When you use our website or services we may collect personal information about you. We have written this statement to tell you:

our legal basis for processing information about you
what information we collect about you
how we collect that information
what we use your information for
what choices you have about what we can do with your information
how to access and update your information

We are Roots Psychotherapy Services Ltd and our registered office and address for correspondence is:

Roots Psychotherapy Services Ltd
85 Great Porltand Street, First Floor
London
W1W 7LT

Legal basis for processing
The General Data Protection Regulation (“GDPR”) requires that your personal data be kept private unless we are legally obliged or required to disclose it to authorised parties. In such cases we will make such disclosures.

We can lawfully process personal information about you because we have a contract with you to make available our service. Your personal information is required to enable us to meet our obligations under the contract. Where you have given us explicit consent to do so we will process ‘sensitive personal information’ (see below) relating to your health and medical records, in line with this Privacy Statement.

Information we collect about you
How we collect personal information
We collect personal information from you and from third parties (anyone acting on your behalf, for example healthcare providers).

We collect personal information from you through your contact with us, including by phone (we may record or monitor phone calls to make sure we are keeping to legal rules, codes of practice and internal policies, and for quality assurance purposes), by email, through our website, through our app, by post, by filling in application or other forms, through social media or face-to-face (for example, in consultations).

We also collect information from other people and organisations.

For all our service users, we may collect information from:

a family member, or someone else acting on your behalf; your parent or guardian, if you are under 18 years old; doctors, other clinicians and health-care professionals, hospitals, clinics and other health-care providers; any service providers who work with us in relation to your product or service, if we don’t provide it to you direct, such as providing you with apps, medical treatment, or health assessments; fraud-detection and credit-reference agencies; and sources which are available to the public, such as the edited electoral register or social media.

Categories of personal information
We process two categories of personal information about you and (where applicable) your dependants:

standard personal information (for example, information we use to contact you or identify you); and special categories of information (for example, health information, information about your race, ethnic origin and religion that allows us to tailor your care, and information about crime in connection with checks against fraud or anti-money-laundering registers).
For more information about these categories of information, see below.

Standard personal information includes:

contact information, such as your name, username, address, email address and phone numbers; the country you live in, your age, your date of birth and national identifiers (such as your National Insurance number or passport number);
information about your employment; details of any contact we have had with you, such as any complaints or incidents; financial details, such as details about your payments and your bank details; the results of any credit or any anti-fraud checks we have made on you; and information about how you use our website, app or other technology, including IP addresses or other device information (please see our Cookies Statement for more details).
Special category information includes:

information about your physical or mental health, including genetic information or biometric information (we may get this information from application forms you have filled in, from notes and reports about your health and any treatment and care you have received or need, or it may be recorded in details of contact we have had with you such as information about complaints or incidents, and referrals from your insurance provider, quotes and records of medical services you have received); information about your race, ethnic origin and religion (we may get this information from your medical or care-home preferences to allow us to provide care that is tailored to your needs); and information about any criminal convictions and offences (we may get this information when carrying out anti-fraud or anti-money-laundering checks, or other background screening activity.

What we use your personal information for?
We process your personal information for the purposes set out in this Privacy Statement. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing). We normally process standard personal information if this is necessary to provide the services set out in a contract, it is in our or a third party’s legitimate interests or it is required or allowed by any law that applies. Please see below for more information about this and the reasons why we may need to process special category information.

By law, we must have a lawful reason for processing your personal information. We process standard personal information about you if this is:

necessary to provide the services set out in a contract − if we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you and your dependants with our products and services);
in our or a third party’s legitimate interests − details of those legitimate interests are set out in more detail below; required or allowed by law.

We process special category information about you because:

it is necessary for the purposes of preventive or occupational medicine, to assess whether you are able to work, medical diagnosis, to provide health care or treatment, or to manage health-care systems (including to monitor whether we are meeting expectations relating to our clinical and non-clinical performance);
it is necessary for an insurance purpose (for example, advising on, arranging, providing or managing an insurance contract, dealing with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or law); it is necessary to establish, make or defend legal claims (for example, claims against us for insurance);
it is necessary for the purposes of preventing or detecting an unlawful act in circumstances where we must carry out checks without your permission so as not to affect the outcome of those checks (for example, anti-fraud and anti-money-laundering checks or to check other unlawful behaviour, or carry out investigations with other insurers and third parties for the purpose of detecting fraud); it is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response to a safeguarding concern, a member’s complaint or a regulator (such as the Care Quality Commission, the General Medical Council or any similar body) telling us about an issue); it is in the public interest, in line with any laws that apply; it is information that you have made public; or
we have your permission. As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for, and ask you to confirm your choice to give us that permission. If we cannot provide a service without your permission (for example, we can’t manage and run a health service without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a service that relies on having your permission.
We have set out in the table below the conditions within the GDPR we are relying on when we use your data:

Purpose Article 6 condition Article 9 condition
All Patients
Cooperate with regulators, e.g. the Care Quality Commission Article 6(1)(e) – public task
Article 6(1)(c) – compliance with a legal obligation
Article 9(2)(g) – substantial public interest
Compliance with legal obligations, e.g a court order requiring us to release information Article 6(1)(c) – compliance with a legal obligation Article 9(2)(f) – establishment, exercise or defence of legal claims
Article 9(2)(g) – substantial public interest
Dealing with disputes, for example if you make a legal claim against one of our counselors Article 6(1)(f) – legitimate interests (we have a legitimate interest in being able to deal with disputes and legal claims) Article 9(2)(f) – establishment, exercise or defence of legal claims
Dealing with any risk to public health Article 6(1)(e) – public task
Article 6(1)(c) – compliance with a legal obligation
Article 9(2)(h) – healthcare and social care purposes
Article 9(2)(i) – public health
NHS Patients
Providing you with our services Article 6(1)(e) – public task Article 9(2)(h) – healthcare and social care purposes
Helping to maintain the quality of and improve our services Article 6(1)(e) – public task
Article c(1)(f) – legitimate interests (we have a legitimate interest in maintaining and improving the quality of our services)
Article 9(2)(h) – healthcare and social care purposes
Providing information back to your NHS GP surgery Article 6(1)(e) – public task Article 9(2)(h) – healthcare and social care purposes
Helping other organisations delivering NHS or social care to provide you with services. Article 6(1)(e) – public task Article 9(2)(h) – healthcare and social care purposes
Letting you know more about our services and offers Article 6(1)(a) – consent Article 9(2)(a) – consent
Letting you know more about the products and services of third parties that may be relevant to you Article 6(1)(a) – consent Article 9(2)(a) – consent
Non NHS Patients
Providing you with our services Article 6(1)(b) – performance of a contract Article 9(2)(h) – healthcare and social care purposes
Helping maintain the quality of and improve our services Article 6(1)(f) – legitimate interests (we have a legitimate interest in maintaining and improving the quality of our services) Article 9(2)(h) – healthcare and social care purposes
Carrying out credit checks using our own or third party providers Article 6(1)(b) – performance of a contract No special data used
Obtaining payment from you for our services Article 6(1)(b) – performance of a contract No special data used
Letting you know more about our services and offers Article 6(1)(a) – consent Article 9(2)(a) – consent
Letting you know more about the products and services of third parties that may be relevant to you Article 6(1)(a) – consent Article 9(2)(a) – consent
Who we share information with
To provide you with services we need to share your personal information with our counseling team. Our counseling team works with Roots Psychotherapy Services Ltd as self-employed contractors.

We also need to share information with partner organisations that help administer Roots Psychotherapy Services. We have vetted these organisations to ensure that they will deal with your personal information responsibly and will not use your personal information for their own purposes. For example: IT suppliers, including suppliers of data storage services, contractors who provide our telephone services and suppliers of web hosting services.

We may need to share information with regulators: Care Quality Commission, General Medical Council, NHS Digital, the Information Commissioner’s Office, the Health Service Ombudsman, and any similar body.

With your agreement, information can be shared with relatives, partners or friends who act as a carer for you. We will only share information once the person you have asked us to share the information with has provided us with proof of their identity. We may share information with anyone you have given as an emergency contact, for example your next of kin. You can find out more by contacting us.

There are some other rare occasions where we may share your data with other organisations.

We may share information with the police, fire and rescue services if there is an immediate risk of harm to you or other people, or there is a legal requirement to do so e.g. the police have obtained a court order requiring us to provide information
We may share information with our professional advisors, including lawyers and accountants, if this is necessary to take and receive professional advice (including legal advice), or to bring or defend a legal claim or threatened claim.
We may share information with our insurers and the insurers of other organisations where this is necessary to investigate insurance cover and to handle a claim or threatened claim.
We may share information with individuals or organisations if we are legally required to, for example if this is specified in a warrant or court order.
Where we, or substantially all of our assets, are merged or acquired by a third party, in which case this information may form part of the transferred or merged assets.
The other organisations that we share information with depend on whether you are paying for Roots Psychotherapy Services or not.

If you do not pay for Roots Psychotherapy Services, then we may share your personal information with other organisations that help provide counselling services.

Our marketing
We may provide you with information about products, services, offers, and other news where we feel these may interest you.

Depending on what contact information you have given to us, we may contact you by email, post, or phone. We will only do this where you have consented to receiving such information from us.

Google Calendar
if you choose to integrate your Google Calendar with your account, you will be asked to give us a permission to access your calendar events, and add events to your calendar. We will also have permission to see, edit, and remove events on your chosen calendar.

THIRD PARTY PRIVACY POLICIES

Our site may contain links to websites owned by other organisations. If you follow a link to another website, these websites will have their own privacy policy. We suggest that you check the policies of any other websites before giving them your personal information as we cannot accept responsibility for any other website.

For how long do we store your personal data?

Your medical information

If you do not pay for our services, clinical information will be stored on your GP practice’s patient record system as well as our system (see below). For information about how long that information is stored, please refer to your GP practice’s privacy notice.

If you pay for our services, clinical information will be stored on our systems. This information will be deleted in accordance with the Records Management Code of Practice for Health and Social Care.

We are committed to ensuring that our suppliers have appropriate technical, administrative and physical procedures in place to ensure that your information is protected against loss or misuse. All information you provide to us is stored on our secure servers or on secure servers operated by a third party.

Emails
If you choose to send us information via email, we cannot guarantee the security of this information until it is delivered to us.

Your rights
You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer of information you have provided, to withdraw permission you have given us to use your information and to ask us not to use automated decision-making which will affect you. For more information, see below.

You have the following rights (certain exceptions apply):

Right of access: the right to make a written or verbal request for details of your personal information and a copy of that personal information. You can read more about this right here (https://ico.org.uk/your-data-matters/your-right-of-access).
Right to rectification: the right to have inaccurate information about you corrected or removed. You also have the right to ask us to complete information you think is incomplete. You can read more about this right here (https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected).
Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased. You can read more about this right here (https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted )
Right to restriction of processing: the right to request that your personal information is only used for restricted purposes. You can read more about this right here (https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data/ )
Right to object: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interests. You can object to our use of your information for profiling purposes where it is in relation to direct marketing. You can read more about this right here https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/
Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats. You can read more about this right here https://ico.org.uk/your-data-matters/your-right-to-data-portability/
Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information prior to the withdrawal of your consent and we will let you know if we will no longer be able to provide you your chosen product or service.
Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have.
Please note: Other than your right to object to the use of your data for direct marketing (and profiling to the extent used for the purposes of direct marketing), your rights are not absolute: they do not always apply in all cases and we will let you know in our correspondence with you how we will be able to comply with your request.

If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. If we do not meet your request, we will explain why.