ACPAS Limited is committed to protecting and respecting the privacy and confidentiality of all personal data we collect. This policy explains how we collect, use, store, and protect personal information in line with data protection laws, including the General Data Protection Regulation (GDPR) or any other applicable regulations.
This policy applies to all employees, contractors, volunteers, and third parties who process personal data on our behalf.
Purpose
The purpose of this policy is to ensure that ACPAS Limited:
Complies with data protection laws.
Safeguards personal data and ensures it is used fairly, transparently, and for legitimate purposes.
Protects individuals’ privacy rights.
Prevents unauthorized access or misuse of personal data.
Definitions
Personal Data: Any information that can identify an individual (e.g., name, contact information, medical history).
Sensitive Personal Data (Special Category Data): Data that reveals racial or ethnic origin, political opinions, religious beliefs, health information, etc.
Data Subject: The individual whose personal data is being processed (e.g., clients, employees).
Data Controller: The organization that determines the purposes and means of processing personal data.
Data Processor: Any third party that processes personal data on behalf of the data controller (e.g., IT service providers, cloud storage).
Data Collection
We collect personal data in order to provide psychological services and support to our clients. The types of data we collect include:
Basic Information: Name, address, contact details.
Health Data: Medical history, psychological assessments, treatment plans, session notes.
Payment Information: Billing information, insurance details.
Sensitive Data: In some cases, we may collect more sensitive data related to clients' mental health, medical conditions, or other special categories of personal data, which are processed in line with strict confidentiality standards.
We collect data in the following ways:
Directly from the data subject (e.g., intake forms, questionnaires, consultations).
From third parties (e.g., healthcare providers, insurers) with explicit consent.
Lawful Basis for Processing Personal Data
We process personal data based on one or more of the following lawful bases:
Consent: We obtain explicit consent from the data subject before collecting and processing their data.
Contractual Necessity: Processing is required to fulfill a contract (e.g., providing therapy services).
Legal Obligation: We may process data to comply with legal or regulatory requirements.
Legitimate Interests: We may process data for legitimate business interests (e.g., improving service quality) provided it does not override the individual’s rights and freedoms.
Data Storage and Security
We take the security of personal data seriously. All personal data is stored securely using industry-standard encryption methods and appropriate security measures. This includes:
Secure storage in physical or cloud-based systems.
Access controls to ensure only authorized personnel can access sensitive data.
Regular software updates and patches to prevent data breaches.
Sensitive personal data, including health information, will be stored separately and treated with extra care.
Data Retention
Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected. Retention periods are determined based on the type of data and legal or contractual obligations. After the retention period, personal data will be securely deleted or anonymized.
For example:
Client treatment records may be kept for a minimum of 7 years, in line with professional guidelines.
Financial data (e.g., invoices) will be kept for a minimum of 5 years for tax and audit purposes.
Data Subject Rights
Under data protection laws, data subjects have the following rights:
Right to Access: Clients can request a copy of their personal data that we hold.
Right to Rectification: Clients can request corrections to inaccurate or incomplete data.
Right to Erasure: Clients can request that we delete their data (subject to certain conditions).
Right to Restrict Processing: Clients can ask us to stop processing their data, under specific circumstances.
Right to Data Portability: Clients can request their data in a structured, commonly used format to transfer it to another service provider.
Right to Object: Clients can object to the processing of their data, particularly for direct marketing purposes.
Requests can be made by contacting the Data Protection Officer (DPO) or relevant company representative.
Data Sharing and Third Parties
We do not share personal data with third parties, except under the following circumstances:
With the client’s consent (e.g., sharing information with a healthcare provider).
When required by law (e.g., responding to legal obligations or court orders).
With third-party service providers (e.g., IT providers, cloud services) who process data on our behalf. All such third parties must comply with our data protection standards and sign data processing agreements.
International Data Transfers
In some cases, personal data may be transferred outside the country or region (e.g., cloud services hosted in another country). We ensure that any international data transfers comply with applicable data protection laws and that appropriate safeguards (e.g., Standard Contractual Clauses) are in place.
Breach Notification
In the event of a data breach, we will notify affected individuals and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR regulations. We will also take immediate steps to mitigate any harm and prevent further breaches.
Changes to this Policy
This Data Protection Policy will be reviewed periodically and updated as needed to ensure compliance with data protection laws. Any significant changes will be communicated to data subjects as appropriate.
Conclusion
At ACPAS Limited, we are dedicated to protecting the personal data of our clients and ensuring transparency in how we handle and process their information. This policy helps ensure compliance with data protection laws and safeguards our clients' privacy rights.
Data Protection Officer (DPO)
For questions or concerns about data protection or if you wish to exercise your data protection rights, you can contact our Data Protection Officer (DPO):
DPO Name: Frank Furlong
Email Address: frankfurlong@acpas.co.uk
Phone Number: 0121 358 1500
Postal Address: 1 Farlands Grove, Great Barr, Birmingham