Personal data is data which relates to any living individual who can be identified from that data, or from that data and other information; this includes an expression of opinion about the individual.
What is the GDPR?
The General Data Protection Regulation 2018 (GDPR) replaces the Data Protection Act 1998 (DPA) in governing how personal data is managed by a “controller” or “processor”.
In this respect, a data controller is a person (or business) who determines the way in which personal data is processed. A data processor is anyone who processes personal data on behalf of the data controller (not including the data controller’s employees).
A “Data Subject” is a person whose data is being processed.
Psychology Expressions is both a controller and processor of personal data. This means that we are responsible for deciding how we hold and use personal information about you, whether you use our services directly or via a third party.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
GDPR requires that personal data shall be:
Processed lawfully, fairly and in a transparent manner.
Collected for specified, explicit and legitimate purposes.
Adequate, relevant and limited to what is necessary.
Accurate and, where necessary, kept up to date.
Kept in a form which permits identification of data subjects for no longer than is necessary.
Processed in a manner that ensures appropriate security of the personal data.
It also requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
The GDPR provides the following rights for individuals:
The right to be informed – Psychology Expressions must provide details (such as those provided in this privacy notice) of how Psychology Expressions processes information to the data subject. This information must be available at any time personal data is obtained.
The right of access – Data subjects have the right to know what information Psychology Expressions has in relation to them. Data subjects then have the right to access this information.
The right to rectification – Data subjects have the right to request that we update inaccurate or incomplete information that is being processed or stored by Psychology Expressions. We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can request that we update or amend it.
The right to erasure – Data subjects have the right to request that we delete any information Psychology Expressions has in relation to them. However, as a private medical practice, we also have a legal duty to retain medical records for a period of time in line with UK law and guidelines, or if other legal obligations bind us.
The right to restrict processing – Data subjects have the right to block or suppress Psychology Expressions processing their information. However, it may be necessary to keep your information in order to perform a task which is in the public interest or for the purposes of establishing, exercising or defending legal claims.
The right to data portability – Data subjects can request that Psychology Expressions make their information available so that personal data can be moved, copied or transferred easily from one environment to another.
The right to object – Data subjects can object to the processing of their information for activities such as marketing.
Individuals also have rights in relation to automated decision making and profiling. However, Psychology Expressions does not carry out this type of processing.