

Data protection, confidentiality and information handling policy
Introduction
This policy outlines how The Mental Health Practice complies with the General Data Protection Regulation (GDPR) to protect the personal data of our clients, ensuring transparency, accountability, and respect for their rights.
What is Personal Data?
Personal data refers to any information that identifies an individual directly or indirectly, including but not limited to:
- Name, address, and contact details
- Identification numbers (e.g., national insurance numbers, passport details)
- Financial data
- Case-related information
How We Use Your Personal Data
The Practice collects and processes personal data to:
- Provide legal advice and services
- Fulfil contractual and regulatory obligations
- Communicate with clients and third parties involved in cases
- Maintain records for legal and compliance purposes
We will only use your data for purposes that are lawful, necessary, and proportionate.
Lawful Basis for Processing
The Practice processes personal data based on the following lawful grounds:
- Consent: Where explicit permission is provided.
- Contract: To fulfil our obligations under a contract with you.
- Legal Obligation: To comply with statutory requirements.
- Legitimate Interests: For business operations, provided this does not override your rights and freedoms.
Your Rights as a Data Subject under GDPR
You have the following rights regarding your personal data:
Right to Access
You can request a copy of your personal data held by the Practice.
Right to Rectification
You can request corrections to any inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data, subject to legal and contractual obligations.
Right to Restrict Processing
You can request limited use of your data in specific circumstances.
Right to Data Portability
You can request that your data be transferred to you or another organization in a structured, machine-readable format.
Right to Object
You can object to the processing of your data for specific purposes, including marketing.
Rights Related to Automated Decision-Making
You can request human intervention where decisions about you are made solely by automated processes.
Data Retention
The Practice retains personal data only as long as necessary for the purposes for which it was collected and to meet legal or regulatory requirements.
Data Sharing
We may share personal data with:
- Courts, government bodies, and regulatory authorities
- Opposing legal parties and their representatives
- Quality assurance assessors
- Service providers (e.g., IT support, document storage)
We ensure all third-party processors comply with GDPR.
Data Security
The Practice implements appropriate technical and organizational measures to protect personal data, including:
- Encryption and secure file storage
- Regular data protection training for staff
- Access controls and audit logs
Third party data security
Legal and operational obligation
Where it is necessary to share information with third parties, we are entitled to assume that any third party with which we have a legal or operational obligation to share information will be compliant with GDPR, for example the Mental Health Tribunal, the LAA and SQM assessors. No further action is required when sharing this information.
Other cases
Where information is shared with a third party and there is no existing legal or operational obligation to do so, the other party will be required to provide written confirmation that they will treat any information provided as confidential and in accordance with GDPR before sensitive information is shared.
Complaints and Queries
If you have concerns about how your data is handled, please contact:
Tammy Groves
Data Protection Officer
The Mental Health Practice
Oxford Point, 19 Oxford Road, Bournemouth BH8 8GS
07961 053639
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk/