The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we hold on you as a customer receiving music therapy services from the Company. It also explains how we use that information, how long we keep it for and other relevant information about your data. We would encourage you to read this policy carefully and contact the Company with any concerns about our privacy practices.
Who we are
The Company is a data controller, meaning that it determines the processes to be used when using your personal data.
The data controller details are as follows:
Chiltern Music Therapy,
Office A, Irfon House,
What information do we collect?
The Company collects both personal information and, where relevant, sensitive data about you. Personal data means any information relating to an identified or identifiable person.
The Company collects information that includes:
- your personal data including your name, address, date of birth, email address, phone numbers
- medical history, current diagnosis and health
- name, addresses and contact email and telephone details for other professionals involved in your care (where included on the referral form)
- sensitive data explaining the reason for referral to our services
- session note records and sensitive data from therapy or community sessions you have attended
- photos, videos or other images
- other information that you, a family member or carer shares with us that is not strictly related to the care, treatment or other services we provide.
Personal data is collected when:
- you make a telephone, email or postal enquiry about our services
- you subscribe to email updates and newsletters from the Company
- you have consented to be filmed or photographed as part of receiving a service with the Company
Sensitive data is collected when:
- you, or someone on your behalf, sends the Company a completed referral form for a music therapy or community music service by post or email
- an assessment, progress or discharge report is written about the music therapy sessions you have received with one of our therapists (where applicable)
- we contact another health professional regarding your care
Personal data is kept within the Company’s secure, password protected, IT systems and some information may also be shared with our outsourced finance function in order to raise and send invoices to you. Sensitive data is kept within the Company’s secure, password protected Cloud storage system and is regularly backed up on a password protected storage drive.
How do we use personal information?
We use your personal information when:
- setting up and administering an account for you on our IT and, where relevant, finance system
- processing your referral before you receive our services
- providing you with music therapy or community music services
- we carry out legal duties
- providing you or your referrer with written documentation or assessment reports and
- informing you of events or news relating to the Company if you have opted into this.
We do not need your consent if we use personal information in order to carry out our legal obligations. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. Consent, for the purposes of confidentiality, means that you understand and do not object to:
- the information being disclosed or shared;
- the reason for the disclosure;
- the people or organisations the information will be shared with; and
- how the information will be used.
For consent to be valid, it must be voluntary and informed, and the person giving consent must have the capacity to make the decision.
As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.
In addition to using your personal information, we may need to use your sensitive data in order to:
- set up your account on our secure database upon first referral
- carry out an assessment of need for our services
- liaise with other health professionals regarding your referral to our services (where appropriate)
- assign you with an appropriate service
- carry out appropriate risk assessments ahead of receiving services
- keep a weekly record of sessions received
- manage your services received by us including ongoing recommendations and discharge into other services
When do we share personal data?
Your data will be shared with relevant staff members within the Company where it is necessary for them to undertake their duties and deliver services to you.
If you are in receipt of our services, we may also share your data with third party professionals as part of delivering and monitoring the services we provide you with and in your best interests. This may include other health practitioners or legal representatives you have consented to us contacting, and for other reasons to comply with a legal obligation upon us.
When your information is shared with third parties, we make sure that:
- it is necessary to provide the information;
- we have your consent and permission to do so;
- we only disclose the information that is relevant;
- the professional receiving the information understands why you are sharing it and that they have a duty to keep it confidential; and
- third parties implement appropriate technical and organisational measures to ensure the security of your data.
In some cases in accordance with the law, we may disclose your information without your consent if it is justified as necessary to protect public safety or prevent harm to other people.
We may also take appropriate action and share your information with local authorities or police if we have concerns about your safety or well-being. In this situation, the information will be shared in accordance with the Company’s safeguarding policy.
We do not share your data with bodies outside of the European Economic Area.
Protecting and securing your data
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented secure processes to guard against such.
Personal information and sensitive data are treated confidentially, and staff at the Company who process your data have all undergone data security training in accordance with GDPR compliance guidelines. Practitioners at the Company who will be processing and storing your sensitive data are registered and regulated by the Allied Health Professionals. More information on the regulation of Arts Therapists can be found here:
In accordance with HCPC regulation, practitioners at the Company will take reasonable steps to keep information about you safe by:
- making sure that we have your consent if we are passing on your identifiable information or personal data (unless we need to protect public safety or prevent harm to others)
- getting express written consent if we are using your information for a reason not relating to the services you receive (i.e. teaching, education, supervision)
- only disclosing the minimum amount of information if and when necessary
- telling you we have shared your information where practical and possible
- keeping session notes and disclosure records on secure cloud based and password protected devices such as laptops and iPads
- keeping up to date with relevant law and good practice guidance.
Google Storage and Mail
The Company uses G Suite cloud storage and Gmail to transfer and protect your data. To ensure optimum protection and security, Google adheres to the following principles:
- Your data will be stored in Google's network of data centres. Google maintains a number of geographically distributed data centres.
- Google's computing clusters are designed with resiliency and redundancy, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.
Google’s application and network architecture is designed for maximum reliability and uptime. Data is distributed across Google's servers and data centres. If a machine—or even an entire data centre—fails, the Company’s data will still be accessible. Google owns and operates data centres around the world to keep the services running 24 hours a day, 7 days a week.
Google has processes in place to protect from attempts to compromise data. Google vigorously resists any unlawful attempt to access our customers’ data, whether it be from a hacker or a government body.
The Company ultimately has control over your data, not Google.
- Your data is logically protected as if it were on an exclusive server and unauthorised parties cannot access your data. Other customers cannot access your data, and you can’t access theirs. The Company’s account is further protected by Google’s secure architecture that ensures that one user cannot see another user's data.
- Google services provide the ability to access all data using HTTPS-encrypted tunnels. This helps ensure that no one except the Company can read their data. The mobile email application also uses encrypted access to ensure the privacy of communications. Google also requires encryption for access to mail data by third-party email clients.
- SSL (Secure Sockets Layer)/TLS (Transport Layer Security) connectivity is used with G Suite. Google’s data centres also use custom hardware running a custom hardened operating system and file system. Each of these systems has been optimised for security and performance. Because Google controls the entire hardware stack, they are able to quickly respond to any threats or weaknesses that may emerge.
- Google is the first major cloud provider to enable Perfect Forward Secrecy, which encrypts content as it moves between the servers.
- Google encrypts Gmail, Attachment, and Drive data while in transit. This ensures that the Company’s messages are safe not only when they move between the Company and Google's servers, but also as they move between Google's data centres.
For more information related to Google Cloud storage and mail please consult the following guidelines: https://support.google.com/googlecloud/answer/6057301
Zoom Meeting Platform
The Company often uses Zoom to run digital services. A Digital Session Consent Form must be completed before anyone under the age of 18 or a vulnerable person signs up for a digital session on Zoom with a practitioner. To ensure optimum protection and security, Zoom adheres to the following principles:
Meeting hosts can:
- Secure meetings with encryption
- Create waiting rooms for attendees
- Be present before the meeting starts
- Expel a participant or all participants
- Lock a meeting
- Use Screen sharing watermarks
- Use Audio signatures
- Enable/disable participants or all participants to record
- Temporarily pause screen sharing when a new window is opened
- Password protect a meeting
- Only allow individuals with a given email domain to join
Protecting your Data
- Chat Encryption allows for a secured communication where only the intended recipient can read the secured message. Zoom uses both asymmetric and symmetric algorithms to encrypt the chat session. Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session cannot be eavesdropped on or tampered with.
- Recordings can be stored on the host’s local device with the local recording option or on Zoom’s cloud with the Cloud Recording option.
- Recordings stored locally on the host’s device can be encrypted if desired using various free or commercially available tools.
- Cloud Recordings are processed and stored in Zoom’s cloud after the meeting has ended; these recordings can be password protected or available only to people in Chiltern Music Therapy.
- The recordings are stored in both video/audio format and audio only format.
- If a meeting host enables cloud recording and audio transcripts, both will be stored encrypted. If a meeting host enables file transfer through in-meeting chat, those shared files will be stored encrypted as well.
- The meeting host can manage their recordings through the secured web interface.
- Recordings can be downloaded, shared, or deleted.
- Zoom Phone Voicemail recordings are processed and stored in Zoom’s cloud and can be managed through the secured Zoom client.
Protecting your Privacy
Zoom only stores basic information under user account profile information that includes:
- Email address
- User password - salted, hashed
- First name
- Last name
- Company name (optional to provide)
- Company phone number (optional to provide)
- Profile picture (optional to provide)
How long do we keep your personal data for?
In line with data protection principles, we only keep your data for as long as we need it for, which will be at least for the duration of you receiving our services. In most cases we will keep your data for a period after you have ceased receiving our services, in line with local law, contractual obligation and in line with the guidance from the Health and Care Professions Council.
Records and data will be kept within the Company’s secure, password protected, G Drive cloud storage systems and are regularly backed up on password protected storage drives.
At the point at which your data will be destroyed, the Company will follow steps to put your data beyond use. This means that the data controller:
- is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
- will not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible.
Your rights in relation to personal data
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
- the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
- the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request. You can read more about this in our Subject Access Request policy which is available from Laura Cook, Data Controller.
- the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
- the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
- the right to portability. You may transfer the data that we hold on you for your own purposes
- the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests.
- the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in ways that adversely affect your legal rights.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact Data Controller, Laura Cook on Laura.Cook@chilternmusictherapy.co.uk Tel: 01442 780541
Use of automated decision-making and profiling
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Linking to other websites / third party content
We do not take responsibility for or endorse any information or content on linked third party or partner Company websites.
How to contact us?
If you have questions or concerns about the Company’s privacy practices, your personal information, or if you wish to file a complaint, you can get in touch:
Chiltern Music Therapy
Office A, Irfon House,
For more information
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights and has produced guidance which can be accessed here: