Data Privacy NoticeVersion 1 (June 2018)
The Wilbury Clinic is committed to the protection of the privacy of all who come into contact with us. Your personal data is really important to us and we understand how important it is to you. Our aim is to be as clear and open as possible about what we do with your personal data and why we do it.
- “Processing” means anything that we do with your personal data – obtaining it, holding it, using it, or passing it on. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
- “You” means you as an individual. You are known as the data subject within the context of the GDPR and UK data protection law.
- “We” means The Wilbury Clinic. The directors are the data controller as defined within the context of the General Data Protection Regulation (GDPR) and UK data protection law. This means we decide how your personal data is processed and for what purposes and are legally responsible for making sure your information is processed correctly and lawfully.
- “Data processors” are the organisation or individuals who handle your data, for example the Directors, our administrator or other members of The Wilbury Clinic team.
- “Third party” means any individual or organisation outside of The Wilbury Clinic.
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.
What personal data do we process?
We process different personal information depending on how you come into contact with us:
- When people sign up for our news email
- When clients come for a consultation (to be allocated to another therapist)
We will record information such as your name, age, occupation, medications and treatments, mental health history, previous counselling experience and other sensitive information which will help us to most accurately match you with an appropriate therapist. We will keep a record of which therapist you have been allocated to and what day and time you will meet with them. We will send you a feedback form to complete at the end of your therapy, however this is optional.
- When clients undertake therapy or supervision directly with us
We will record information such as your name, age, GP details, emergency contact information, medications and treatments, mental health history, previous counselling experience and other sensitive information. We also have an obligation to keep notes after every session.
- When therapists add their details to our website
We will collect your name, contact details and information about your training, qualifications, experience and approach.
- When therapists hire our rooms
We will collect your name, contact details and information about your training, qualifications, experience and approach. We will also process your insurance details and information about your supervisor.
- When therapists book or attend training
We will collect your name and contact details.
- When people carry out freelance work for our organisation
We will process your contact details and financial information such as bank details.
- When people access our website
Our website is a WordPress site which is run by Circular Cube https://circularcube.co.uk.
What do we use your personal data for?
We use your personal data for the following purposes:
- To administer our website;
- For client consultations;
- To seek client feedback;
- To deliver therapy services;
- To provide supervision;
- To maintain financial records, invoices and payments made;
- To provide a list of Therapists on our website;
- To create a contract with therapists hiring our rooms;
- To maintain a room bookings diary;
- To process workshop applications and attendees;
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time;
- To maintain our own accounts and records;
- To inform you of news, events, training and activities;
- To fundraise;
- For personal, administrative and management purposes and to enable us to meet our legal obligations (eg paying freelance employees);
- To seek your views or comments.
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
What is our lawful basis for using your information?
The lawful basis for processing your information falls under 6 main categories; under each we have given an example.
- For the performance of a contract
For therapists wishing to hire our rooms, we enter into a contract, in which we require certain personal information. If you don’t want to supply these details we would not be able to hire a room to you.
- For compliance with a legal obligation
We have a legal obligation to keep assessment and session notes for clients attending therapy or supervision. We also have a legal obligation to keep financial records for HMRC.
- To protect the vital interests of you or another person
If you are physically or legally incapable of giving consent, but we need to protect your vital interests, in an emergency, we may use your personal information. For example, if you are taken seriously unwell whilst at The Wilbury Clinic, we may pass on next of kin details or medical information to emergency services.
- In the exercise of official authority or in the public interest
For example, if we felt there was a safeguarding issue, we would be required by law to inform the appropriate authorities/bodies.
- On the basis of legitimate interest
For example, where you have registered for a workshop we will use your information to communicate with you about that training, both before the event, and in follow up after the event.
- On the basis of Consent
For most communications we will only process your information if you have given us explicit consent. For example,
- Where you have subscribed to the news email list and explicitly consented to receiving our emails. You can unsubscribe from this list at any time using the unsubscribe link in the footer of those periodic emails.
- Where you have explicitly consented for us to publish your Therapist details on The Wilbury Clinic website.
Special Category data (highly sensitive personal data such as mental health history, sexual orientation or ethnic origin) needs more protection. We will only process such data if it meets one of the above categories and one of the conditions below:
- the data subject has given explicit consent to the processing of their personal data for one or more specified purposes (for example in a client consultation)
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- processing relates to personal data which is manifestly made public by the data subject (for example when processing personal data on therapists who already publish this information on their own website or a public body listing)
How secure is your information?
The Wilbury Clinic complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Printed documents are stored securely in a locked filing cabinet and electronic files are kept encrypted. Highly sensitive documents, such as consultation reports, are coded so that they are anonymous. We will store all the personal information you provide for our website on secure password- and firewall-protected servers. However we must remind you that the transmission of information over the internet is inherently insecure and we cannot guarantee the security of data sent over the internet.
Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared outside The Wilbury Clinic if it is absolutely essential. In the following cases we will share information with others:
- If you come to see us for a consultation, we will complete an assessment form which will be kept electronically and passed to the therapist you are referred to.
- If you fill out the contact form on our website, our web developer will also be able to access this information.
We will only share your data with other third parties with your prior consent, or unless required to do so by law.
Transfer of Data Abroad
Whilst it is unlikely we will do so, any electronic personal data transferred outside the EU will be encrypted. We also require that those processing your data in countries outside of the EU, follow the requirements and responsibilities set out in this Privacy Notice. Our website is accessible from overseas so some personal data (eg a listing on the ‘’Therapists’ page) may be accessed from overseas.
How long do we keep your personal data?
We endeavour to maintain only data that is relevant, accurate and up to date. We have internal processes to periodically review the data we hold and delete data that is no longer relevant to our purpose for processing. We may keep some other records for an extended period of time and others permanently if we are required to do so. For example, we will keep contracts only until the contract ends but we will keep session notes for 7 years from the date therapy/supervision concluded (or from when the client turns 18) as per guidance from our legal and professional bodies.
Your rights and your personal data
You have the following rights with respect to your personal data:
- The right to access information we hold on you
- At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your subject access request and proof of your identity, we will respond within one month.
- There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.
- The right to correct and update the information we hold on you
- If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
- The right to have your information erased
- If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold.
- When we receive your request, we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests or regulatory purpose(s)).
- The right to object to processing of your data
- You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims.
- The right to data portability
- You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
- You can withdraw your consent easily by telephone, email, or by post (see Contact Details).
- The right to object to the processing of personal data where applicable.
- Where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
- The right to lodge a complaint with the Information Commissioner’s Office.
- If you feel we have used your information incorrectly or without lawful basis, or you dispute our lawful basis, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Please contact us if you wish to exercise any of these rights.
If you have any questions regarding how we process your data, or you would like to make a subject access request, please contact us in writing either by email firstname.lastname@example.org or by post: The Wilbury Clinic, 64 Wilbury Road, Hove, BN3 3PY.
We are registered with the Information Commissioners Office (registration number ZA153400). You can contact the ICO on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Changes to this notice
We keep this Privacy Notice under regular review and we will place any updates on our website: www.thewilburyclinic.co.uk