Introduction

The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we hold on you as a customer receiving music therapy services from the Company. It also explains how we use that information, how long we keep it for and other relevant information about your data. We would encourage you to read this policy carefully and contact the Company with any concerns about our privacy practices.

Who we are

The Company is a data controller, meaning that it determines the processes to be used when using your personal data.

The data controller details are as follows:

Laura Cook
Chiltern Music Therapy,
Office A, Irfon House,
High Street,
Stones Courtyard,
Chesham,
Buckinghamshire,
HP5 1DE

01442 780541
www.chilternmusictherapy.co.uk

What information do we collect?

The Company collects both personal information and, where relevant, sensitive data about you. Personal data means any information relating to an identified or identifiable person.

The Company collects information that includes:

Personal data is collected when:

Sensitive data is collected when:

Personal data is kept within the Company’s secure, password protected, IT systems and some information may also be shared with our outsourced finance function in order to raise and send invoices to you. Sensitive data is kept within the Company’s secure, password protected Cloud storage system and is regularly backed up on a password protected storage drive.

How do we use personal information?

We use your personal information when:

We do not need your consent if we use personal information in order to carry out our legal obligations. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. Consent, for the purposes of confidentiality, means that you understand and do not object to:

For consent to be valid, it must be voluntary and informed, and the person giving consent must have the capacity to make the decision.

As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

In addition to using your personal information, we may need to use your sensitive data in order to:

When do we share personal data?

Your data will be shared with relevant staff members within the Company where it is necessary for them to undertake their duties and deliver services to you.

If you are in receipt of our services, we may also share your data with third party professionals as part of delivering and monitoring the services we provide you with and in your best interests. This may include other health practitioners or legal representatives you have consented to us contacting, and for other reasons to comply with a legal obligation upon us.

When your information is shared with third parties, we make sure that:

In some cases in accordance with the law, we may disclose your information without your consent if it is justified as necessary to protect public safety or prevent harm to other people.

We may also take appropriate action and share your information with local authorities or police if we have concerns about your safety or well-being. In this situation, the information will be shared in accordance with the Company’s safeguarding policy.

We do not share your data with bodies outside of the European Economic Area.

Protecting and securing your data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented secure processes to guard against such.

Personal information and sensitive data are treated confidentially, and staff at the Company who process your data have all undergone data security training in accordance with GDPR compliance guidelines. Practitioners at the Company who will be processing and storing your sensitive data are registered and regulated by the Allied Health Professionals. More information on the regulation of Arts Therapists can be found here:

http://www.hpc-uk.org/aboutregistration/professions/index.asp?id=1#profDetails

In accordance with HCPC regulation, practitioners at the Company will take reasonable steps to keep information about you safe by:

Google Storage and Mail

The Company uses G suite cloud storage and Gmail to transfer and protect your data. To ensure optimum protection and security, Google adhere to the following principles:

Compliance
Reliability

Google’s application and network architecture is designed for maximum reliability and uptime. Data is distributed across Google's servers and data centres. If a machine—or even an entire data centre—fails, the Company’s data will still be accessible. Google owns and operates data centres around the world to keep the services running 24 hours a day, 7 days a week.

Security

Google has processes in place to protect from attempts to compromise data. Google vigorously resists any unlawful attempt to access our customers’ data, whether it be from a hacker or a government body.

Privacy

The Company ultimately has control over your data, not Google.

For more information related to Google Cloud storage and mail please consult the following guidelines: https://support.google.com/googlecloud/answer/6057301

Zoom Meeting Platform

The Company often uses Zoom to run digital services. A Digital Session Consent Form must be completed before anyone under the age of 18 or a vulnerable person signs up for a digital session on Zoom with a practitioner. To ensure optimum protection and security, Zoom adhere to the following principles:

Protecting Meetings

Meeting hosts can:

Protecting your Data
Protecting your Privacy

Zoom only stores basic information under user account profile information that includes:

For more information about Zoom privacy please visit the Privacy Policy here: https://zoom.us/privacy

How long do we keep your personal data for?

In line with data protection principles, we only keep your data for as long as we need it, which will be at least for the duration of you receiving our services. In most cases we will keep your data for a period after you have ceased receiving our services, in line with local law, contractual obligation and in line with the guidance from the Health and Care Professions Council.

Records and data will be kept within the Company’s secure, password protected, G Drive cloud storage systems and are regularly backed up on password protected storage drives.

At the point at which your data will be destroyed, the Company will follow steps to put your data beyond use. This means that the data controller:

Your rights in relation to personal data

The law on data protection gives you certain rights in relation to the data we hold on you. These are:


Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact Data Controller, Laura Cook on Laura.Cook@chilternmusictherapy.co.uk Tel: 01442 780541

Use of automated decision-making and profiling

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.


Linking to other websites / third party content

We do not take responsibility for or endorse any information or content on linked third party or partner Company websites.

How to contact us?

If you have questions or concerns about the Company’s privacy practices, your personal information, or if you wish to file a complaint, you can get in touch:

Laura Cook
Chiltern Music Therapy
Office A, Irfon House,
Stones Courtyard,
High Street
Chesham
Buckinghamshire
HP5 1DE

01442 780541
info@chilternmusictherapy.co.uk
www.chilternmusictherapy.co.uk


For more information

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights and has produced guidance which can be accessed here:
https://ico.org.uk/