Back Home

Privacy Policy

INTRODUCTION

As part of the services we offer, we are required to process personal data about our staff, our service users and, in some instances, the friends or relatives of our service users and staff. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

If you have any concerns or questions please contact us at contact@hg-mindworks.com. For queries specifically about data protection, please contact our Data Protection Lead: Faye Evans.

SERVICE USERS

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:

Your basic details and contact information e.g. your name, address, date of birth and next of kin;
If paying for our services: your financial details e.g. details of how you pay us for your care or your funding arrangements.

We also record the following data which is classified as “special category”: Health and social care data about you, which might include both your physical and mental health data.

To provide the best care, improve health outcomes and ensure our services are inclusive, we may record data about your race, ethnic origin, sexual orientation or religion. This information is used to identify and reduce health inequalities.

Why do we have this data?

We use your data to provide you with high-quality care and support. The law requires us to have a valid legal basis before we can process your personal data.

We process your personal data because:

We have a legal obligation to do so, primarily under the Health and Social Care Act 2012, Mental Capacity Act 2005, Care Act 2014, Children Act 1989/2004, UK GDPR, Data Protection Act 2018 and NHS Act 2006.

We process your special category data because:

It is necessary to comply with social security and social protection law; this would typically arise in safeguarding situations.
It is necessary for us to deliver and manage the services we provide to you.
We are required to share certain data with our regulator in the public interest.

Your consent

In some cases, we may also process your data with your consent. Where we need your permission, we will give you a clear choice and ask you to confirm that you agree. We will always explain why we need the data and how you can withdraw your consent at any time.

You can withdraw consent by contacting us at contact@hg-mindworks.com. Withdrawal does not affect the lawfulness of any processing already carried out. If you withdraw consent during an active course of treatment, we will discuss the implications with you before taking any action.

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses);
We have a legal requirement to collect, share and use the data; or
The public interest in collecting, sharing and using the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).

Where do we process your data?

So that we can provide you with high quality care and support, we need specific data. This is collected from or shared with:

You or your legal representative(s);
Third parties, including referrers such as GPs, NHS services, or, where applicable, your employer or an organisational commissioner who has arranged your care.

We do this face to face, via phone, via email, via our website and via application forms.

Third parties are organisations we might lawfully share your data with. These include:

Other parts of the health and care system such as local hospitals, GPs, pharmacies, social workers and other health and care professionals;
The Local Authority;
Your family or friends, with your permission;
Organisations we have a legal obligation to share information with, for example for safeguarding or regulatory purposes;
The police or other law enforcement agencies if we have to by law or court order.

Employer and commissioner referrals:

If you have been referred to us by your employer or an organisational commissioner, specific data items, defined in your consent form, will be shared with that referrer. This typically includes your clinical status, number of sessions attended, treatment modality and discharge recommendations. The content of your sessions is never shared.

NATIONAL DATA OPT-OUT

We review our data processing on an annual basis to assess whether the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

At this time, we do not share any confidential patient information for planning or research purposes for which the national data opt-out would apply. If this position changes we will update this notice accordingly and apply the opt-out.

STAFF

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:

Your basic details and contact information e.g. your name, address, date of birth, National Insurance number and next of kin;
Your financial details e.g. details so that we can pay you, insurance, pension and tax details;
Your training records.

We also record the following data which is classified as “special category”:

Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/paternity pay;
We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion.

As part of your application you may – depending on your job role – be required to undergo a Disclosure and Barring Service (DBS) check. We record that a check has been carried out; we do not retain the certificate itself.

Why do we have this data?

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

We have a legal obligation under UK employment law;
We are required to do so in our performance of a public task;
We have a legitimate interest in processing your data – for example, we may provide data about your training to workforce planning bodies.

We process your special category data because:

It is necessary for us to process requests for sick pay or maternity/paternity pay;
If we request your criminal records data it is because we have a legal obligation to do so due to the type of work you carry out. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975;
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm your consent. We will also explain clearly what we need the data for and how you can withdraw your consent.

Where do we process your data?

Specific data is collected from or shared with:

You or your legal representative(s);
Third parties.

We do this face to face, via phone, via email, via our website and via application forms.

Third parties are organisations we have a legal reason to share your data with. These include:

His Majesty’s Revenue and Customs (HMRC);
Our pension and healthcare schemes;
Our external payroll provider;
Organisations we have a legal obligation to share information with, for example for safeguarding purposes;
The police or other law enforcement agencies if we have to by law or court order;
The DBS Service.

FRIENDS AND RELATIVES

What data do we have?

As part of our work providing high-quality care and support, it may be necessary that we hold the following information about you:

Your basic details and contact information e.g. your name and address.

Why do we have this data?

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm that you consent. We will also explain clearly what we need the data for and how you can withdraw your consent.

Where do we process your data?

This data is collected from or shared with:

You or your legal representative(s);
Third parties.

We do this face to face, via phone, via email, via our website and via application forms.

Third parties are organisations we have a legal reason to share your data with. These may include:

Other parts of the health and care system such as local hospitals, GPs, pharmacies, social workers and other health and care professionals;
The Local Authority;
The police or other law enforcement agencies if we have to by law or court order.

HOW WE STORE YOUR PERSONAL INFORMATION

Clinical records are held in a secure, GDPR-compliant electronic health record system. A Data Processing Agreement is in place with that provider. Access to your records is restricted to the clinician(s) involved in your care and authorised supervisory staff. Non-clinical records are stored securely in encrypted systems. Paper records, where held, are kept in locked storage.

We retain records in line with the Records Management Code of Practice. Adult clinical records are kept for seven years following the end of treatment (or until the individual’s 25th birthday if they were a child at the time of treatment, whichever is longer). Staff records are retained for the period required by employment law.

At the end of the applicable retention period, records are securely deleted or destroyed, electronic records are wiped to the appropriate standard and paper records are shredded.

Our website

Our website may use cookies to improve your experience. Please refer to our Cookie Policy for details of what cookies we use and how to manage them.

YOUR RIGHTS

The data that we keep about you is your data and we ensure that we keep it confidential and use it appropriately. You have the following rights when it comes to your data:

You have the right to request a copy of all of the data we keep about you (a Subject Access Request). We will generally not charge for this;
You have the right to ask us to correct any data we hold which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your request;
You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose for which we originally collected it. We retain data in line with the Records Management Code of Practice, so this right may be limited where we have a legal obligation to keep records;
You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased;
If we are processing your data on the basis of your consent, you can withdraw that consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent during an active course of treatment, we will discuss the implications with you before taking any action;
If we are processing your data as part of our legitimate interests or in order to complete a public task, you have the right to object to that processing. We will restrict all processing while we consider your objection;
We do not make decisions about you based solely on automated processing.

You may need to provide adequate information to allow us to identify you, for example a passport or driving licence. This is to make sure that data is not shared with the wrong person. We will always respond to your request as soon as possible and at the latest within one calendar month.

If you are unhappy with how we have handled your data or your request, you have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

https://ico.org.uk/global/contact-us/

Version 1.0 | Issued April 2026 | Next review April 2027 | Owner: Data Protection Lead

Call: 02081268767 | Email: contact@hg-mindworks.com

Registered with the Care Quality Commission · Provider ID: 1-25757603783

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.