Data Protection and Privacy Policy



1)       Purpose


The purpose of this policy is to ensure that everyone conducts their business practices in a manner compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and their principles, so that all Personal Data is suitably protected, secure, accurate and up to date at all times and is only used in a manner for which it was intended.


The objective of this policy is to protect the rights of individuals with regard to the personal information known and held about them by us in the course of therapeutic practices, and to ensure that every task and process carried out by us is compliant with relevant Data Protection laws.


Our aim is to ensure that staff are aware of the guiding principles behind the protection of Personal Data, which are:


  • Confidentiality – Personal Data will be handled with due regard to its sensitivity, and appropriate security measures will be put in place to maintain its confidentiality.
  • Integrity – The Personal Data held by Philippa Weitz Training Ltd. is up to date, accurate and can be relied upon.
  • Availability – Personal Data will be available to the Data Subject when they require the information.

This policy is therefore in place to ensure regulatory and legal compliance at all times with regard to handling and processing Personal Data.


2)       Our Data Protection Policy

 

Philippa Weitz Training Limited, trading as Harley Street Online Therapy Centre, is classed as a Data Controller under the General Data Protection Regulation (GDPR). Ensuring that appropriate controls are in place, irrespective of classification, is of critical importance to us.


This policy confirms our commitment to protect the privacy of Personal Data of our customers, clients, employees and other interested parties. Philippa Weitz Training Ltd. have engaged in a programme of Information Security Management which is aligned to industry best practice to ensure that the processing of personal information is conducted using pragmatic processes.


 

3)       Basic Principles Regarding Personal Data Processing


GDPR sets out six guiding principles, in Article 5(1), which outline the responsibilities of organisations handling Personal Data. Article 5(2) adds that the Controller shall be responsible for, and be able to demonstrate, compliance with them; this is known as the ‘Principle of Accountability’. The six principles state that Personal Data must be:

a.          Lawfulness, Fairness and Transparency

            Processed lawfully, fairly and in a transparent manner in relation to individuals.

b.          Purpose Limitation

            Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

c.          Data Minimisation

            Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d.          Accuracy

            Accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e.          Storage Limitation

            Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals.

f.          Integrity and Confidentiality

            Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


4)       Data Processing


a.          Transmitting Personal Data

             Where Personal Data is to be transmitted (either electronically or in hard copy), staff are required to ensure that any such data is secured using appropriate measures (e.g. encryption or password protection for electronic transmissions, or secure couriers for hard copy).

             Personal Data will only be transmitted in accordance with best practice and the processes noted as part of the ISMS.

             Personal Data is only transmitted to a person authorised to receive it, in compliance with these Data Protection principles.

b.           Storing Personal Data

             Personal Data in hard copy (e.g. paper medical records, copy passports etc.) is retained only for as long as is essential to the account and/or customer, employee or other interested party that it refers to.

             Personal Data in hard copy or electronic formats will be stored in accordance with best practice and in line with processes which are part of a broader Information Security Management System (ISMS).

             The management of Personal Data is controlled through the ISMS, and Philippa Weitz Training Ltd. have committed to ongoing audit and review of the policies, processes and practices associated with holding information in all its forms.

c.           Breaches of Personal Data

             If any breach of Personal Data, or of the Data Protection Act 2018 or its principles, occurs, staff are required to inform their line manager, who will report the details to the Compliance & Risk Manager to be logged and investigated, in line with Philippa Weitz Training Ltd. Incident Management processes.

             Upon notification and initial investigation, Philippa Weitz Training Ltd. will ensure that, where necessary, both the Information Commissioner's Office and the Data Subjects affected are informed without undue delay (for the Information Commissioner's Office, where feasible, within 72 hours of becoming aware of the breach, as Article 33 of GDPR requires).


5)       Responsibilities


Philippa Weitz Training Ltd. recognises it has a responsibility to ensure that Personal Data is protected using appropriate technical and operational measures and as such has implemented a security framework which focuses on both the operational and the technical aspects of Data Protection. In this regard Philippa Weitz Training Ltd. have:

  • Implemented controls to ensure that staff cannot gain access to information that is not necessary for them to carry out their job functions;
  • Put in place measures to ensure that all information held will be relevant, accurate and up to date and used only for the purpose for which it is required and was originally intended;
  • Committed to ensuring that information will not be kept for longer than is necessary and will be kept secure at all times.

 Philippa Weitz Training Ltd. also recognises it is responsible for ensuring that Data Subjects' rights are considered when processing data.

 

6)       The Rights of Access by Data Subjects


Chapter III of GDPR sets out the rights Data Subjects have in relation to their data. These begin with the right to be informed: individuals have the right to be informed about how we use their Personal Data, including:

  • Who we are;
  • The legal basis on which we require their data;
  • How long we will keep their data for;
  • The existence of their rights under the General Data Protection Regulation.


a.  The right of access

    Individuals have the right to obtain:

  • Confirmation that their data is being processed by us;
  • Access to the Personal Data we hold on them (through the ‘Subject Access Request’ process described in section 8).


b.  The right to rectification

     Individuals have the right to have their Personal Data rectified if it is inaccurate or incomplete.

c.   The right to erasure (the right to be forgotten)

      Individuals have the right to request the deletion or removal of their Personal Data where there is no compelling reason for its continued processing, such as at the end of their contract.

d.  The right to restrict processing

      Individuals have the right to request that we restrict further processing of their Personal Data where:

•    They contest the accuracy of the Personal Data we hold on them, until it has been rectified and verified;

•    They have objected to us processing their Personal Data (where we rely on our legitimate interests for the processing), until their objection has been fully considered and a decision made;

•     Processing is unlawful, and they request that the processing of their data be restricted instead of the data being erased.

e.    The right to object

      Where we process an individual’s Personal Data on the basis of our legitimate interests, they have the right to object to the processing; however, this must be on grounds relating to their particular situation. In these circumstances, we will stop processing their Personal Data unless:

•     We can demonstrate compelling legitimate grounds for the processing which override their interests, rights and freedoms, or

•     The processing is for the establishment, exercise or defence of legal claims.

Where we process an individual’s Personal Data for direct marketing purposes, they have the right to object at any time.

If they object to their Personal Data being processed for direct marketing purposes:

•     We will stop the processing as soon as we receive their objection;

•     We will deal with their objection at any time and free of charge.

f.      Rights in relation to automated decision making and profiling

        Individuals have the right not to be subject to a decision when:

•         It is based solely on automated processing, and

•         It produces a legal effect or a similarly significant effect on them.

 We will not use individuals’ personal information for any automated decision-making or profiling purposes.

 When acting as a Data Controller, Philippa Weitz Training Ltd. is responsible for providing Data Subjects with a reasonable access mechanism to enable them to exercise these rights.

 

7)    Legal Basis for Processing (Consent)


Article 6 of GDPR provides the legal bases under which Personal Data can be processed, and Philippa Weitz Training Ltd. uses the following:

•         Employee Data – Processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;

•         Marketing and Promotional Material – ‘Legitimate Interests’ will be relied upon for marketing purposes, having considered the interests of the individuals concerned, and only where clear consent has been obtained or where the individual has previously indicated interest.

Under these conditions, Philippa Weitz Training Ltd. will apply the following legal basis for processing Personal Data:

•         Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.

 In all other circumstances, Philippa Weitz Training Ltd. apply the following legal basis for processing Personal Data:

•         The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes.


Where consent is obtained from individuals directly, GDPR states:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subject’s agreement to the processing of Personal Data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the Data Subject’s acceptance of the proposed processing of his or her Personal Data. 


Silence, pre-ticked boxes or inactivity should not therefore constitute consent. 


Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the Data Subject’s Consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. 


Where required, Philippa Weitz Training Ltd. obtains consent from individuals at the Registration Stage, via appropriate means. This is gained through the individual ticking a box or signing a ‘Consent form’ and making a conscious decision to ‘opt in’. 

 

8)    Subject Access Requests 


Under Article 15 of GDPR, an individual has ‘The Right of Access’ to personal information which is being held about them by Philippa Weitz Training Ltd. This information is to be provided free of charge, and individuals have the right to obtain:

•             the purposes of the processing;

•             the categories of Personal Data concerned;

•             the recipients or categories of recipient to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;

•             where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;

•             the existence of the right to request from the Controller rectification or erasure of Personal Data, or restriction of processing of Personal Data concerning the Data Subject, or to object to such processing;

•             the right to lodge a complaint with a Supervisory Authority;

•             where the Personal Data are not collected from the Data Subject, any available information as to their source.

Although the information will be provided free of charge, where a request is manifestly unfounded or excessive, for example because it is repetitive, a ‘reasonable fee’ can be charged.

Any fee charged must be based on the administrative cost of providing the information, and the information must be provided without delay and at the latest within one month of receipt of the request.

We are able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

It is important that we verify the identity of the person making the request, using ‘reasonable means’, before any Personal Data is disclosed. If the request is made electronically, we will provide the information in a commonly used electronic format (e.g. CSV or PDF).

 

9)      Definitions

To ensure Philippa Weitz Training Ltd. understands its obligations to the protection of Personal Information, the following definitions apply and are based on current understanding of these terms within UK and European law, and specifically in Article 4 of GDPR.

 

a.           Personal Data

Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b.          Sensitive Personal Data

Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those Personal Data include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

c.           Data Controller

The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of Personal Data.

d.          Data Processor

A natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of a Data Controller.

e.           Processing

An operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

f.            Anonymisation

Irreversibly de-identifying Personal Data such that the individual cannot be identified, using reasonable time, cost and technology, either by the Controller or by any other person. The Personal Data processing principles do not apply to anonymised data as it is no longer Personal Data.


10)    This Policy


This policy is reviewed on an annual basis by the senior managers of this organisation and is signed off by Philippa Weitz on behalf of Philippa Weitz Training Ltd.


© 2022 Philippa Weitz Training Ltd T/A Harley Street Online Therapy Centre