Our lawful bases for processing your information are:

We collect and process personal data, including Special Category or Sensitive Data, for patient care, services, and our patient portal (Carebit) under the following lawful bases:

Consent – We obtain your explicit permission after providing all relevant information

All data protection rights apply, except the right to object
• You have the right to withdraw consent at any time

Contract – Collection and use of information necessary to enter into or carry out our contract with you

All data protection rights apply except the right to object

Legal Obligation – Processing required to comply with the law

All data protection rights apply, except:
Right to erasure
• Right to object
• Right to data portability

Legitimate Interests – Our legitimate interests include:

Patient Care and Services:

Providing high-quality, safe, and effective psychiatric care
• Collecting comprehensive medical histories for accurate diagnosis
• Treatment planning and ongoing care management
• Ensuring patient safety and identifying potential risks
• Maintaining detailed records for continuity of care
• Meeting legal and professional obligations
• Quality improvement through anonymised data analysis
• Research and development (with explicit consent)

Digital Services (Carebit Patient Portal):

Enhanced patient care and accessibility
• Secure appointment management
• Medication management and reminders
• Secure sharing of educational materials
• Efficient information exchange
• Data security and protection

We implement these legitimate interests while:

Collecting only necessary information
• Providing direct patient benefits
• Maintaining robust security measures
• Ensuring patient control over data
• Maintaining transparency in data usage

All data protection rights apply, except the right to portability.

Vital Interests

Processing necessary when someone’s physical or mental health or wellbeing is at urgent or serious risk
• All data protection rights apply, except:
  Right to object
  • Right to portability

For more information about our patient portal privacy policy, please visit: https://www.carebit.co/privacy-policy

Our lawful bases for collecting or using personal information to comply with legal requirements are:

• Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
• Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  • Our legitimate interest in collecting and using personal information to comply with legal requirements is fundamental to our operation as a responsible and law-abiding healthcare provider. This interest is essential for maintaining the integrity of our practice, protecting patient rights, and upholding the standards of the medical profession.
  • Regulatory Compliance: As a healthcare provider, we are subject to various laws and regulations, including the Health and Social Care Act 2008, the Data Protection Act 2018, and the UK GDPR. Collecting and processing certain personal information is necessary to meet these legal obligations.
  • Professional Standards: We are required to adhere to standards set by professional bodies such as the General Medical Council (GMC) and the Royal College of Psychiatrists. This includes maintaining accurate and complete patient records.
  • Patient Safety: Legal requirements often exist to ensure patient safety. Collecting and processing personal information allows us to comply with these requirements, such as reporting adverse drug reactions or suspected abuse.
  • Quality Assurance: Many legal requirements are in place to ensure the quality of healthcare services. Collecting personal information enables us to participate in audits and inspections as required by law.
  • Financial Compliance: We are legally obligated to maintain accurate financial records, which necessitates the collection and processing of certain personal information related to billing and payments.
  • Legal Defense: In the event of a legal claim or investigation, having accurate and complete records is crucial for our ability to respond appropriately and protect both the clinic’s and patients’ interests. We believe these interests are not overridden by individual privacy concerns because: – The information we collect for legal compliance is limited to what is necessary to fulfill our obligations. – Patients benefit from our compliance with laws and regulations designed to protect their rights and ensure quality care. – We are transparent about our legal obligations and how they impact data processing. – We implement strict data protection measures to ensure the security and confidentiality of all personal information. – Much of this data processing is mandatory, and patients would reasonably expect us to comply with legal requirements. We continuously assess our data processing activities to ensure we only collect and use personal information that is necessary for legal compliance. Our aim is to balance our legal obligations with respect for patient privacy, always striving to use personal information responsibly and in ways that ultimately benefit and protect our patients.
• Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. All of your data protection rights may apply, except the right to object and the right to portability.

Our lawful bases for collecting or using personal information for recruitment purposes are:

• Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
• Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  • We collect and use personal information for recruitment purposes based on the following lawful bases under the UK GDPR: 1. Legitimate Interests (Article 6(1)(f) of the UK GDPR): Our primary lawful basis for processing personal information during the recruitment process is legitimate interests. We have a legitimate interest in: – Attracting and selecting suitable candidates for roles within our organization – Ensuring we hire individuals with the necessary skills, qualifications, and experience – Maintaining a fair and efficient recruitment process – Protecting our organization against any legal claims arising from the recruitment process We balance our legitimate interests against the potential impact on candidates’ privacy rights and ensure that our practices are necessary, proportionate, and respectful of individual privacy.
  • Consent (Article 6(1)(a) of the UK GDPR): We may rely on consent for certain aspects of the recruitment process, such as: – Retaining candidate information for future job opportunities – Contacting a candidate’s references (with their explicit permission) – Processing any sensitive personal data that is not strictly necessary for the recruitment process In these cases, we ensure that consent is freely given, specific, informed, and unambiguous.
  • Legal Obligation (Article 6(1)(c) of the UK GDPR): In some instances, we may need to process personal information to comply with legal obligations, such as: – Checking a candidate’s right to work in the UK – Complying with equal opportunities monitoring requirements – Adhering to any statutory reporting obligations
  • Contract (Article 6(1)(b) of the UK GDPR): If a candidate is successful, we may process their personal information as necessary for entering into an employment contract. This includes steps taken at the request of the candidate prior to entering into the contract. We ensure that: – We only collect and process personal information that is necessary for the recruitment process – Candidates are informed about how their data will be used through our privacy notices – Personal information is kept secure and only accessed by authorized personnel – Data is retained only for as long as necessary for the recruitment process or as required by law – Candidates can exercise their rights under data protection law, including the right to access, rectify, and erase their personal information We regularly review our recruitment practices to ensure they remain compliant with data protection laws and respect candidates’ privacy rights.

Our lawful bases for collecting or using personal information for information updates, marketing or market research purposes are:

• Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
• Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  • We collect and use personal information for information updates, marketing, and market research purposes based on the following lawful bases under the UK GDPR:
  • Consent (Article 6(1)(a) of the UK GDPR): Our primary lawful basis for processing personal information for marketing and market research purposes is consent. We ensure that: – Individuals provide explicit, informed consent to receive marketing communications or participate in market research. – Consent is freely given, specific, and unambiguous. – Individuals can easily withdraw their consent at any time. – We maintain records of consent for accountability purposes. This applies to: – Email newsletters and updates – SMS marketing messages – Invitations to participate in surveys or focus groups – Targeted advertising based on personal preferences
  • Legitimate Interests (Article 6(1)(f) of the UK GDPR): In some cases, we may rely on legitimate interests for certain types of communication, particularly for existing patients or business contacts. This includes: – Sending relevant information about our services that may be of interest based on previous interactions – Conducting satisfaction surveys to improve our services – Analyzing anonymized data to understand market trends and patient needs When relying on legitimate interests, we: – Conduct a balancing test to ensure our interests do not override the individual’s rights and freedoms – Provide clear information about our use of data and the right to object – Honor opt-out requests promptly
  • Contract (Article 6(1)(b) of the UK GDPR): For existing patients, we may send service-related updates and information necessary for the performance of our contract, such as: – Appointment reminders – Important changes to our services or policies – Information directly related to ongoing treatment or care
  • Legal Obligation (Article 6(1)(c) of the UK GDPR): In rare cases, we may be required by law to send certain information, such as: – Safety notices related to treatments or medications – Mandatory public health information Key Considerations: – We always clearly distinguish between service messages and marketing communications. – We provide easy opt-out options in all marketing communications. – We do not share personal information with third parties for their marketing purposes without explicit consent. – For market research, we anonymize data wherever possible and ensure participants are fully informed about how their data will be used. – We respect individual privacy preferences and tailor our communication approaches accordingly. – We regularly review and update our marketing and research practices to ensure ongoing compliance with data protection laws and best practices. By adhering to these lawful bases and principles, we aim to balance our need to communicate effectively with our patients and improve our services while respecting individual privacy rights and preferences.

Our lawful reasons for collecting or using personal information for medical research or archiving purposes are:

• Consent – We obtain your permission after providing all relevant details. Most of your data protection rights apply, except the right to object. You have the right to withdraw your consent at any time.
• Legitimate interests – We collect or use your data because it benefits you, our organisation, or others without causing undue harm. Most of your data protection rights apply, except the right to portability. Our legitimate interests include:
• Under the UK GDPR, we base our collection and use of personal data for these purposes on the following lawful provisions:
• Consent (Article 6(1)(a) and Article 9(2)(a)):

• • For specific projects, we get explicit, informed consent from participants.
  • Consent is clear, freely given, specific, and well-documented.
  • Participants can withdraw consent at any time.

• We keep detailed consent records for accountability.
• Public Interest (Article 6(1)(e) and Article 9(2)(j)):

• • We process data for public interest when studies can significantly benefit public health or advance medical knowledge, with ethics committee approval and appropriate safeguards.

• Legitimate Interests (Article 6(1)(f)):

• • For certain activities, we rely on legitimate interests when processing is necessary and does not override individuals’ rights. We balance our interests against those of the participants through thorough assessments.

• Archiving Purposes in the Public Interest (Article 6(1)(e) and Article 9(2)(j)):
• We process personal data for archiving significant historical or scientific value, complying with the UK GDPR’s requirements and ensuring suitable safeguards.
• Key Considerations and Safeguards:
• Data Minimization: We only collect the necessary amount of data for specific purposes.
• Pseudonymization and Anonymization: We protect privacy by pseudonymizing or anonymizing data when possible.
• Ethical Approval: All research undergoes rigorous ethical review and approval.
• Data Security: We implement strong measures to secure personal data.
• Transparency: We inform individuals clearly about how their data will be used.
• Individual Rights: We respect and support the exercise of their rights, like access, rectification, and erasure, where applicable.
• Storage Limitation: Personal data is retained only as long as necessary, complying with legal and ethical requirements.
• Data Sharing: Data sharing follows strict protocols and agreements for continued protection.
• Ongoing Review: We regularly update our practices to ensure compliance with data protection laws and ethical standards.
• Public Task – We collect or use data to fulfil a legally mandated task pertinent to our organisation. Most of your data protection rights apply, except the rights to erasure and portability.
• By adhering to these lawful bases and implementing comprehensive safeguards, we aim to contribute valuable medical research and maintain important archives while respecting privacy and maintaining high data protection standards.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
• Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

This is the most common lawful basis for processing personal information in this context. The clinic’s legitimate interest is to: Respond to queries and complaints: This involves understanding the nature of the issue, investigating, and providing appropriate responses. Resolve disputes: This may involve collecting and analyzing information to determine the facts and reach a fair resolution. Protect its reputation: Handling complaints and claims effectively helps to maintain the clinic’s reputation and avoid legal issues. Contractual Necessity: In some cases, the processing of personal information may be necessary to fulfill a contract with the individual, such as when they are a patient or have agreed to a specific service. Legal Obligation: The clinic may be required to process personal information to comply with a legal obligation, such as reporting incidents to regulatory bodies or responding to legal proceedings.