Sutton Psychology customer privacy notice
This privacy notice tells you what to expect us to do with your personal information.
- Contact details
- What information we collect, use, and why
- Lawful bases and data protection rights
- Where we get personal information from
- How long we keep information
- Who we share information with
- How to complain
Contact details
Telephone
07772866883
What information we collect, use, and why
We collect or use the following information to provide patient care, services, pharmaceutical products and other goods:
- Name, address and contact details
- Gender
- Pronoun preferences
- Date of birth
- Next of Kin details including any support networks
- Emergency contact details
- Health information (including medical conditions, allergies, medical requirements and medical history)
- Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions)
- Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)
- Payment details (including card or bank information for transfers and direct debits)
- Insurance policy details
- Records of meetings and decisions
We collect or use the following information for safeguarding or public protection reasons:
- Name, address and contact details
- Emergency contact details
- Health information (including medical conditions, allergies, medical requirements and medical history)
- Information about care needs (including disabilities, home conditions, dietary requirements and general care provisions)
- Relevant information from previous investigations
- Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)
- Records of meetings and decisions
We collect or use the following personal information to comply with legal requirements:
- Name
- Contact information
- Safeguarding information
We collect or use the following personal information for information updates, marketing or market research purposes:
- Names and contact details
- Addresses
- Marketing preferences
- Website and app user journey information
- IP addresses
- Personal information used for administration of the research
- Personal information used for the purpose of research
- Records of consent, where appropriate
- Information relating to the national data opt-out
We collect or use the following personal information for dealing with queries, complaints or claims:
- Names and contact details
- Addresses
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
- Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
- Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
- Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
- Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
- Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
- Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide patient care, services, pharmaceutical products and other goods are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legitimate interests - we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Sutton Psychology collects and processes personal information to provide psychological therapy services and digital educational products. This is necessary for the following reasons: For therapy services, we collect personal information (name, contact details, GP details, and relevant health information) to assess suitability for therapy, provide safe and effective psychological treatment, maintain clinical records as required by our regulatory body (HCPC), communicate with clients about appointments, manage invoicing and payment, and liaise with insurance providers (BUPA, AXA, WPA) where applicable. Processing this information is essential to deliver a safe, personalised, and clinically appropriate therapy service. Without it, we would be unable to assess, treat, or maintain appropriate duty of care to our clients. For digital products, we collect personal information (name, email address, and payment details) to deliver purchased courses and resources, send transactional emails related to purchases, and send marketing communications where consent has been given. This processing is necessary to fulfil our contractual obligations when someone purchases or signs up for a product. The benefits of this processing include enabling individuals to access psychological support and educational resources that can improve their emotional wellbeing and quality of life. We minimise risk to individuals by collecting only the information that is necessary, storing data securely, limiting access to authorised personnel only, and never sharing personal data with third parties for marketing purposes. Individuals can request access to, correction of, or deletion of their data at any time.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
- Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.
Our lawful bases for collecting or using personal information for safeguarding or public protection reasons are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- As a HCPC-registered psychologist, Dr Nicola Sutton has a professional and legal duty to safeguard clients and protect the public from serious harm. In rare and exceptional circumstances, it may be necessary to process and share personal information without consent for safeguarding or public protection purposes. This may include situations where there is a risk of serious harm to the client or to others, concerns about the safety or welfare of a child or vulnerable adult, a legal obligation to share information with statutory agencies such as social services, police, or the courts, or a requirement from our regulatory body (HCPC) in connection with fitness to practise proceedings. In these circumstances, we will only share the minimum information necessary and only with the relevant authority or professional body. We will always aim to discuss any disclosure with the client first, unless doing so would increase the risk of harm. The benefits of this processing are the protection of life, prevention of serious harm, and fulfilment of our legal and professional obligations. While we recognise that sharing information without consent has a significant impact on the individual concerned, these disclosures are only made where the risk of not sharing the information is greater than the impact of sharing it. This approach is consistent with HCPC standards of conduct, performance and ethics, and with relevant safeguarding legislation.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
- Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.
Our lawful bases for collecting or using personal information to comply with legal requirements are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Sutton Psychology is required by law to collect, process, and retain certain personal information to comply with legal and regulatory obligations. These include: Regulatory requirements as set by the Health and Care Professions Council (HCPC), which requires registered psychologists to maintain accurate and up-to-date clinical records for all therapy clients. This includes records of assessments, treatment plans, session notes, and outcomes. These records must be retained for a minimum period as specified by professional guidelines. Tax and financial obligations under HMRC requirements, which require us to retain records of financial transactions including invoices, payments, and insurance claims for a minimum period as required by law. Insurance provider requirements from BUPA, AXA, and WPA, which may require us to share relevant client information to process claims and authorise treatment. This is limited to the information necessary to administer the insurance claim. Data protection legislation under UK GDPR and the Data Protection Act 2018, which requires us to maintain records of our data processing activities, respond to subject access requests, and report data breaches where required. Legal proceedings or court orders, which may require disclosure of personal information in connection with legal claims, complaints, or regulatory investigations. The benefits of this processing are compliance with the law, protection of both the client and the practitioner, and the maintenance of professional standards. We minimise the impact on individuals by only collecting and retaining information that is legally required, storing it securely, restricting access to authorised personnel, and deleting it when the legal retention period has expired. Individuals are informed about what data is held and can exercise their rights under UK GDPR at any time.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
- Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.
Our lawful bases for collecting or using personal information for information updates, marketing or market research purposes are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Sutton Psychology collects and processes personal information for the purpose of sending information updates, marketing communications, and gathering feedback to improve our services and products. For email marketing, we collect names and email addresses when individuals voluntarily sign up for our mailing list, register for a free resource such as the 7-Day Yell Less Reset challenge, or purchase a digital product. This information is used to send educational content, updates about new products and services, and promotional offers that are relevant to the individual’s interests. All marketing communications are sent with the individual’s consent, and they can unsubscribe at any time via the link provided in every email. For transactional communications, we use contact details to send emails directly related to a purchase or sign-up, such as course access details, challenge emails, and order confirmations. These are necessary to fulfil our contractual obligations and are not considered marketing. For feedback and improvement, we may occasionally ask clients and customers for feedback on their experience of our services or products. Participation is always voluntary and responses are used solely to improve what we offer. The benefits of this processing include keeping individuals informed about resources and support that may be helpful to them, improving the quality and relevance of our products and services, and building a community of support around emotional wellbeing and parenting. We minimise the impact on individuals by only sending communications to those who have given consent, making it simple to unsubscribe at any time, never sharing personal data with third parties for their marketing purposes, and never selling personal data to any third party.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Sutton Psychology collects and processes personal information to respond to queries, manage complaints, and handle any claims that may arise in connection with our therapy services or digital products. For queries, we collect names, email addresses, phone numbers, and any details the individual chooses to share when they contact us via our enquiry form, email, phone, or social media. This information is used to understand their query and respond appropriately, whether that is providing information about our services, answering questions about a product, or directing them to the right support. For complaints, we may need to collect and retain personal information relating to the nature of the complaint, the individuals involved, and any communications exchanged during the complaints process. This is necessary to investigate the complaint thoroughly, respond fairly, and meet our professional obligations under HCPC standards. Records of complaints are retained in line with our regulatory and legal requirements. For claims, in the event of a legal claim, insurance claim, or regulatory investigation, we may need to process and retain personal information relevant to the matter. This may include sharing information with our professional indemnity insurer, legal advisors, or the HCPC where required. The benefits of this processing include ensuring that individuals receive timely and helpful responses to their queries, that complaints are handled fairly and transparently, and that any claims are managed appropriately to protect both the individual and the practitioner. We minimise the impact on individuals by only collecting information relevant to the query, complaint, or claim, storing it securely, restricting access to authorised personnel, and retaining it only for as long as is necessary or legally required.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
- Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.
Where we get personal information from
- Directly from you
- Insurance companies
How long we keep information
Sutton Psychology retains personal data for different periods depending on the type of data and the purpose for which it was collected. Clinical therapy records for adult clients are retained for a minimum of 7 years after the last contact, in line with British Psychological Society and HCPC guidance. Where therapy has involved a minor, records are retained until the individual's 25th birthday or 7 years after last contact, whichever is longer. Financial and tax records are retained for a minimum of 6 years as required by HMRC. Records relating to insurance providers are retained for the duration required by the provider or 7 years after the last session, whichever is longer. Records relating to complaints or claims are retained for 10 years from the date of resolution. Digital product customer data is retained for as long as the individual has an active account or subscription, and is deleted within 30 days of an unsubscribe request or deletion request, unless there is a legal obligation to retain it. Marketing and mailing list data is retained until the individual unsubscribes or requests deletion, and is deleted within 30 days of that request. Enquiry form data that does not lead to a therapeutic or commercial relationship is deleted within 12 months. When the relevant retention period expires, personal data is securely deleted or anonymised.
For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.
Who we share information with
Others we share personal information with
- Insurance companies, brokers and other intermediaries
- Organisations we need to share information with for safeguarding reasons
- Professional advisors
- Organisations we’re legally obliged to share personal information with
Duty of confidentiality
We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:
- you’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);
- we have a legal requirement (including court orders) to collect, share or use the data;
- on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
- If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or
- If in Scotland – we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint