Paint-ability follows the regulations set out by the ICO to ensure data is fairly and lawfully processed. Personal data, sometimes called personal information, includes your name, address, date of birth and anything else someone could use to identify you as an individual, such as medical details or other key personal characteristics. Privacy, as distinct from confidentiality, refers to information about any individual attending counselling, and Paint-ability acts as custodian for all of its personal data relating to clients. Paint-ability also acts as a controller and processor for processing your data to and/or from other healthcare or educational providers, such as a GP, only where this is necessary for your care and with your consent. Paint-ability does not store or transfer any personal information outside of the European Economic Area (EEA).
Under the May 2018 General Data Protection Regulation (GDPR) rules and regulations, you have more control over how and where your personal information is used. Consequently, you have the right, with regard to any personal data held by Paint-ability: (i) to be informed; (ii) of access; (iii) to rectification; (iv) to erasure; (v) to restrict processing; (vi) to data portability; (vii) to object; and (viii) not to be subject to automated decision-making including profiling. GDPR is designed to give you confidence that the personal information Paint-ability holds about you is accurate, up to date and well managed, and to give you easier access to that data if you wish to check or change it. Additionally, at least one of the following six legal reasons must apply whenever Paint-ability processes your personal data: consent; contract; legal obligation; vital interests; public task; and legitimate interests.
Paint-ability may collect contact details and process information you provide through its website (www.paint-ability.co.uk), by telephone and via email correspondence (firstname.lastname@example.org), including communications plus reports prepared at your request with regard to your ongoing care. The latter communications are periodically deleted if you are not a client, and are stored in Outlook folders if you are a client. Paint-ability uses anonymised data for any personal notes or records, so that it is not possible to identify individuals from these. Personal information is not disclosed either verbally or in writing, or otherwise, to any unauthorised third party.
Paint-ability works hard to keep your personal data secure, including regularly reviewing its Privacy Notice, the last review being in May 2018 in order to coincide with the new GDPR coming into effect on 25th May 2018 (replacing the Data Protection Act 1998). This new regulation supports your right to have your privacy respected and your data protected. It is a really positive step towards you having more control over how your data is used and how you are contacted, as well as better protecting your personal information. You may request any additional explanation by email from Paint-ability at any time.
Paint-ability uses only the data you have provided in order to deliver the Service you have requested. This means that the legal basis of holding your personal data is for legitimate interest. Any additional information kept would only be with your express consent (freely given, specific, informed and unambiguous), in which case the legal basis of holding this information is consent. Consent will not be inferred as a result of silence or inactivity. Retaining your data allows any complaints you make to be processed, in which case the legal basis of holding your personal data is for contract administration.
Communications between Paint-ability and clients are retained for no longer than is necessary, this being two years. At the end of the period of two years following the ending of the requested Service, your personal data and notes will be securely destroyed. All paper data records will be destroyed on site or through the contracted secure service (via their own Data Security Scheme), and all electronic data held will be irretrievably deleted from devices.
Paint-ability ensures that personal data held, either in paper or electronic format, is kept in a secure location with restricted access to authorised personnel only. Suitable physical, electronic, managerial and reasonable security procedures are in place to safeguard and secure any stored information. External data processors that are used are legally and contractually bound to operate and prove security arrangements where processing data could or does identify a person. Your personal and confidential information held on equipment, such as laptops or handheld devices, is protected with encryption and/or secure passwords.
The security of the Paint-ability website and computer systems is of utmost importance. The website uses software to provide high level encryption technology, including any back-ups. Although advanced security measures are in place to protect your information against loss, misuse and alteration, as is the case with all computer networks linked to the internet, including for cloud data storage such as Dropbox, Paint-ability cannot make absolute guarantees over the security of these Processors, and as such cannot be held responsible for it.
Every Paint-ability client has the right to see, and have a copy of, personal data that can identify them individually. A “Data Subject Access Request” needs to be made in writing, and there is no charge for this. A response will be provided within one month from the date the written request is received, and it will include the details of the personal data held, including how the information was acquired; how it has been processed; why it has been kept; for how long it has been retained; and with whom it has been shared if this was subject to your consent. You have the right to ask to have your information corrected or updated where it is no longer accurate. You also have the right to ask for any processing of your personal data to be limited or to be ceased, provided it is not required to be kept by law or in accordance with the Professional Regulatory Guidelines. Paint-ability can refuse or charge for requests that are manifestly unfounded or excessive, and it will then advise the individual of the reasons for this course of action.
Paint-ability follows the common law duty of confidence, which means that where identifiable information about you has been given, it is treated as confidential and only shared for the purpose of providing direct care. There is a commitment to ensuring that your information is secure and not disclosed to third parties, in accordance with the requirements of GDPR. Your data is therefore only shared with your consent, except in the event of a complaint when information may be required by a Registrant Body. Your express consent will be confirmed before sharing your information with a GP or other healthcare provider. Data may be shared with other agencies if, as an example, there is an immediate risk of substantial harm to the self or to others; or under a legal requirement, such as terrorism or drug money laundering; or via court order for disclosure.
Paint-ability does not collect, share and use your personal data for personalisation of marketing, advertising, profiling or other services. Information that may identify you is used in accordance with GDPR. Consequently, your personal data is processed only if there is a legitimate basis for doing so, and any processing must be fair and lawful. If, at any time, Paint-ability wanted to use your data for marketing purposes, such as newsletters or research, this would be subject to your express consent. Your information is protected, and only you can decide if and how this may be shared, if we inform you of how your personal data may be used.
Data breaches may occur if there is a deliberate attack which compromises the integrity of Paint-ability, or if there is unauthorised access or an accidental loss of integrity. The ICO only have to be notified if a breach is likely to result in a risk to the rights and freedoms of individuals – if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Paint-ability will notify any individual if it is made aware of any such breach. All possible data breaches will be recorded and by law must be reported to the ICO within 72 hours of the breach being identified. Information on how to report a breach is available at www.ico.org.uk. No breach should be reported without first advising and consulting Paint-ability. If there is no harm caused, or if there is only a minimal effect resulting, this will not qualify as a breach – however, a review of security measures will still be undertaken by Paint-ability, the results of which will be clearly documented to the relevant parties concerned.
If you have a complaint regarding the use of your personal data by Paint-ability, you can email email@example.com in the first instance. If your complaint is not resolved to your satisfaction, you can contact the ICO on 01625 545745 or on 0303 1231113.