Website privacy notice for a Private Therapy Practice
This is the privacy notice of Pauline Hawkins Hume at North Star Coaching. In this document, “we”, “our”, or “us” refer to Pauline Hawkins Hume at North Star Coaching.
Our registered office is at Blackburn, Aberdeenshire.
This is a notice to inform you of our policy about all the information that we record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means to collect, store, transfer, use or otherwise act on information.
We regret that if there are one or more points below with which you are not happy, your only recourse is to leave our website immediately.
We take seriously the protection of your privacy and confidentiality. We understand that all our clients and visitors to our website are entitled to know that their personal data will not be used for any purpose unintended by them, and will not accidentally fall into the hands of a third party.
We undertake to preserve the confidentiality of all information you provide to us, and hope that you reciprocate.
Our policy complies with UK law accordingly implemented, including that required by the EU General Data Protection Regulation (GDPR).
The law requires us to tell you about your rights and our obligations to you in regards to the processing and control of your personal data. We do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org
Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website.
The bases on which we process information about you
The law requires us to determine under which of six defined bases we process different categories of your personal information, and to notify you of the basis for each category.
If a basis on which we process your personal information is no longer relevant then we shall immediately stop processing your data.
If the basis changes then if required by law we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.
Information we process because we have a contract with you
When you become our client, a contract is formed between you and us.
The service we provide to you as a client necessarily entails you providing us with personal information.
We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract.
Additionally, we may aggregate this information generally use it to provide class information, for example to monitor the performance of a particular service we provide. If we use it for this purpose, you as an individual will not be personally identifiable.
We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.
Information we process with your consent
Through certain actions when otherwise there is no contractual relationship between us, such as when you browse our website or ask us to provide you with more information about our services, you provide your consent to us to process information that may be personal information.
Wherever possible, we aim to obtain your explicit consent to process this information.
Sometimes you might give your consent implicitly, such as when you write to us requesting a response.
Except where you have consented to our use of your information for a specific purpose, we do not use your information in any way that would identify you personally. We may aggregate it in a general way and use it to provide class information.
If you have given us explicit permission to do so, we may from time to time pass your name and contact information to selected associates whom we consider may provide services or products you would find useful.
We continue to process your information on this basis until you withdraw your consent or it can be reasonably assumed that your consent no longer exists.
You may withdraw your consent at any time by writing to us at our registered office or by email. If you do so, we shall not be able to provide our services further.
Information we process for the purposes of legitimate interests
We may process information on the basis there is a legitimate interest, either to you or to us, of doing so.
Where we process your information on this basis, we do after having given careful consideration to:
- whether we could achieve the same objective by other means
- whether processing (or not processing) might cause you harm
- whether you would expect us to process your data, and whether you would, in the round, consider it reasonable to do so
For example, we may process your data on this basis for the purposes of:
- record-keeping for the proper and necessary administration of our business
- protecting and asserting your rights, our rights, or the rights of any other third party
- insuring against or obtaining professional advice that is required to manage business risk
- protecting your interests where we believe we have a duty to do so
Information we process because we have a legal obligation
We are subject to the law like everyone else. Sometimes, we must process your information in order to comply with a statutory obligation.
For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order.
This may include your personal information.
Specific uses of information you provide to us
Information relating to your method of payment
Your debit or credit card number and other payment information is never taken by us or transferred to us either through our website or otherwise. Our employees and contractors never have access to it.
OR Second option:
We store information about your debit or credit card or other means of payment when you first provide it to us.
We store this payment information in order both to make repeat purchasing of our services easier, and to help us prevent fraud.
We take the following measures to protect your payment information:
- We keep your payment information encrypted
- We do not keep all your payment information so as:
- to prevent the possibility of our duplicating a transaction by accident
- to prevent any other third party from carrying out a transaction without your consent
- Access to your payment information is restricted to authorised staff only.
We automatically delete your payment information [after 28 days or when a credit or debit card expires].
Payments by Direct Debit
If you pay us by Direct Debit, the information you give to us is passed to our own bank for processing according to our instructions.
We only keep this information only for the duration of the Direct Debit arrangement.
We are registered under the Direct Debit guarantee scheme. This provides for the customer’s bank to refund disputed payments without question, pending further investigation. Direct Debits can only be set up for payments to beneficiaries that are approved originators. In order to be approved, these beneficiaries are subjected to careful vetting procedures. Once approved, they are required to give indemnity guarantees through their banks.
Job application and employment
If you send us information in connection with a job application, we may keep it for up to [three years] in case we decide to contact you at a later date.
If we employ you, we collect information about you and your work from time to time throughout the period of your employment. This information will be used only for purposes directly relevant to your employment. After your employment has ended, we will keep your file for [six years] before destroying or deleting it.
When you contact us, whether by telephone, by post, through our website or by e-mail, we collect the data you have given to us in order to reply with the information you need.
We record your request and our reply in order to increase the efficiency of our business.
We may keep personally identifiable information associated with your message, such as your name and email address so as to be able to track our communications with you to provide a high quality service.
When we receive a complaint, we record all the information you have given to us.
We use that information to resolve your complaint.
If your complaint reasonably requires us to contact some other person, we may decide to give to that other person some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.
We may also compile statistics showing information obtained from this source to assess the level of service we provide, but not in a way that could identify you or any other person.
If you complain about any of the content on our website or in any brochure, we shall investigate your complaint. If we feel it is justified or if we believe the law requires us to do so, we shall remove the content while we investigate.
If we think your complaint is vexatious or without any basis, we shall not correspond with you about it.
Use of information we collect through automated systems when you visit our website
Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved.
Some cookies may last for a defined period of time, such as one day or until you close your browser. Others last indefinitely.
Your web browser should allow you to delete any you choose. It also should allow you to prevent or limit their use.
- to track how you use our website
- to record whether you have seen specific messages we display on our website
- to keep you signed in our site
- to record your answers to surveys and questionnaires on our site while you complete them
- to record the conversation thread during a live chat with our support team
Personal identifiers from your browsing activity
Requests by your web browser to our servers for web pages and other content on our website are recorded.
We record information such as your geographical location, your Internet service provider and your IP address. We also record information about the software you are using to browse our website, such as the type of computer or device and the screen resolution.
We use this information in aggregate to assess the popularity of the webpages on our website and how we perform in providing content to you.
If combined with other information we know about you from previous visits, the data could possibly be used to identify you personally, even if you are not signed in to our website.
Disclosure and sharing of your information
Information we obtain from third parties
Although we do not disclose your personal information to any third party (except as set out in this notice), we sometimes receive data that is indirectly made up from your personal information from third parties whose services we use.
No such information is personally identifiable to you.
To assist in combating fraud, we share information with credit reference agencies, so far as it relates to clients or customers who instruct their credit card issuer to cancel payment to us without having first provided an acceptable reason to us and given us the opportunity to refund their money.
Access to your own information
Access to your personal information
- At any time you may review or update or request that we remove personally identifiable information that we hold about you. To obtain a copy of any information that is not provided on our website you may send us a request at email@example.com
- After receiving the request, we will tell you when we expect to provide you with the information, and whether we require any fee for providing it to you.
- When we receive any request to access, edit or delete personal identifiable information we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
- If a dispute is not settled then we hope you will agree to attempt to resolve it by engaging in good faith with us in a process of mediation or arbitration.
- If you are in any way dissatisfied about how we process your personal information, you have a right to lodge a complaint with the Information Commissioner’s Office. This can be done at https://ico.org.uk/concerns/
Retention period for personal data
Except as otherwise mentioned in this privacy notice, we keep your personal information only for as long as required by us:
- to provide you with the services you have requested;
- to comply with other law, including for the period demanded by our tax authorities;
- to support a claim or defence in court.
Compliance with the law
We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to print a copy for your records.
The EU Data Protection Directive (95/46/EC), implemented as the General Data Protection Regulation, or the GDPR, comes into force from May 2018.
In the UK, the Data Protection Bill enshrines the law in the GDPR, making it applicable even after the UK leaves the European Union.
The requirements under the new law are similar in extent to existing data protection law in the UK. If your practice complies with existing law, then the changes you need to make are likely to be small.
The possible implications for non-compliance are now much more severe. In theory, the Information Commissioner’s Office (the ICO) has the power to fine a business 4% of its annual worldwide turnover.
However, as with other EU law regarding selling to consumers we believe that the ICO in practice is unlikely to fine any small business without having first given a warning. Having a privacy notice that shows effort to comply with the law is likely, in our opinion, to generate enough goodwill with the ICO to avoid a fine in the first instance.
Updating your website privacy notice is not the only requirement for compliance with the GDPR. You are also likely to need to change how customers and website visitors can access personal data held about them, and create new procedures for obtaining compliance to collect and use personal data.
You may also need to update other legal documents, in particular, your website terms and conditions. Free versions of these are also available from Net Lawman’s website at www.netlawman.co.uk.
More information about GDPR can be found at: https://www.netlawman.co.uk/ia/gdpr
Using this template as the basis for your privacy notice
We aim to balance those qualities in this document. However, we cannot know exactly how your business works, so you may need to edit the document in certain places.
Text in blue indicates where a choice is required, either to include the text or not, or between two sets of text. Text in blue marking surrounded by square brackets indicates where you need to change our default text to suit your business.
This template has been drawn by Net Lawman. It asserts its copyright in the document and its standard licence terms apply.
In addition to these paragraph specific guidance notes to help you edit the template, we also publish a free, more general guide to editing our legal documents, which we recommend that you download at: https://www.netlawman.co.uk/uploads/Editing Legal Document Templates.pdf
If you have any questions, please contact us at firstname.lastname@example.org
Paragraph specific notes
Numbered notes refer to specific numbered paragraphs in the template.
Identification of the owner of the website
The GDPR requires that you identify your business. Using your domain name is not enough. You need to provide your business name and an address.
If you run your practice through a company, provide your company registration number as well.
Leave these items in place unless there is a good reason to edit or remove. Each of these items has been carefully considered in the context of this document and has been included for a purpose.
This paragraph sets out the purpose of the document and explains terms used throughout it.
This is a statement of intent, designed to reassure visitors, but also any regulator.
This statement demonstrates awareness of the GDPR and compliance. It should also reassure visitors.
A key requirement of the law is that you tell your visitors and customers that they have rights with respect to how their personal information is processed. Rather than cluttering your privacy notice with an explanation of the law, we recommend linking to this explanatory website.
A statement designed to reassure clients and website visitors.
The bases on which we process information about you
A requirement of the GDPR is that you tell the data subject why you process the data and which legal basis you have chosen to use as the justification to process his or her data.
Most websites will process different types of data on different bases. The two most likely to apply are “Contract” (after the client has accepted your terms and conditions) and “Consent” (after the person has agreed to your use of his or her data – usually by taking some affirmative action). Some data may also be processed because of a legal requirement or a legitimate interest.
All the bases are described at: http://www.knowyourprivacyrights.org/legitimate-uses/
The reasons why you process the data arise as a result of the basis. If there is a contract, there is a contractual obligation to carry out the service. If the basis is consent, then there will probably be some benefit to the data subject of you using the information.
This section shouldn’t need editing, except in minor ways if appropriate. Certainly do consider whether to leave or remove paragraphs that we have highlighted in blue.
Legitimate Interests is a basis that is fairly subjective. For it to be used, you must have decided that there is a legitimate interest, that processing the data is necessary to protect that interest, and that the data subject’s interests (or other interests) do not override it. In some circumstances, it is most appropriate, but if possible, we would recommend using Contract or Consent as better alternatives. The reason is simply that the data subject is less likely to complain if he or she has clearly asked you to process his or her data.
Data subjects have a legal right to see the personal information you hold about them. You need both an internal process as to how to provide this, and a means for the data subject to request the information.
Lastly, for each basis you need to state when you stop processing the data. We suggest that you don’t edit our text.
Specific uses of information you provide to us
This section provides more information about specific types of information. The paragraphs within it are as much designed to reassure a visitor reading your policy than to aid compliance with the law.
5 Information relating to your method of payment
There are two options here. Delete whichever is not relevant.
You may also need to edit the paragraphs slightly to reflect exactly how your practice operates.
6 Information about your direct debit
If you do not take payment by direct debit, delete this paragraph. Otherwise edit the wording in blue appropriately.
7 Job application and employment
The purpose of this paragraph is to set out for how long personal information is processed. It is a requirement of the GDPR.
8 Contacting us
We suggest you keep this paragraph in your notice. We hope that you shouldn’t need to edit it.
This paragraph deals with both how to complain and how information collected as a result of a complaint is used. We suggest you leave this paragraph as is.
The start of this paragraph is an explanation of what cookies are.
We take the approach here of not listing every single cookie.
The reason is that you not know this information yourself, especially if you use third party add-ons or plug-ins to your website. For example, Google provides visitor tracking software (Analytics) that is popular. It could at any point change the name or purpose of the many cookies it uses without telling you.
There are so many cookies that software you use is likely to place that to list them here would increase the size and complexity of the notice, and to keep the notice up-to-date as they change would be time consuming.
Listing every cookie’s file name, purpose and expiration period could be done in a separate cookie notice, linked from this paragraph.
We prefer the approach of explaining in what ways they are used. Add or delete to this list as appropriate.
11 Personal identifiers from your browsing activity
Most web servers log requests for pages. We suggest you leave this paragraph as is, even if you don’t use this information.
Disclosure and sharing of your information
12 Information we obtain from third parties
This paragraph is a reminder to visitors that you may use third party information provision services. Delete if not appropriate to your practice.
13 Credit reference
We suggest that you leave this paragraph in place even if you have no immediate intention of liaising with debt collectors. It may be a useful “reminder” to clients.
14 Access to your own information
Under the GDPR, a data subject has a right to access information about him or her, and a right for that information to be kept up-to-date and only for as long as required.
You should leave these three paragraphs in place, editing the addresses.
This paragraph sets out standard wording that tells visitors how to make a complaint.
It gives you a stronger argument to use arbitration or mediation as a means of resolving a complaint, rather than going to court.
In any case, you must tell visitors to your site about their right to complain to the supervisory body, the Information Commissioner’s Office.
16 Retention period for personal data
It is a requirement of the GDPR to tell data subjects for how long personal information will be kept. This paragraph is a catch-all if the information is not provided elsewhere.
Basic UK law relating to limitation for bringing a claim, contract matters, tax and other areas often requires data to be retained for six years. You will be “safe” if you specify that period for commercial transactions.
17 Compliance with the law
Leave this paragraph in place.
Leave this paragraph in place.