Privacy policy

Neurolink Psychology Ltd is committed to providing the highest quality care. This includes the protection and security of the personal and often sensitive information patients share with us. This updated policy reflects new responsibilities under the General Data Protection Regulation (GDPR) which came into effect on 25th May 2018 alongside the updated Data Protection Act 2018.

Neurolink Psychology Ltd operates as the Data Controller. This means we determine why and  how data is processed. Neurolink Psychology is registered with the Information Commissioners Office (ICO Registration Number: Z1825774). If you have any further questions after reading this document, please contact:

Dr Sonja Soeterik
Clinical Director
Neurolink Psychology Ltd
email: DataController@neurolinkpsych.co.uk or telephone: 02074671509.
Address: Neurolink Psychology, 10 Harley St, London, W1G 9PF

If you are not satisfied with the answers from the Neurolink Psychology you can contact the Information Commissioner’s Office (ICO) at www.ico.org.uk.

Why does Neurolink Psychology need to collect personal data?

We collect sensitive and personal data to assess patient’s needs, provide psychological interventions and to communicate with patients, referrers, relevant health and social care providers and their legal teams.

The lawful basis for collecting and processing patient data is to fulfil the performance of the contract for which the patient or a third party representing the patient have entered into, or in order to take steps at the request of a patient or a third party representing the patient to
enter into such a contract. Information relating to health is defined as ‘special category data’ under the GDPR. It is necessary for Neurolink Psychology Ltd to process special category data for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the
employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

What personal data does Neurolink Psychology collect?

We collect contact information including name, date of birth, gender, address and contact details of the patient, next of kin and associated healthcare and legal teams; and special category data such as relevant medical and psychological health information. 

This information may be collected directly from the patient, a family member/carer acting on the patient’s behalf, from the agency referring to us on the patient’s behalf (including case managers, solicitors, treatment funders and health professionals) and from health and social care providers working with a patient. Where voluntary work, employment or educational goals are part of the rehabilitation plan, we may collect information from relevant parties with patient’s consent. In the context of a legal case, we may receive information from the courts, the police, the Crown, the patient’s legal team, insurance companies and medical providers. In this case, the release of information to Neurolink Psychology is made on the patient’s behalf by parties the patient has authorised.

Neurolink Psychology may collect financial information with regard to payment of our services including bank account details.

How does Neurolink Psychology use personal data?

We use the information we collect to:

• Provide psychological assessment, recommendations and interventions
• Provide consultation and training to health and social care professionals working with the patient and where relevant, to employers, voluntary sector organisations and education professionals
• Communicate with patients, referrers and relevant healthcare and legal teams
• Provide assessment, progress and discharge reports
• Keep healthcare records as required by our professional bodies (BPS and HCPC)
• Maintain a record of face to face contacts to support NHS Test and Trace in relation to
• the COVID-19 pandemic.

We may use patient information in our accounting system to bill for services (where applicable). Once our financial relationship is concluded we will continue to hold that information until no longer required by HMRC or any other party with a legitimate interest.

Who might Neurolink Psychology share your information with?

Patients are entitled to expect information they give to psychologists about themselves will remain confidential. We are committed to upholding our professional standards and legal obligations as outlined in British Psychological Society (BPS) Code of Ethics and Conduct (2018), BPS Practice Guidelines Third Edition (2017), HCPC Standards of Performance and Ethics (2016), UK Data Protection Act (2018) and GDPR.

• Information will only be shared where there is a clear identified purpose and will be restricted only to information which is necessary to meet the identified purpose.
• We may share data with a patient’s health and social care team (including case manager). In order to meet psychological assessment and treatment aims and/or recommendations
• Where patients are progressing a legal claim, Clinical Records may be requested by the patient to be sent directly to their legal team (with patient’s consent or a determination will be made as to whether this is in a patient’s best interests where the patient lacks capacity to consent under the Mental Capacity Act (2005) or because of a court order to release records). Neurolink Psychology is not be able to control the access or confidentiality of these records once released securely.
• Where there is judged to be at risk of immediate, significant harm or where there are sufficient safeguarding or vulnerability concerns, we may need to share information without a patient’s consent to healthcare services, social services or emergency services. This is a legal obligation and professional duty placed on all healthcare professionals and will be explained to patients at the first meeting with a member of the Neurolink Psychology Ltd team.
• We may be required by law to disclose information by a Court or Tribunal. We will take reasonable efforts to communicate with patients prior to doing so unless we are legally restricted from doing so.
   

Patients’ information will never be disclosed to anyone who is not involved in a patient’s care or legal team (if applicable) unless there is a court order to do so, a valid subject access request has been received (i.e. the patient’s consent) or a determination of a best interests decision where a patient lacks capacity to consent under the Mental Capacity Act (2005).

At present, Neurolink Psychology Ltd maintains a separate record of all face to face contacts to assist NHS Test and Trace. This record contains only the name and telephone number/email of a patient and the date contact with a clinician took place. The reason for the contact with
the clinician is not registered on this record. Information regarding a face to face contact is stored on this record for 21 days. 

Patient details will never be used for marketing processes. Personal data used for audit or research purposes will be anonymised or pseudonymised to prevent patients from being identified.

How does Neurolink Psychology keep personal data secure?

We are committed to protecting the sensitive and personal information that we collect. We have appropriate technical and organisational, physical, electronic, and procedural safeguards to protect the personal information that patients provide to us against unauthorised or 
unlawful processing and against accidental loss, damage or destruction. 

We ensure cloud storage providers are based in the European Economic Area (EEA) or are covered by an European Union Commission adequacy decision. We use a cloud storage provider that has achieved the following International Organization for Standardisation (ISO)
certifications which are internationally recognised standards for information security and data governance:

ISO 27001 (Information Security Management)
ISO 27017 (Cloud Security)
ISO 27018 (Cloud Privacy and Data Protection)
ISO 22301 (Business Continuity Management)
ISO 27701 (Privacy Information Management)

Email applications use private (SSL) settings, which encrypts email traffic so that it cannot be read at any point between our computing devices and our mail server. 

How long does Neurolink Psychology retain records for?

Neurolink Psychology Ltd record retentions schedules are in line with NHS record management retention periods and British Psychological Society Practice Guidance (2017). Basic adult healthcare records are retained for a minimum period of 8 years aft er discharge. Where a patient has a long-term illness or an illness that may re-occur, records are retained for a minimum of 20 years following discharge for the purpose of continuity of clinical care or 8 years after a patient has died. Where expert witness services are provided, records will be retained for 10 years. Following the retention period, records are reviewed and if no longer needed are destroyed confidentially. HMRC dictates the period of records that must be kept
in relation to accounting and financial functions.

Data Protection Rights

Individuals have rights over the data we hold about them. Under data protection law individuals have the following rights:

1. The right to be informed.
Individuals have a right to know what information we hold, how we use it and why. This privacy notice together with associated policies provides transparency regarding our processing of personal information.

2. The right of access.
Individuals are able to obtain a copy of Neurolink Psychology Ltd’s Subject Access Request policy that outlines our process for responding to a request for data access by contacting the Data Protection Controller. We may withhold personal information to the extent permitted by law.

3. The right to rectification.
Rectification means correcting inaccurate or incomplete data. This applies to factual data. Where the data concerned is a professional opinion, Neurolink Psychology Ltd will take all reasonable steps to review the information. Where the Clinical Psychologist continues to
consider their opinion to be an accurate reflection of circumstances based on their professional knowledge and training, the opinion will not be revised but a note will be made on the record that the opinion is disputed.

4. The right to erasure.
Neurolink Psychology Ltd is required to maintain special category data (health) records by our professional bodies (BPS and HCPC) and we work in accordance with statutory guidance in NHS Records Management Code of practice (2020) https://www.nhsx.nhs.uk/media/documents/NHSX_Records_Management_Code_of_Practic
e_2020_3.pdf The right to erasure of information we hold only applies if the processing is based on consent which has been withdrawn, for example, if we ask for consent to use data for research purposes.

5. The right to restrict processing.
This means that if a patient has disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a
legal claim, patients can have the data stored by Neurolink Psychology Ltd but not allow other uses until the dispute is settled.

6. The right to data portability.
This allows patients to obtain and reuse their personal data for their own purposes across different services. This applies to data that the patient has provided to Neurolink Psychology Ltd and data processed by automated means (i.e. not paper files). We
may withhold personal information to the extent that we are permitted by law. Please be aware that once data has been transferred securely, Neurology Psychology Ltd has no control or responsibility regarding the security of data in the new location.

7. The right to object.
Patients do not have the general right to object to Neurolink Psychology
Ltd processing personal data due to the lawful basis of processing. However, where processing is based on consent only, for example, where we have asked for consent to use data for research purposes and consent can be withdrawn. 

8. Rights in relation to automated decision making.
Neurolink Psychology Ltd does not conduct any solely automated decision-making.

For further information; to exercise your rights above; or to make a complaint please contact 
Dr Sonja Soeterik, Clinical Director Neurolink Psychology:
DataController@neurolinkpsych.co.uk

You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
This privacy policy is reviewed periodically. Last review date: March 2022