26th April 2022
TherapyRecord.Online is a trading name of Desuto Ltd.
The type of personal information we collect
As a Data Controller, we currently collect and process personal data about our customers and potential customers. This includes:
Type: Potential Customer Data
- Contact information to include telephone number, email address and work base
- Contact information to include telephone number, email address and work base
- Account registration information
- Bank Details for invoicing
- Usage of Services via cookies and other tracking technologies
- To market Desuto products and services to potential customers
- To provide service according to contract and agreements with our customers
- To provide, operate, maintain and improve Desuto Ltd services
As a Data Processor for our customers, Desuto does not directly collect personal data from customer data subjects. Data is collected and entered into our system for processing by our customers, their employees and contractors.
Personal data processed by Desuto on behalf of customers may include some of the following types of information:
Type: Customer employee/contractor data
- Account registration information
- Contact information (email address)
- Contacts information (contact list)
- Usage of services via cookies and other tracking technologies
- The customer may use some of this information for the purpose of line management supervision and/or to manage the employee’s/contractor’s workload
- The employee uses the data for work planning, caseload management, scheduling and managing contacts.
Type: Customer’s clients’ personal data
- Personal Contact information
- GP Contact Information
- Assessment Information
- Clinical Contact information including clinical notes, risk assessment, dates of appointments and data collected at sessions.
- Discharge information
- This information is highly protected and only accessible by those with involvement in the service user’s treatment pathway.
Customers may, on a need-to-know basis, access these details to:
- Manage/reschedule or cancel bookings with their clients
- Contact their client
- Manage client requests
- Improve their client’s experience
- Use anonymised data for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our services and access to our services.
Type: Customer data subjects’ health and care (Therapeutic) data
When clients choose to participate in receiving a service from our customers, our customers will keep a progress record.
Counselling and therapeutic work is a highly collaborative endeavour and clients are encouraged to participate in agreeing what information from the session is pertinent for the record. It is likely to include some of the following:
- The information shared by the client (previous experience, feelings, tendencies, counselling and psychological wellbeing history etc.)
- Any activity practised under guidance
- Session progress
- Plans agreed in the session
- Any relevant medical information
- Overall progress using a range of outcome measures
Desuto customers may use or process this data for the following purposes:
- To manage the performance and progress of the session.
- To build an accurate picture and understanding, so that the service can be tailored to meet the client’s needs and contribute to maintaining safety.
- To collaboratively monitor the client’s progress over time
- To provide a contracted service to the client against identified performance criteria
- To fulfil a legal obligation to the client in the exercising of their rights under GDPR such as a subject access request
How we get the personal information and why we have it.
As a data controller, Desuto directly collects and processes personal data provided by our customers and potential customers for marketing purposes, for customer operations and servicing of our contract with our customers.
To find and reach potential customers and market our products to them, Desuto relies on ‘Legitimate Interest’ as the lawful basis for collecting and using potential customer contact details. Once contact has been made, we rely on explicit consent to retain and use potential customer data.
If we enter into a contract with a customer, servicing this contract becomes the lawful basis for the collection and use of customer data.
As a data processor, Desuto processes personal data to service and maintain contractual obligations to customers.
Our customers include individuals and organisations that provide psychotherapy treatment and counselling. Personal data, including special category personal data, is collected and used by these services to support the delivery of their services to patients and clients.
Patients and clients (customer data subjects) are given detailed information about how their data is to be used.
Consent to process personal data is actively sought and recorded by our customers.
Patients and clients wishing to remove consent can do so by contacting their service provider (data controller).
Our customers ensure that their data subjects sign and receive a copy of the Data Processing Consent form.
A copy of this form must be uploaded to the client information system for processing to continue.
As data controllers, our customers’ primary lawful basis for collecting, storing and sharing personal data is specified in GDPR Article 6 (1a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. Customers also rely on Article 6(1b,1c,1d,1e,3).
Customers are exempt from the prohibition on processing special category data, GDPR Article 9(1), as they meet exemptions specified in Article 9 (2a,2h,2i,2j,3).
In addition to meeting these two requirements, customers ensure that data processing is compliant with the principles in GDPR Article 5 including data minimisation, fairness, transparency, purpose limitation, accuracy, storage limitation, integrity and confidentiality.
Patients and clients (data subjects) of our customers have the right to remove their consent.
Desuto does not use or share the personal data that it stores on behalf of its customers.
How we store your personal information
All personal data is encrypted and stored securely on UK based cloud servers meeting SOC 2 Type II and Type III and to the standard of ISO 27001 certification.
As data controllers, we keep details of customers and potential customers for as long as they are using our service or have registered an interest in doing so. Personal information stored for this purpose includes names of key contacts and their contact details including an email address.
As Data Processors, the personal information processed on behalf of our customers includes special category personal data collected with the data subject’s consent to support the delivery of psychotherapy treatment and counselling to the data subject.
The customer is responsible for adhering to data retention timescales outlined in the consent form and agreed with the data subject. The time period will vary according to the data retention policies of the customer, their commissioning body or the consent of the data subject. However, data is only stored for as long as the contractual legal basis is in place.
Desuto will dispose of personal data at the request of the customer (data controller). This will be in accordance with the agreed timescale or earlier in response to a written request. Data will be deleted from servers unless further retention is required by law. Archived data held on backup systems will be securely isolated and protected from further processing unless required by law.
The rights of data subjects
Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request copies of your personal data from Our Company. We may charge you a small fee for this service if the request is complex.
The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete information you believe is incomplete.
The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you unless the request is complex. If you would like to exercise any of these rights, please contact us at our email:
Email us at: [email protected]
Or write to us: Desuto, HWIC, Treliske, Truro, TR1 3FF
If your personal data is held by a service provider, please contact them for the request, and we will support any legal request made by one of our data controllers.
What are cookies?
When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, a computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.
These pieces of information are used to improve services for you through, for example:
- enabling a service to recognise your device so you don’t have to give the same information several times during one task
- recognising that you may already have given a username and password so you don’t need to do it for every web page requested
- measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.
You can manage these small files yourself and learn more about them through Internet browser cookies – what they are and how to manage them
All cookies in use on this website are first party. No third party cookies are used.
Although your browser may be set up to allow the creation of cookies, you can specify that you be prompted before a site puts a cookie on your hard disk, so that you can decide whether to allow it. Alternatively, you can set your computer not to accept any cookies. If you disable cookies, you may not have access to some features that make your site experience more efficient and some of our services may not function properly.
How to manage cookies
You can set your browser not to accept cookies, and the website, https://www.allaboutcookies.org/, tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Privacy policies of other websites
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at:
Truro, TR1 3FF
You can also complain to the ICO if you are unhappy with how we have used your data or responded to your requests.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
This Policy has been approved and authorised by:
Date: 11th May 2022
Due for Review by: 11th May 2023