Privacy Policy

Introduction

Isorropia Foundation is the Island’s mental health wellbeing service, we are responsible for delivering wellbeing programmes and support to the population of the Isle of Wight

As part of the services we offer, we are required to process personal data about our staff, our service users and, in some instances, the friends or relatives of our service users and staff. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

If you have any concerns or questions please contact us:
Isorropia Foundation CIC
7 High Street
Newport
Isle of Wight
PO30 1SS

For more information, please refer to the website: https://isorropia.uk/

Isorropia Foundation aims to provide you with the highest quality of wellbeing support. To do this we must keep records about you, your mental health and wellbeing and the support we have provided, or plan to provide to you.

Records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection legislation.

All our staff are trained to handle your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold on to any other third parties.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2021.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process data in accordance with Data Protection Legislation.  This includes the General Data Protection Regulation (UK) 2021 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national legislation implementing them as amended from time to time.

The legislation requires us to process personal and special category data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

In addition, consideration will also be given to all applicable legislation concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.

Service Users

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:

    • Your basic details and contact information e.g. your name, address, email, date of birth and next of kin;

We also record the following data which is classified as “special category”:

    • Health and social care data about you, which might include both your physical and mental health data.
    • We may also record data about your race, ethnic origin, sexual orientation or religion..

Why do we have this data?

We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

    • We have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.

We process your special category data because

    • To produce a record of all health and wellbeing decisions made about you and the care provided to you (which may involve wellbeing, support and administrative staff).
    • To respond to your queries, compliments or concerns.
    • For assessment and evaluation of safeguarding concerns.

Personal and Special Category data could also be used in the following cases:

    • We need to respond to patients, carers or Member of Parliament communications.
    • You have freely given your informed agreement (consent) for us to use your information for a specific purpose.
    • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
    • There is a legal requirement that will allow us to use or provide information (e.g. a Court order).
    • To help teach and train new members of staff.

We may also process your data for other reasons with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Where do we process your data?

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

    1. You or your legal representative(s);
    2. Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

Third parties are organisations we might lawfully share your data with. These include:

    • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals;
    • The Local Authority;
    • Your family or friends – with your permission;
    • Organisations we have a legal obligation to share information with i.e. for safeguarding;
    • The police or other law enforcement agencies if we have to by law or court order.

What do we use non-identifiable data for?

We use pseudonymised, anonymised and aggregated data to plan health and wellbeing services. Specifically we use it to:

    • Check the quality and efficiency of the mental health and wellbeing services we provide.
    • To help improve the quality of services for patients and ensure that the right treatment is being provided to patients
    • Prepare performance reports on the services we provide
    • Review the care being provided to make sure it is of the highest standard
    • To help teach and train new members of staff
    • To keep track of spending.

Do we share your information with other organisations?

We will share your information with other organisations to assist with providing you with the best care possible. This will typically be your GP Practice as well as other NHS organisations. Isorropia Foundation uses the electronic patient record system, PARIS (which is also the system that Isle of Wight NHS Trust Mental Health Division use). This allows the systems to share information with one another to ensure that both your NHS record and your Isorropia record contain the most up to date and relevant health information about you.

Other organisations who receive information from Isorropia Foundation have a legal duty to keep it confidential and secure.  Only information that is required and appropriate to support your care and treatment will be provided. Where we share your information with other organisations that do not form part of your care, permission from yourself will be obtained before sending the information unless we have a legal obligation to provide the information or we are required to do so because the interest of the public is considered to be of greater importance.

Isorropia Foundation holds a contract with the Isle of Wight NHS Trust who controls data on our behalf (Data Controller) in order to deliver care. This organisation is legally and contractually bound to operate within agreed security arrangements, and there is evidence that these are in place where data that could or does identify an individual are processed.

Coded information about patient care is sent by the Isle of Wight NHS Trust to NHS Digital who manage information sent to the Department of Health & Social Care. This information is used to review the treatment provided to patients across the NHS and identify trends/changes in the health of the population.

What safeguards are in place to ensure data that identifies you is secure?

All staff are required to protect your information, inform you of how your information will be used, and in certain circumstances allow you to decide if and how your information can be shared. In addition all staff are required to ensure that information is kept confidential and must undertake annual Data Security Awareness training on how to do this. This is monitored by Isorropia Foundation and can be enforced through disciplinary procedures.

We also ensure that the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which codes data so that unauthorised users cannot see or make sense of it).

How long do we hold information for?

All records held by Isorropia will be kept for the duration specified by national guidance from NHS Digital, Health and Social Care Records Code of Practice 2021. Once information that we hold has been identified for destruction it will be disposed of in the most appropriate way dependent upon the type of information it is.  Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures.

Cookies and other Tracking Technologies

Our analytics provider uses technologies such as cookies, beacons, tags and scripts, to analyse trends, administer the website, track users’ movements around the website, and gather demographic information about our website visitors as a whole. A cookie is a small file stored on your computer by a website which gives you a numeric user ID and stores certain information about your activity on the site. We use cookies to let us know that you are a returning visitor and to provide certain features to you. Most web browsers automatically accept cookies, but most allow you to instruct your browser to prevent the use of cookies. If you disable this feature, you will not experience any functionality problems with our website.

Use of Email and SMS text

Isorropia Foundation now provide the option to communicate with patients via email and SMS text. Please be aware that Isorropia Foundation cannot guarantee the security of this information whilst in transit, and by using this service you are accepting this additional risk.

Any emails sent by Isorropia Foundation staff for the purpose of your health and wellbeing which contain your personal information are appropriately protected by NHS Security Standards including encryption where required.  More information can be found at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment

Links to other websites

This privacy notice does not cover the links included within this notice linking to other websites.  We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review.  This Privacy Notice was last updated in March 2022.

If you would like to submit any comments or feedback regarding our Privacy Notice please email these to privacy@isorropia.uk

Staff

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:

    • Your basic details and contact information e.g. your name, address, date of birth, National Insurance number and next of kin;
    • Your financial details e.g. details so that we can pay you, insurance, pension and tax details;
    • Your training records.

We also record the following data which is classified as “special category”:

    • Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/paternity pay;
    • We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion.

 As part of your application you may – depending on your job role – be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We do not keep this data once we’ve seen it.

Why do we have this data?

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.

We process your data because:  

    • We have a legal obligation under UK employment law;
    • We are required to do so in our performance of a public task;
    • We have a legitimate interest in processing your data – for example, we provide data about your training to our Commissioners as part of our public interest obligations.

We process your special category data because

    • It is necessary for us to process requests for sick pay or maternity pay.

If we request your criminal records data it is because we have a legal obligation to do this due to the type of work you do. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any).

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

As your employer we need specific data. This is collected from or shared with:

    1. You or your legal representative(s);
    2. Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

Third parties are organisations we have a legal reason to share your data with. These include:

    • Her Majesty’s Revenue and Customs (HMRC);
    • Our pension and healthcare schemes, provided by Nest Workplace Pension Scheme;
    • Our external payroll provider, Harrison Black;
    • Organisations we have a legal obligation to share information with i.e. for safeguarding;
    • The police or other law enforcement agencies if we have to by law or court order.
    • The DBS Service, CareCheck.co.uk.

Friends/Relatives

What data do we have?

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

    • Your basic details and contact information e.g. your name and address.

Why do we have this data?

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

So that we can provide high quality care and support we need specific data. This is collected from or shared with:

    1. You or your legal representative(s);
    2. Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

Third parties are organisations we have a legal reason to share your data with. These may include:

    • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals;
    • The Local Authority;
    • The police or other law enforcement agencies if we have to by law or court order.

Our Website

In order to provide you with the best experience while using our website, we process some data about you.

When you use the Isorropia website, we use various technologies to collect information automatically – such as your IP address. This is commonplace across all internet services to enable the investigation of issues such as service availability and the identification of malicious use. This information is then kept in our internet access logs.

In order to provide you with the best experience while using our website, we process some data about you. The Isorropia website itself does not use cookies however we use third parties for social media and media feeds, and they may use cookies. By using the Isorropia website you agree these cookies can be placed on your device and use your data in accordance with the appropriate third-party policy.

Video content: The Isorropia website video content – whether viewed on the website, in emails or embedded in third-party sites – are streamed to users by a third-party company, YouTube. See the YouTube privacy policy https://policies.google.com/privacy?hl=en-GB for more information about how they collect and use data about viewers of our videos.

Social Media: The Twitter content – whether viewed on the website, in emails or embedded in third-party sites – are streamed to users by a third-party company, Twitter. See the Twitter privacy policy https://twitter.com/en/privacy for more information about how they collect and use data. The Isorropia website also has links to the Isorropia Facebook and Instagram pages and their privacy policies can be found https://www.facebook.com/about/privacy and https://help.instagram.com/519522125107875.

E-Mail: When you contact us via our enquiry form, we collect your name and email address so that we can respond to you. We will only share your information with the relevant member of staff to deal with your enquiry.

In addition to this we collect aggregated or anonymous information about the services you use and how you use them, like when you watch a video on YouTube or visit our website.

We may use your information in a number of ways and for a number of purposes including:

    • To provide you with information that you have requested.
    • For internal record keeping relating to feedback or complaints
    • To analyse or improve the operation of our website
    • Where it is required or authorised by law

Your rights – Subject Access Request

The data that we keep about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:

    1. You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service;
    2. You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request;
    3. You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Information Governance Alliance’s guidelines.
    4. You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
    5. You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
    6. If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.

If you wish to exercise any of the above rights please contact the Isorropia Admin Team, requesting a subject access request form:

Admin Team
Isorropia Foundation CIC
7 High Street
Newport
Isle of Wight
PO30 1SS

Tel 01983 217719
Email – privacy@isorropia.uk

You may need to provide adequate information for our staff to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
If you would like to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

https://ico.org.uk/global/contact-us/