Turning Point Privacy Notice
12 February 2021
Rightsteps is part of Turning Point and your privacy is covered by this group-wide policy
1. Introduction
Turning Point treats the privacy of our service users’ personal data seriously. This notice identifies for you some key information about data processing and sets out the type of data we collect from you, why we collect it and how we manage it. Managing data includes identifying the lawful basis for processing data, as well as how we gather, store, process, share, protect and ultimately destroy data.
Our responsibilities relating to data processing are set out by the General Data Protection Regulations (GDPR) and Data Protection Act (2018). In line with these provisions, data processing is overseen by our designated Data Protection Officer (DPO) whose principle duties are to inform, advise and monitor Turning Point’s compliance with the GDPR.
2. What is Personal and Sensitive Data?
Personal data means any information that may be used to identify you on its own or when combined with other information, will enable identification. Sensitive data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation. We may collect, use, store and transfer different kinds of personal and sensitive data about you which we have grouped together as follows:
a. Identity Data includes first name, last name, username or similar identifier, date of birth and gender and NHS number.
b. Contact Data includes your address, phone number and email address.
c. Health Data includes any information about your physical or mental health from how you use our Services.
d. Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our services available online.
e. Profile Data includes your username and password.
f. Usage Data includes information about how you use our services.
3. Why do we ask for your data?
Your personal data is required to effectively assess you for the appropriate options and treat you. In addition key data may be used to support our safeguarding / risk responsibilities and other statutory obligations. We also require your data to measure the effectiveness of the services we provide and how they can be improved. This uses aggregated statistics which do not identify you.
4. How do we obtain your data?
We use different methods to collect data from and about you, including through:
a. Direct interactions: You may give us any of the categories of data identified in section 2 by filling in forms or by corresponding with us by, phone, email or otherwise.
b. Automated technologies or interactions: As you interact with our services online, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
c. Third Parties: We may receive your personal data from third parties who are referring you to our services. This is typically performed with your explicit consent but could be because there is a legal obligation that applies to the third party.
5. What do we do with your data?
All of the data gathered is processed to effectively assess you for our services and treat you accordingly. Our lawful reasons for processing data are detailed in the table below along with the type of data. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
Purpose/Activity | Type of Data | Lawful basis for processing including basis of legitimate interest |
To register you as a new service user | (a) Identity (b) Contact | Necessary for our legitimate interest (to provide our services to you) |
To process and deliver your request for our services. | (a) Identity (b) Contact (c) Health | a) Necessary for our legitimate interests (to provide our services to you) b) The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality |
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy | (a) Identity (b) Contact (c) Profile | a) Necessary to comply with a legal obligation b) Necessary for our legitimate interests (to keep our records updated and to study how service users use our services) |
To refer you to external organisations for additional services relevant to achieve your care goals | (a) Identity (b) Contact (c) Health | a) You have given clear consent b) The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality |
To include your attributable information in data returns to organisation like NHS and Department of Health to aid in the production of statistics for performance management and service improvement purposes | (a) Identity (b) Health | a) You have given clear consent b) Necessary to comply with a legal obligation |
To comply with Information Sharing Agreements where the service is a member which can be for the purpose of Adult and Children Safeguarding, Anti-social behaviour, Criminal Justice orders, etc. | (a) Identity (b) Contact (c) Usage | a) You have given clear consent b) Necessary in order to protect the vital interests |
To administer and protect our business and online services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) b) Necessary to comply with a legal obligation |
To use data analytics to improve our services, relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of service users for our services, to keep our services updated and relevant, to develop our business) |
We also collect, use and share aggregated data such as statistical or demographic data for performance monitoring purposes. This is not considered personal data in law as this data does not directly or indirectly reveal your identity.
We will not use the personal data you give us or which we collect from you, for marketing purposes without your consent. We will only use your contact details to correspond with you about your treatment and appointment. Where you are using any of our online services we will only use your email address to send automated messages to you regarding the sessions you are working through and your account settings.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
6. Sharing your data
Data is shared within the organisation as part of our lawful basis to process and is only shared relevant to the processing requirement. We will not share data with third parties unless there is a lawful / regulatory / legal / contractual requirement or where you have given clear consent. We will aspire to share the minimum amount of data necessary for the purpose and restrict the use of data that directly or indirectly reveals your identify. This can include anonymising your data or producing aggregated statistics or demographic information.
Examples of where we share such information in line with the above include:
a. CQC obligations
b. Contractual reporting
c. Health and Social Care Datasets
d. A referral made on your behalf with your clear consent
e. A referral made for medical purposes including to protect your vital interests.
We do not transfer any of your personal data outside of the European Economic Area.
Examples of third parties include but are not restricted to Care Quality Commission (CQC), Local Authorities, Clinical Commissioning Groups (CCGs), Public Health England (PHE), NHS Digital, Housing Associations, Hospital units, etc.
7. Retaining your data
The length of time we will retain your information depends on who you are and the type of information. In general we will retain the information you provide for the purposes set out in this notice for a period 8 years after the last contact with you. The circumstance where this may be different includes if you are under the age of 18 when you start receiving services from us or if you are subject to the Mental Health Act. For a full description of how long we retain data for please request our Data Retention policy.
Privacy Notice - Data Subject Rights
The following information is intended to help you understand you rights in relation to personal and sensitive data as provided by either the Data Protection Act (2018) or the General Data Protection Regulation 2016.
The right to be informed: This relates to what information we are required to provide you about data processing. This Privacy Notice and the wider Turning Point Privacy represents the way in which we inform you of this information.
Right of access: You (i.e. the data subject) have the right to access particular personal and sensitive information that we hold about you. This is known as a Subject Access Request. We shall respond promptly (usually within one month from the point of receiving the request and all necessary information from you). This provision is usually free of charge. However we retain the right to charge a reasonable fee when we believe a request is unfounded, excessive or repetitive. Further information is contained in our found in our Information Governance Policy (Personal Information Procedure).
Right to rectification: You have the right to obtain from us, without undue delay, the rectification of inaccurate or incomplete personal data that we hold concerning you.
Right to erasure: You have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. We have the right to refuse to comply with a request for erasure and if this applies we will tell you the reason why.
Right to restrict processing: Subject to exemptions, you shall have the right to restrict processing where:
· You contest the accuracy of the information we hold and it is restricted until the accuracy is verified,
· You have objected to processing (where it is necessary for the performance of a public interest task / legitimate interest) and we are considering whether our grounds override your rights
· Processing is unlawful and you oppose erasure, requesting restriction instead,
· We no longer need the data, but you require the data to establish, exercise or defend a legal claim.
Right to Data Portability: This applies when processing is carried out in an automated way. You shall have the right to receive the personal data you have provided to us in a structured, commonly used and machine readable format. Where technically feasible, this right extends to us transmitting the data to another organisation at your request. For data portability to apply, the processing of your data must relate to information that is either i) based on your consent or ii) processed for the performance of a contract.
Right to Object: You have the right to object to processing on grounds relating to your personal circumstances. This provision applies to the processing that is undertaken for legitimate interests / the performance of a task in the public interests (includes personal profiling) and processing for purposes of scientific / historical research and statistics. In such cases we will stop processing unless we can demonstrate i) compelling legitimate grounds which override your interests, rights and freedoms ii) the processing is for the establishment , exercise or defense of legal claims. This right extends to processing for the purposes of direct marketing (including profiling) which must be stopped outright.
Right not to be subject to decisions based solely on automated processing: We do not carry out any automated processing which may lead to automated decision making based on your personal data.
Information accuracy: We take all reasonable steps to ensure the accuracy of the personal/ sensitive data that we hold and provide.
Invoking your rights: If you would like to invoke any of these rights, please write to our
Data Protection Officer, Turning Point, The Exchange, 3 New York Street, Manchester, M1 4HN Email [email protected]