Privacy Policy
INTRODUCTION AND SCOPE
-
This Data Protection Policy sets out Hopscotch Children’s Therapy Centre (HCTC) obligations when it processes personal data. It also sets out what HCTC employees and contractors must do when they handle HCTC personal data.
WHAT IS PERSONAL DATA AND WHAT IS A DATA SUBJECT
-
Personal data is any information about an identifiable living individual. You may see documents which talk about “data subjects”: this is what data protection law calls individuals. An individual is identifiable where:
-
HCTC holds clear direct identifiers – such as, name or full postal address; and/or
-
It is reasonably likely that HCTC can identify the individual by other reasonable means. For example, an employee ID number where HR can link this to employee name, or customer reference number, where customer support can link this to name or address.
-
Online identifiers – such as cookie IDs and device IDs – are also covered by the law, as are, decisions made about individuals and subjective opinions held about people.
-
Sensitive personal data is any information about health, used to uniquely identify a person.
-
We may collect personal data in a variety of ways, such as: from recruitment agents, correspondence with employees, with customers or other practicing professionals.
WHAT IS PROCESSING
Processing is any use that HCTC makes of personal data. This includes obtaining or creating personal data, amending it, storing it, sharing it, or even accessing, anonymising or deleting it.
WHAT OBLIGATIONS DOES HCTC HAVE
HCTC complies with the General Data Protection Regulation (“GDPR”) and laws such as the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 in the UK. HCTC’s obligations under these laws are set out in this Policy.
WHAT ARE HCTC OBLIGATIONS
All employees and, where applicable, contractors of HCTC comply with this Data Protection Policy and any additional policies which HCTC introduces. Failure to comply with this Policy may result in disciplinary action. The Annexes to this Policy contain supplemental notes.
CORE DATA PROTECTION PRINCIPLES
HCTC follows these data protection principles when processing personal data:
​
-
Lawfulness, Fairness and Transparency
HCTC always processes personal data fairly – in line with individual’s reasonable expectations – and lawfully.
Informing individuals how HCTC will use their personal data
-
Individuals understand how their personal data will be collected and used. When developing a new product or activity that will involve personal data, HCTC considers how individuals will be informed.
-
When HCTC collects personal data directly from individuals, it provides notice at the time of such collection.
-
When HCTC collects personal data from another source, it provides notice within a reasonable period, but no later than a month, after the data was obtained by HCTC. If HCTC intends to communicate with the individual, or disclose the data to a third party, then the information is provided no later than that communication or disclosure.
-
The privacy notice contains the information listed in Annex 1.
-
HCTC ensures that privacy notices are: concise, intelligible, use clear and plain language, which is suitable for the audience; easily accessible; and provided in writing (which can include electronic means), unless the individual asks for the information to be provided orally.
-
If the purposes for processing personal data change, HCTC provides a further privacy notice before the new processing takes place – please contact us at info@hopscotchtherapy.co.uk if you think that a purpose for which you process personal data is not already covered by the applicable privacy notice.
Lawful justification for processing
-
HTC only processes personal data where it can meet one of the grounds for processing in the legislation. These include:
-
The individual has given consent to the processing;
-
The processing is necessary to perform a contract with the individual, or to take steps at the request of the individual before entering into a contract;
-
The processing is necessary for compliance with a legal obligation to which HCTC is subject; or
-
The processing is necessary for HCTC’s legitimate interests or those of a third party, unless the interests of the individual override those interests.
-
-
The Annexes have guidance on the relevant grounds for each HCTC business area.
-
HCTC only processes sensitive personal data if it can satisfy one of the additional sensitive data grounds. Suitable grounds for each HCTC business area are listed in the Annexes.
b. Purpose Limitation
-
HCTC only processes personal data for purposes which are legitimate and which HCTC has told the individual about, as part of the Transparency principle and in the Record of Processing.
-
HCTC does not process personal data for any incompatible purpose.
c. Data Minimisation and Accuracy
-
HCTC makes sure that personal data is adequate and relevant for the purposes for which it is processed and limited to what is necessary for the purpose of processing. It does not collect more personal data than needed just because it may turn out to be useful later.
-
It also makes sure that personal data is accurate and, where necessary, kept up to date; and takes all reasonable steps to correct or delete inaccurate personal data.
d. Storage Limitation
-
HCTC determines for how long it needs to process personal data for a particular purpose and only keep personal data for this period. At the end of this period, HCTC erases the personal data, or ensures that the data doesn’t allow individuals to be identified. Generally, HCTC maintains the personal data it collects based on the NHS Records Management Code of Practice, whilst keeping in consideration other obligations set out in the HCPC Standards of Proficiency.
e. Integrity and Confidentiality
-
HCTC keeps all the personal data it processes secure, and protected against ‘unauthorised or unlawful processing and accidental loss, destruction or damage’. It does this by implementing various security measures such as encryption and data anonymisation; and also implementing the measures which it imposes on its data processors.
-
HCTC also implements a data breach response programme so that it can log, remediate and report any data breaches as required by law.
f. Accountability
-
Privacy by Design and Default: HCTC can demonstrate its compliance with this Policy and with applicable data protection law. HCTC ensures that privacy issues have been considered from an early stage in implementing services and procedures (privacy by design), and that, by default, only the minimum amount of personal data necessary is being processed (privacy by default). HCTC has drafted a New Project Checklist and guidance to ensure that these requirements are considered at the outset of any new project or initiative.
-
Data Protection Impact Assessment: In certain cases – high risk processing – HCTC may be required to carry out a data protection impact assessment (DPIA). A DPIA is a check conducted on a specific area of an organisation’s operations to identify and minimise non-compliance risks. The New Project Checklist and guidance also considers DPIAs.
-
Record of Processing: HCTC keeps a formal record of its processing activities.
INDIVIDUAL RIGHTS
HCTC deals promptly with requests from individuals to exercise their data protection rights. If you receive a request from an individual please forward it to info@hopscotchtherapy.co.uk.
Individuals have the following rights:
-
Access: to obtain (i) confirmation whether HCTC processes their personal data; (ii) a copy of the personal data (in a commonly-used electronic form, if the request is made electronically); and (iii) provision of supporting explanatory information.
-
Portability: to request that their personal data is “ported” (i.e. transferred) to a specified third party, or to the individual him or herself, in a machine-readable and structured format (e.g. CSV files). There are exemptions – for example, this only applies to personal data which has been provided by the individual or collected automatically from the individual, which is held in digital format, and which HCTC processes with the individual’s consent or to fulfil a contract with that individual.
-
Rectification: to request correction of inaccurate personal data.
-
Objection: to object to: (i) processing for direct marketing purposes; (ii) profiling based on direct marketing; and/or (iii) processing based on HCTC’s legitimate interests.
-
Erasure (a.k.a. the “right to be forgotten”): to request that personal data is erased in certain situations, for example, where: (i) the processing is based on consent and the consent is later withdrawn; or (ii) the individual has validly exercised a right to object and wishes the data to be erased.
-
Restriction: to request that personal data is “restricted” (i.e. block/pause) whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.
Individuals also have rights not to be subject to decisions taken solely on the basis of automated processing of personal data of an individual (i.e. no human involvement in the decision) which produce legal effects, or have similarly significant effects, unless taking such decisions is permitted by law. There are limited exceptions to this. HCTC does not use automated individual decision-making technology. All processing activities take place with meaningful human involvement.
SHARING PERSONAL DATA WITH THIRD PARTIES AND INTERNATIONAL TRANSFERS
-
Data processors are other organisations which process personal data on behalf of a controller. HCTC may appoint processors to help it process personal data (e.g. a payroll provider, recruiters, other practitioners).
-
When appointing any data processor to collect, store or use personal data on HCTC’s behalf, HCTC:
-
Before Engagement: Ensures that the data processor provides satisfactory assurances about their data protection practices.
-
On Engagement: Signs the data processor up to specified data processing terms; and
-
Post Engagement: Confirms on an appropriate periodic basis that the assurances provided before engagement about their data protection practices remain valid.
-
-
Where HCTC transfers personal data to data processors or data controllers which are based outside the EEA (which includes data processors accessing the personal data from outside the EEA e.g. in order to provide IT support services), a data transfer mechanism is put in place unless that country has been deemed adequate by the European Commission.
TRAINING
-
HCTC provides training on this Policy and HCTC’s other data protection-related policies, procedures and obligations to all employees and contractors when they join HCTC, and then on an annual basis.
AUDITS AND MONITORING
-
HCTC audits compliance with this Policy and other data protection-related policies; and will implement appropriate corrective actions to rectify any non-compliance. If you think that this Policy is not being complied with in any way at HCTC, please bring this to the attention of our Data Protection Officer, at info@hopscotchtherapy.co.uk
UPDATES OF THE POLICY
-
PDG is responsible for communicating changes to this Policy and will also provide a brief explanation of the reasons for any notified changes to this Policy.
PUBLICATION AND FINAL PROVISIONS
-
HCTC will publish this Policy and any other amendments to it.
EFFECTIVE DATE: 16/November/2024
-
Contact: You can raise any questions or concerns in relation to this Policy by contacting: info@hopscotchtherapy.co.uk You should also contact DPO if you think you need an exception to a rule in this Policy.
ANNEX 1
-
Information which must be provided to individuals when collecting their personal data directly from them:
-
The identity and the contact details of HCTC and of HCTC’s DPO;
-
The purposes and the legal basis for the processing;
-
The legitimate interests of HCTC, where applicable;
-
The recipients or categories of recipients of the personal data;
-
Any international data transfers, including the location of any recipients and the methods used to ensure the adequate protection of those transfers (and how to obtain details of those methods);
-
Data retention periods;
-
Their rights under data protection rules;
-
The process available to individuals to withdraw any consent;
-
Whether the individual is obliged to provide the personal data and the possible consequences of failure to provide such data; and
-
The existence of automated decision-making, including profiling, and the logic involved.
-
Information which must be provided to individuals when collecting their personal data another source:
-
All of the information stated in paragraph 1 of this Annex 1 above;
-
The categories of personal data obtained from the third party; and
-
The sources of the personal data – information must be as precise as possible (e.g. identify whether this source is a private or public source; and the type of organisation/industry/sector).
ANNEX 2
Grounds for processing personal data
-
HCTC HR can collect and process personal data where it is necessary for the following purposes:
2. Transparency
HCTC has prepared privacy notices for applicants and employees.