection Lead, Paul Newns, at information.security@apsy.co.uk with any questions or requests about the personal information we process.

Or write to us at:
Applied Psychology Solutions Ltd.
9 Hills Road
Cambridge
Cambridgeshire
CB2 1GE

Scope

This policy explains how we use any personal information we collect about you as a past, present or future employee, contractor or affiliate, as a client or claimant, or when you use our website.

This privacy policy contains all information that we are obliged to provide data subjects in accordance with articles 13 & 14 of the General Data Protection Regulation (GDPR). It provides information about the personal information we process and our compliance with the GDPR and the Data Protection Act 2018 (DPA).

Definitions

Here are definitions of terms we use throughout this policy.

Data protection lead: this person is responsible for ensuring compliance with policies and procedures on data protection, for providing any staff training, for conducting audits, risk assessments and data protection impact assessments, for responding to requests from data subjects and dealing with data breaches. He or she also handles queries and complaints from data subjects about the processing of their data, including from any members of staff.

The name of the data protection lead at APS is Paul Newns.

Data subject: an individual whose personal data is processed. In this policy we also refer to:

Claimant: refers to individuals who are pursuing a legal claim. For example, we will assess a claimant for the purpose of generating a court report.

Affiliate: refers to a clinical psychologist who has retained APS to provide support services.

Instructing party: refers to the agency or legal representative instructing an affiliate to write a court report.

Client: refers to an individual being treated by an affiliate.

Personal data: any information from which a living individual can be identified, either directly or indirectly. It is not limited to names and identification numbers, or to photographs or addresses.

Special category data: information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, health information and data in relation to a person’s sex life or sexual orientation.

Processing: covers any activity involving personal data, including holding, storage and destruction. The Information Commissioner says it is difficult to imagine an activity involving personal data that does not fall within the definition.

Data controller: decides the why and the how of personal data processing. A controller can be a sole trader, a partnership, a private or public limited company or a large multi-national organization. It decides why it needs to collect personal data and how to process it.

As a regulated profession APS considers that it is the data controller for personal data provided by instructing parties for the purpose of providing clinical support services.

Applied Psychology Solutions Ltd is the data controller for the purposes of this policy.

Data processor: processes personal data in accordance with the written instructions of the data controller.

Legitimising conditions: The processing of personal data is unlawful unless a legitimising condition, or lawful basis, applies.

Why do we handle personal information?

Under data protection legislation, APS is only allowed to use personal information if we have a proper reason or ‘legal basis’ to do so.

We may collect information about you because you are a client of ours. You may be an affiliate, employee or contractor. You might be a claimant who is part of a legal or litigation claim.

We process the data because it is in our legitimate interests as a support service to do so. We need to see and analyse documents containing this information in order to provide our expert advice, to carry out an assessment or to deliver psychological intervention.

We also process claimant data for legal purposes; in these cases this will include processing special category data (health information). This is likely to apply if you are being assessed as part of a litigation claim.

We also process client data, including special category data, for the purposes of the provision of health or social care or treatment.

If you are an employee, contractor or affiliate of APS we will process your personal data for the performance of the contract we have with you.

Do we share personal information?

How do we protect your personal information?

Your privacy is very important to us, and we take all necessary measures to ensure personal information is properly protected and secured. This includes having appropriate technical and organisational arrangements to secure personal information. For more details on our security arrangements please see our Security Policy.

This data protection policy is designed to ensure that the rights to privacy of individuals are protected. Through its writing and review, we have examined our practices and ensured we are doing everything we can to safeguard your privacy. APS is committed to upholding, and where possible exceeding, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

We also protect your personal information through the following principles:

Accountability
This principle is designed to ensure that data protection is embedded in an organisation at all levels of decision making and becomes fundamental to its culture. Not only must APS comply with the GDPR but it must be able to show it complies. It is for this reason that this policy and related policies have been written.

Data protection by design
This is an aspect of the accountability principle. It means that data protection risks are evaluated and eradicated or reduced at the very earliest stage, whenever there is a significant change in processes or procedures which entails a risk to data subjects. Examples include a substantial upgrade to an IT system, or outsourcing such as engaging a new cloud provider. Data Protection Impact Assessments are carried out by the data protection lead in these and other circumstances where there is likely to be a risk to data subjects.

Data protection by default: minimisation
Another important principle is data minimisation. In other words, no more data should be collected, shared and stored than is strictly necessary.

What personal information do we hold?

The personal information we hold about you may include personal or sensitive information, such as:

Contact information, such as:

    • First name or given name
    • Family name or surname
    • Address
    • Telephone/SMS number
    • Email address
    • Telephone numbers

Demographic information, such as:

    • Date of birth
    • Gender
    • Date of Birth and age
    • Relationships & children
    • Occupation

We process this data to provide support services, employment or training. We have a legitimate interest in processing this personal data for the purposes of handling contact effectively. For example, to make sure that you are assessed and/or treated safely and appropriately, we record your personal information, such as your name and address, as well as all contacts you have with APS, such as appointments, the results of assessments and letters relating to your care/assessment.

We also process personal data pursuant to our legitimate interests and the performance of a contract to provide services, such as:

    • Invoices and receipts
    • Accounts, VAT and tax returns

Clients (Therapy or self-funded assessment)

When you are a client of APS we record all your treatment and details of your appointment so that your clinician can plan your treatment correctly. In addition to the personal information above, we may also collect information regarding:

    • Medical conditions
    • Prescribed medication
    • Psychological history and current difficulties
    • Offences (including alleged offences)
    • Financial information, including bank account details

We may collect some of this information from your insurance company if you have one, and some of this information will be collected directly from you.

We process this data to provide support/therapeutic services. We have a legitimate interest to process this personal data to provide treatment at a client’s request and to comply with legal obligations to retain information on treatment.

Claimants undertaking Court Reports

In the case of a court report, we retain the information as required by the courts or your solicitor.

In addition to the personal information above, we may also collect information regarding:

    • Medical conditions
    • Prescribed medication
    • Psychological history and current difficulties
    • Offences (including alleged offences)

We may be given some of this information by your solicitor or the party instructing us for the purposes of litigation, and some of this information will be collected directly from you.

In many cases, an individual has consented to the transfer of their personal data to us. Where an individual has consented, he or she may easily withdraw it by notifying the data protection lead.

We process this data to provide support services. We have a legitimate interest to process this personal data in the performance of a contract and to carry out legal process.

Job applicants, current and former APS employees and affiliates

When you apply to work at APS, we will only use the information you supply to us to process your application and to monitor recruitment statistics. Data that we collect about you, in addition to the above, may include:

    • Pay and bank details, payslips
    • Curricula vitae, contracts of employment, references and appraisals
    • Health information

We process this data as it is necessary for carrying out obligations and exercising rights connected to employment.

Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service, we will not do so without informing you beforehand unless the disclosure is required by law.

Training events

When registering your interest in a training event run by APS, we will only use the information you supply to us to process your registration, to send you further information in relation to the event, and to monitor attendance statistics. Data that we collect about you, in addition to the above, may include:

    • Payment / bank details
    • Your qualifications

We process this data to provide training services. We have a legitimate interest to process this personal data to provide our services.

Web access collection of information

We may collect information about you when you register with us or place any order for services. We also collect information when you voluntarily complete contact forms.

APS does not utilise cookies or tracking mechanisms on its website.

How do we obtain and use personal information?

The personal information we hold comes from the following places:

    • Letters of instruction from instructing parties
    • Information provided by the claimant or client in the form of questionnaires
    • Information provided by the claimant or client at assessment
    • Medical reports and records provided through the instructing party
    • Information provided by legal representatives for the claimant
    • Information provided by the affiliate in setting up an agreement with APS
    • Information provided by those registering for training events
    • Recruitment application and the supporting information included with it
    • Pre-employment checks, vetting and references from external parties
    • Information provided when starting employment (such as emergency contacts and bank account information)
    • Information created or received, by APS during the course of employment, such as performance or pay reviews, disciplinary records or occupational health information

Our data processing activities include, but are not limited to:

    • Compiling expert reports
    • Verifying identity (taking copies of identity documents)
    • Correspondence including invoicing
    • Filing receipts of payment
    • Uploading documents to 3rd party platforms (cloud)
    • Engaging with other 3rd party service providers
    • Creating and updating records in a customer relationship management (CRM) system
    • Employing and paying staff
    • Co-ordinating training events
    • Archiving and destroying data

How long do we hold information for?

We will hold different data for different lengths of time.

Information collected for the purpose of financial transactions will be held for 7 years.

    • To comply with financial regulations

Information collected for recruitment is held for 12 months unless the candidate is successful whereupon it will form part of the employment record (see below).

    • To respond to correspondence, concerns or complaints

Information collected for employment purposes will be held for the duration of employment and then for a further 7 years.

    • To respond to correspondence, concerns or complaints
    • To maintain records according to rules that apply to us (e.g. employment law, or financial regulations)
    • To establish and defend any legal rights

Information collected for the purposes of writing court reports will be held for the duration of the case or for 8 years.

    • To respond to correspondence, concerns or complaints
    • To maintain records according to rules that apply to us (E.g. financial regulations, legal process)
    • To establish and defend any legal rights

Information collected for the purposes of running training events will be held with consent for marketing purposes; otherwise it will be deleted after 7 years.

How do we secure personal information?

APS has taken physical, organisational and technical measures to ensure that personal data is secure. Hard copy, as well as electronic data, is processed in accordance with APS’s security policy.

This security policy follows these principles:

    • Information is stored securely (both physical and virtual)
    • Information is protected against theft, loss or damage
    • Staff are trained and made aware of security procedures
    • Failure to follow security procedures is a disciplinary matter
    • Security processes are reviewed regularly

Data Protection Risk Management

In addition to our security measures, we monitor risk to data and carry out periodic audits, risk assessments and Data Protection Impact Assessments.

All personal data breaches, however minor, will be reviewed with a risk management approach to avoid future breaches.

Data Breaches

When there is a personal data breach, the ICO advises:

Tell it all. Tell it fast. Tell the truth.

Data breaches should be notified to the data protection lead as soon as possible.

Contacting the data protection officer

The data protection officer is Paul Newns.

The data protection officer should be telephoned where there is a data breach or near miss. However, if the data protection officer is unavailable, the clinical director should be contacted; if the clinical director is unavailable, the finance director should be contacted.

If all directors are planning to be absent at the same time an “on call data protection lead” shall be nominated to cover the period of absence.

In the event of a data breach, the data protection lead will:

    1. Investigate the breach – evaluate what the breach is and how it occurred, and the associated risk to data subjects and APS. A thorough investigation and corrective action are necessary so as to reduce the risks to data subjects arising out of any breach, and to make sure that something similar does not happen again in future.
    2. Record the breach – The breach, investigation and corrective actions must be documented. So, too, should the report made to the ICO.
    3. Notify cybersecurity insurers as necessary – Where a breach of Applied Psychology Solutions’ computer systems is suspected, the data protection lead will wish to engage the support of Applied Psychology Solutions’ IT provider in order to identify the nature of any breach of Applied Psychology Solutions’ computer systems. Applied Psychology Solutions has obtained cybersecurity insurance and any IT related breaches must be reported to insurers immediately. They may provide affected data subjects with free access to security measures to protect their identity.
    4. Notify the Information Commissioner as necessary – If there is a risk to data subjects, the breach must be reported to the Information Commissioner’s Office within 72 hours. If the report is late, an explanation must be given as to why. This must include a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again. The ICO will want to know how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in future. The initial report need contain no more than a summary of the position. The data protection lead or Applied Psychology Solutions may wish to seek authority to obtain legal advice before submitting the initial and any subsequent reports.
    5. Notify the police as necessary – The theft of data, whether as a result of shortcomings in the physical security arrangements on the premises, or the hacking and penetration of computer systems, or theft by a member of staff, should be reported immediately to the police.
    6. Notify the data subjects – Where the risk to data subjects is high, the breach must be reported to them individually if at all possible. If that is not possible, wider communication should be considered, e.g. a notification on the APS website.

Investigation

It is crucial that all data breaches and near misses are thoroughly investigated and discussed at the next management team meeting and action taken to mitigate future risks.

It is natural for a person to want to absolve themselves of responsibility for any errors; however, it is important that the investigation fully understands what happened, not to apportion blame but rather to identify systemic ways that we can lessen the risk of further breaches. It is important that the investigator bears in mind that those responsible may be feeling defensive and frightened, and care should be taken to ensure full co-operation. However, where policy or procedure has not been followed and this has led to a breach, disciplinary action should be considered.

Amending policy

We recognise that policy and procedure will need to be amended from time to time to reflect learning.

Do we do any automatic processing and profiling?

Under data protection legislation we have to let you know when we use your personal information to do something ‘automatically’ using our computers or other systems, or use it to make an automated decision (without human intervention) that significantly affects you.

APS does not make any decisions based solely on the use of automated systems, databases or computer applications.

Is there any overseas processing of data?

APS and its service providers may process your personal information in countries both within, and outside, the European Economic Area (EEA). Our preference is to keep data within the EEA.

Any overseas data processing will be carried out in strict accordance with UK and EU privacy and data protection legislation and the appropriate contractual safeguards which APS has put in place.

What are your information rights?

We are committed to protecting your rights to privacy. They include:

    • Right to be informed about what we do with your personal data
    • Right to have a copy of all the personal information we process about you
    • Right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete
    • Right to be forgotten and your personal data destroyed
    • Right to restrict the processing of your personal data
    • Right to object to the processing we carry out based on our legitimate interest

APS tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under GDPR and DPA.

In many cases, an individual has consented to the transfer of their personal data to us. Where an individual has consented, he or she may easily withdraw it by notifying the data protection lead.

You may ask us to correct or remove information you think is inaccurate.

How do you request access to your data?

You may request access to your personal data in any way you like; requests may be made in writing or verbally, but must be made to a member of staff. However, to assist with the identification of and swift response to a request, we ask that subject access requests are made to our data protection lead.

The data protection lead will manage requests. APS will acknowledge requests within 3 working days.

APS has 30 days to respond to the request. The period may be extended by a further two months if the request is complex. In these circumstances, the data subject must be informed within one month that more time is needed and given the reason why.

APS may seek further clarification on the data requested where this is unclear or ambiguous.

APS will seek to confirm the identity of the person making the request; in such cases the response time is 30 days from receipt of proof of identity.

APS will conduct a search of relevant files, including email, shared, digital and physical file storage.

Claimants involved in litigation

If your concern is related to a case with a solicitor that we are working for, please refer the queries through them. We may not be able to comply with a request to correct information we hold about you where it pertains to a litigation claim – this would need to be discussed with your solicitor.

Complaints or Queries

APS tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. If you do have a complaint, contact the Data Protection Lead who will investigate the matter on your behalf.

If you are not satisfied with the response from APS, or believe we are not processing your personal data in accordance with the law, you have the right to raise your complaint with the Information Commissioner’s Office (ICO).

ICO contact information:
Website: https://ico.org.uk/concerns/
Email: casework@ico.org.uk
Telephone: +44 (0) 303 123 1113