Privacy policy
Grow and Thrive Ltd complies with the General Data Protection Regulation (GDPR) and is committed to protecting your personal information. This policy describes our processes for ensuring that personal information about clients and their families is processed lawfully. We detail what information we collect, what with do with this information, how the information is stored, who we may share this information with, the legal grounds for holding and processing personal information and your choices and rights relating to your personal information.
We may update this privacy policy in the future and will inform you of any important changes.
Grow and Thrive is registered with the Information Commissioners Office (ICO) as a data controller/processer.
Collecting personal information
To provide the most effective and highest standard of input, we require to hold and process sensitive personal information about the client and where necessary the client’s family.
This personal information includes:
Date of birth of client
Address of client
Contact details of parents/carers including name address phone numbers (landline/mobile)
Email address
Name of GP surgery
Name of education establishment
Relevant medical diagnosis and developmental history
Signed consent forms for sharing information stating who information can be shared with
Signed consent forms for photographs/video usage as part of therapy
Paper based therapy notes
Email correspondence
Reports/minutes/other multi-disciplinary information
Sources of personal information:
Information may be gathered from a range of sources which includes:
From client/parent/carer
From other professionals only with parental/carer (and where applicable) client consent
Information may be gathered in a range of forms including:
Verbal communication: face to face, telephone, meetings
Written: email, text, WhatsApp or facebook messenger
Please be aware that email and facebook messenger are not secure ways of sharing personal information and parents do so at their own risk. Grow and Thrive will not share personal sensitive data through facebook messenger and advise individuals to email avoiding the use of names and identifiable information i.e. using initials only.
Information sent via facebook messenger will be deleted immediately.
Holding personal information
We will use your sensitive personal data for the purposes of providing our services to you and to comply with a legal obligation.
We will use your non-sensitive personal data to (i) register you as a new client, (ii) manage payment, (iii) collect and recover monies owed to us (iv) to manage our relationship with you, (v) send you details of our goods and services.
Please note: if you like our facebook page we may use this information to deliver relevant content and advertisements to you and measure and understand the effectiveness of our advertising.
Lawful basis for processing personal information
Grow and Thrive’s legal grounds for processing your data in relation to points (i) to (iv) above for performance of a contract with you and in relation to (v) above, necessary for our legitimate interests to develop our products/services and grow our business. We also process your data on the grounds of consent when we wish to share client’s personal information with other professions for the best interests of the client. Please see appendix 1&2 in T&C’s
Sharing data with others
We will share personal information about a client within Grow and Thrive (therapists, contracted associates such as clinical psychologists) in order to share expertise and provide the most effective treatment to individuals.
We will only share personal information with other professionals out with Grow and Thrive when is in the best interests of the client. Others who may require to have this information can include:
• GP
• Education establishment
• Educational psychology
• Paid carers
• Social work department
Consent would be required for each instance of sharing information. For example, parent’s written consent is required before the therapist can attend and provide verbal feedback of input at a school meeting or before a report is shared with the GP.
We will not share your details with third parties for marketing purposes.
We may have to share your personal data with (i) service providers who provide IT and system administration support, (ii) professional advisors including lawyers, bankers, auditors and insurers (iii) HMRC and other regulatory authorities
International transfers
We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. They are only allowed to process your personal data on our instructions.
Where is data stored
Protecting your data is important to us and we have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Information is stored within paper files which are kept locked in filing cabinets at Grow and Thrive Offices Haypark Business Centre Marchmont Avenue Polmont FK2 0NZ
Electronic information is held within Microsoft 365 cloud storage and on encrypted laptops/desktop. You can read about Microsoft 365 GDPR compliance here http://info.microsoft.com/rs/157-GQE- 382/images/EN-AU-CNTNT-Whitepaper-Prepare-for-GDPR-today-with-M365%5B1%5D.pdf
We also limit access to your personal data to those employees, associates and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.
Retention of data
We will only hold your data for as long as is necessary. If you make an enquiry, do not have any face to face sessions and no further action is required we will delete your data within 3 months of your first contact.
If you commence input from Grow and Thrive which requires face to face contact (including remote contact such as Teams or Zoom) we open a case file and comply with data retention law relating to children’s records. The law states that children’s records must be kept:
Until the child is 25 (or 26 if they were 17 when treatment ends) or 8 years after their death if sooner.
If the child’s illness could be relevant to an adult condition, or have genetic implications for their family, records must be kept until the client’s death.
We may retain your data to satisfy any legal, accounting, or reporting requirements so for example we need to keep certain information about you for 6 years after you cease to be a client for tax purposes.
You have the right to ask us to delete the personal data we hold about you in certain circumstances.
Your rights
Under GDPR you have the right to obtain information about the personal data we hold/process about you and your child.
You are able to exercise certain rights in relation to your personal data that we process. These are set out in more detail at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
In relation to a Subject Access Right request, you may request that we inform you of the data we hold about you and how we process it. We will not charge a fee for responding to this request unless your request is clearly unfounded, repetitive or excessive in which case we may charge a reasonable fee or decline to respond.
We will, in most cases, reply within one month of the date of the request unless your request is complex or you have made a large number of requests in which case we will notify you of any delay and will in any event reply within 3 months.
If you wish to make a Subject Access Request, please send the request to Grow and Thrive Haypark Business Centre Marchmont Avenue Polmont FK2 0NZ or email jude@growsalt.uk marked for the attention of the Jude Philip, CEO.
Keeping your data up to date
We have a duty to keep your personal data up to date and accurate so from time to time we will contact you to ask you to confirm that your personal data is still accurate and up to date.
If there are any changes to your personal data (such as a change of address) please let us know as soon as possible by writing to or emailing Grow and Thrive Ltd Haypark Business CentreMarchmont Avenue Polmont FK2 0NZ or email jude@growsalt.uk marked for the attention of the Data Compliance Officer.
Data Breach
We have protocols in place to reduce the risk of a data breach. We have clear guidelines should there be a data breach. We must inform the regulating body (ICO) within 72 hours of any breach. We must also contact the individuals affected.
Data protection complaints
We are committed to protecting your personal data but if for some reason you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.