GDPR and Your Personal Data
From 25th May 2018, new legal guidelines are coming into force that change the way companies like us process personal data of anybody we work with, from clients to organisations we work with, contractors and suppliers, even our book printers! Below is some information to help clarify what we as an organisation are doing to protect any data we receive or hold.
At the heart of our data protection policy is a deep commitment to protect the privacy and personal information clients divulge both to individual consultants and to The Thrive Programme itself (listed as Thrive Holdings). Due to the nature of our business helping people with a huge range of mental health issues, many of our clients divulge highly sensitive information when working through the programme with a consultant or seeking online/email support, and for this reason we are especially committed to (and vigilant about) ensuring that this information is protected as thoroughly as possible.
The GDPR defines the Head Office of The Thrive Programme, as well as every individual Licensed Thrive Consultant (registered as sole traders but with a licence to deliver the Thrive Programme), as 'Data Controllers', which means we are accountable for the personal data we hold. If you ever have concerns about our handling of your personal data, you can contact the individual Thrive Consultant concerned, or Thrive Head Office (if it is a central Thrive Programme issue) to ask what information we hold about you, raise any concerns and ask to have your data deleted if required.
Our Thrive commitment to you and your personal data:
- We have produced guidelines for all of our Licensed Thrive Consultants in order for them to fully protect their clients’ personal data. We are not responsible for any data protection issues relating to unlicensed Consultants attempting to deliver the programme without the correct TTP qualifications and ATPC licensing/registration
- The Thrive Programme is not responsible for any personal data that individuals choose to share on public forums including review sites, social media including public Facebook support groups and Twitter chat sessions. We advise caution before posting sensitive or personally identifiable information (PII) relating to yourself or others on such sites
- We do not control and are not responsible for any third party websites that are referred to or linked from our websites. The use of your personal information on these websites will be subject to their own privacy rules.
- We commit to fully investigate and report any data breaches as quickly as possible, and take necessary steps to resolve any such matters as soon as possible
- We understand that sometimes our clients may want to know what data is held about them, how it is stored, and how it is used. Clients are able to email us for this information and we endeavour to respond as quickly as possible
- We never sell data to third party sources, sales teams or marketers, and only ever share data with companies contracted and approved to deliver services for us. The only exception to this is when we are required by law to divulge information for the purposes of a legal investigation or to protect vital interests (such as in medical situations to save somebody’s life, or to report a serious and genuine threat to life)
- Emails and other client data are held for an appropriate time, but are reviewed and deleted regularly to ensure they are not held for longer than is appropriate
- We sometimes use data for research and support purposes – unless client consent has been obtained to use/release personally identifiable information, this data is anonymised before public release to protect clients from identification
- We never share client information without the express permission of the client concerned. All clients providing video or written testimonials will from 25th May have to provide consent (which we will store) for the use of their testimonial, and can ask for its removal/erasure from our systems and public sites at any time
- All Licensed Thrive Consultants undertake compulsory Data Protection training and are required to comply with internal company policies relating to the protection of client data, including ensuring that businesses they work with (such as clinic rooms they hire) are also GDPR compliant.
As well as ensuring that our internal Data Protection policies are up to date and that they protect our clients as much as possible, we have also taken steps to ensure that suppliers we work with (from IT software, website/email and internet providers, to book printers, lawyers and accountants) are also GDPR compliant and committed to protect any data they hold as Data Controllers, as well as Data Processors (people processing and using our clients’ data for a contracted purpose). Any serious data breaches by suppliers or contractors will be taken seriously and clients protected and informed as fully as possible.
In order to fully protect our clients, we have chosen not to divulge any specific information beyond the above points on how we protect the various data we hold, such as naming safety software providers, security steps taken, or other providers/procedure changes, as this would put us at increased risk from hackers, malware or other threats. However, if anyone has any particular GDPR concerns or queries, please feel free to contact us and we will answer your questions as fully as we can.