Privacy Policy
Bulby Psychology aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that Bulby Psychology collects when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016.
The policy describes how we manage your information when you use our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or with other online presence (such as Instagram or Twitter). In respect of cookies the policy includes information about the type of cookies that we use and how you may disable those cookies.
Bulby Psychology uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Dr Shabana Bashir is the Data Controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.
If your questions are not fully answered by this policy, please contact Dr Shabana Bashir via shabana@bulbypsychology.com. If you are not satisfied with the answers from Dr Bashir you can contact the Information Commissioner's Office (ICO) https://ico.org.uk.
1. Why do we need to collect your personal data?
We need to collect information about you so that we can:
Know who you are so that we can communicate with you in a personal way. The legal basis for this is our contract with you in the case of clients and their parents/guardians and legitimate interest in the case of referrers, commissioners and other relevant parties. In the case of enquiries regarding potential clients the legal basis is legitimate interest.
Deliver goods and services to you or the person you refer to us. The legal basis for this is the contract with you or the person/family you refer to us.
Provide you/your child with the care you have asked us to provide. The legal basis for this is the contract with you.
Process your payment via invoices for the work. We do not store information relating to bank details etc. The legal basis for this is the contract with you.
Monitor our service delivery and optimise your care. To do this, we may use audio and/or video recordings or take digital photographs. The legal basis for this is your consent.
To support us in delivering training internal and external to Bulby Psychology e.g., audio/video recordings. The legal basis for this is your consent.
Verify your identity so that we can be sure we are dealing with right person. The legal basis for this is a legitimate interest.
Optimise your experience on our website. The legal basis for this is a legitimate interest.
Send you information about changes in our service. The legal basis for this is your consent.
Offer you free information and advice. The legal basis for this is your consent.
Provide you with a useful and relevant website. The legal basis for this is legitimate interest.
2. What personal information do we collect and when do we collect it?
For us to provide you with services, we need to collect the following information:
Basic personal information and contact information including; your name, a postal address, telephone number(s) and electronic contact such as email address. We may also communicate via social media (i.e., twitter, Instagram), if you choose to do so, in which case we will need to know your social media username.
Details of your/your child’s health and life experiences. We will collect this at various stages as it is relevant to your/your child’s care. Specifically, at enquiry, assessment and therapy or if we are conducting a consultation with parents and/or professionals about a child. This may include audio and/or video recordings and/or digital photographs. We will ask your consent about audio, video and any photography and various ways you would like us to use it.
Details about how you access our website such as the IP address, the browser you use, and which pages you access.
Your payment card/bank account details for the purpose of invoicing and Bills.
We may also collect information about you from third parties; for example, if we need to gather information from another health professional (such as your/your child’s GP) to provide a complete health assessment.
On our website, we use cookies to gather information about visitors which we use only to enhance your online experience. We do not identify you or any other individuals from this information (see section below for more information on how we use cookies). Similarly, we log the IP address of any user visiting the website; again, this is not used to develop a personal profile of you, it is used to ensure our website is providing useful and relevant information to anyone who uses it.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
To communicate with you so that we can inform you about your or your child’s (or the child you have referred to us) appointments with us we use your name, your contact details such as your telephone number, email address or postal address.
To deliver the correct service to you we use your name, your contact details and clinical details.
To conduct assessments, therapy, consultation, training and research.
To produce reports about our work together.
To monitor the quality of our work via supervision.
To create your invoice using our accounting package we use commissioners’ name and email address.
To optimise our website so that users can find the information they need.
To make you aware of any service changes.
4. Where do we keep the information?
We keep your information in the stores described below.
On our company laptops: We use personal computers/laptops which are stored securely and are password protected and the hard drives are encrypted. Passwords are changed every 90 days and it is company policy that passwords are not shared. All laptop data is backup on our secure cloud.
In our accounts package: We use an online accounts package that stores the information in a data centre in New Zealand. The company that provides the accounts software has stated that they are compliant with GDPR. Our accountant has access to our accounting software which may include customer names, addresses and emails used for invoicing. Our accountant is also bound by GDPR and ICO for data protection.
Client File: A folder is created for each client we work with, which contains clients personal details and records (i.e., any notes and communications between Bulby Psychology and the client/referrer). These files are stored safely on encrypted hard drives and backed up onto our secure cloud.
Quotations/signed terms and conditions: A PDF document sent to referrers/commissioners to legally contract the work. These are prepared on our personal computers and transferred to the relevant client file and backed up on our secure cloud, if/when the work is commissioned.
Reports: We create assessment, mid and closure reports that contain all the information that we gather and our findings and conclusions. This is written on our personal computers and saved in the client file.
Safeguarding log: We keep an excel spreadsheet of all safeguarding concerns to ensure that safeguarding communication is optimal and to keep track of safeguarding referrals.
Emails: Emails including web contact forms are viewed via our personal computers. but moved to the secure client file as appropriate.
List of interested parties: We keep an Excel spreadsheet of contact details of those people who we think would like to know about service changes and receive free information and advice from us.
Video/audio recordings: Together we may decide to record sessions these are transferred from the camera SD card to the client file asap (within a maximum of 2 weeks) after the clinical session.
Digital photos: Together we may decide to take photos these are transferred from the camera SD card to the client file asap (within a maximum of 2 weeks) after the clinical session.
Transcriptions: Transcriptions of assessment sessions and research interviews can sometimes be made in order to provide the best quality work. In the event that a transcription service is used a data sharing agreement will be made.
Mobile devices: All clinical staff have mobile phones which may be used in relation to some of your clinical data. This may include the following: Voicemails, Text messages, Whatsapp, iPhone contact entry, Digital photos
Mobile data storage: SD cards and USB storage may be used. They will be transported in line with our data protection policy and encrypted to optimise data security.
Paper copies: We may use paper diaries and take hand-written notes when we meet you. These notes are used to create the reports that we provide to you and form the basis of the clinical notes that are stored in the secure client file.
5. How long do we keep the information?
We do not keep information for any longer than necessary.
Administrative data is retained for up to 6 years in line with HMRC guidance. Where it is not necessary to retain the data for 6 years, it is destroyed as soon as possible.
Personal data is retained for the duration of your work with us.
If you are over the age of 18 years old when we end our work together, we will continue to store your data using the methods outlined in this policy for 7 years from the date of our last contact with you in line with BPS Practice Guidelines (August 2017).
For clients who are 17 years old at the last contact with Bulby Psychology, data is retained until your 26th birthday.
For clients under the age of 17 years old at the last contact with Bulby Psychology, your data is retained until your 25th birthday in line with the BPS Practice Guidelines (August 2017) and the The Records Management Code of Practice for Health and Social Care (2020).
We have the right to retain your data for these periods so that we can respond effectively to any questions or complaints that may later be raised by you and/or your representatives. After these retention periods we will erase (delete) the information held about you securely.
6. Who do we send the information to?
We send your report to you and anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are encrypted and password protected.
We will get your consent to send any of your information to anyone else e.g. schools, commissioners.
7. How can I see all the information you have about me?
You can make a subject access request (SAR) by contacting Dr Shabana Bashir. We may require additional verification that you are who you say you are to process this request.
We may withhold such personal information to the extent permitted by law. In practice, this
means that we may not provide information if we consider that providing the information will violate your vital interests.
8. What if my information is incorrect or I wish to be removed from your system?
Please contact Dr Shabana Bashir. We may require additional verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format at the subject access request in section 7.
9. How can I have my information removed?
If you want to have your data removed we have to determine if we need to keep the data, for example in case it is in your child’s vital interests for it to be kept or if HMRC wish to inspect our records.
If we decide that we should delete the data, we will do so without undue delay.
10. Will we send emails and text messages to you?
As part of providing our service to you we will send your report to you via email. The report will be encrypted, and password protected. Also, as part of this service, between us we may decide that it is useful to contact each other via text message. To protect your information, we prefer to use an end-to- end encrypted messaging service (Whatsapp). If you are not able to use such a service we may use SMS (text messages); however, this does increase the risk of someone intercepting the message.
We will send emails and text messages to you about marketing and additional services that we provide only if we have your consent to do so.
If you want to opt out of receiving emails of text messages from us, you can unsubscribe at any time by letting us know your preference. When you unsubscribe (‘opt out’) from either text message or email communications, we will suppress your details on our system to ensure we have a record of your decision to not be contacted in a particular manner. We will not use your email address or mobile number again for such messages again unless you opt back in.
11. Use of Cookies
What is a Cookie?
A cookie is a small amount of data stored on a computer that contains information about the internet pages that have been viewed from that computer. They are commonplace on the internet and are used by websites to improve the user’s online experience by storing information about how the user navigated around and interacted with it. This information is then read by the website on the next occasion that the user visits.
Cookies are sent automatically by websites as they are viewed, but in order to protect a user’s privacy, a computer will only permit a website to access the cookies it has sent, and not the cookies sent by other sites. Furthermore, users can adjust the settings on their computer to restrict the number of cookies that it accepts, or notify them each time a cookie is sent. This should improve privacy and security but will generally mean that certain personalised services cannot be provided, and it may therefore prevent the user from taking full advantage of a website's features.
For further information on cookies, please visit www.aboutcookies.org.
What Cookies do we use?
We use two types of cookies: session cookies and stored cookies.
Session cookies expire at the end of the user's browser session and can also expire after the session has been inactive for a specified length of time, usually 20 minutes. Session cookies are stored in the computer's memory and are automatically deleted from the user's computer when the browser is closed.
Stored cookies are stored on the user's computer and are not deleted when the browser is closed. Stored cookies can retain user preferences for a particular website, allowing those preferences to be used in future browsing sessions.
Can I browse your website without receiving any cookies?
Yes. If you have set your computer to reject cookies, you can still browse our website However, certain functions may not be available to you unless you enable cookies.
You can usually adjust for yourself the number of cookies that your computer (or other device, such as a mobile phone) receives. How this is done, however, varies according to which device and what browser software you are using.
As a general rule, the more commonly used web browser software packages tend to have a
drop-down menu entitled ‘Tools’. One of the options on this menu is usually ‘Options’ – and if this is selected, ‘Privacy’ is usually one of the settings that may be adjusted by the user. In the case of any device other than a PC (e.g. mobile phone), you should always refer to the manufacturer’s instructions.
Alternatively, you may wish to opt-out from only the cookies used by third-party companies (acting on our behalf) to measure the traffic to our site. This has the advantage of leaving other cookies in place, thereby minimising the loss of functionality associated with blocking all cookies.
You may find the following websites useful for information on how to change cookie settings in a range of commonly used browsers: www.aboutcookies.org
Please note we only use cookies for the purpose of enhancing your online experience and no personal data is collected from you through this process.