OXPIP Clinical Privacy Notice
For all OXPIP Clients
1. What is a Privacy Notice?
A Privacy Notice is a document that explains why we are collecting your data, what we do with it and how long we keep it for, to ensure you remain informed and in control of your information.
All organisations that collect personal data (i.e. any information which identifies you, or which can be identified as relating to you personally) are legally required to provide a privacy notice.
We realise this is a long notice with language that you may be unfamiliar with. However, we are legally obliged to tell you in detail about your rights and our responsibilities when we process your personal information.
2. What information do you record?
This Privacy Notice is for children and families who use OXPIP clinical services. To provide you with the most appropriate and high-quality care we need to collect and process your personal data. This requires us to keep records about you, your health, and the services we provide or plan to provide for you. We also generate clinical notes following our sessions with you.
Video is frequently used in clinical work with families using OXPIP services. Film will not be kept by OXPIP beyond the closure of any work, unless there is agreement for it to be used for future training or presentations. If video is used, a separate policy and agreement will be shared with you.
We usually receive your information directly from you. We may also receive referral information from health or social care professionals, or a legal representative on your behalf. Our therapists may speak to other organisations already involved in your care. These details allow us to determine if OXPIP services are appropriate for you. We respect your rights to confidentiality and are careful to only collect the data that is necessary to provide the service you require.
OXPIP is considered a data controller and is registered with the Information Commissioner’s Office (ICO).
If you have any questions about the content of this notice, you can contact us at:
OXPIP, Suite J, The Kidlington Centre, Kidlington, Oxford, OX5 2DL
Tel: 01865 778034
Our Data Protection Officer is:
Tel: 01865 778034 / 07934 517 400
3. What lawful basis do you have for processing my data?
To collect and use your data we need to have a lawful basis for doing so. Detailed information about the lawful basis for processing data can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
In summary, under the General Data Protection Regulation (GDPR) 2018 we collect and process data on the basis that it is essential for the purposes of providing a safe and effective assessment or treatment. It may be that we have a contract to provide a service for you which will require us to process your personal data. We may collect and process data following additional consent given, such as for training and research purposes.
4. Will you share my data?
We understand how important confidentiality is and abide strictly by data protection laws that allow us to share information only with your knowledge and permission, or in rare circumstances when we are legally required to do so. If the therapist considers that you are either a danger to yourself or to others, the therapist would be obliged to inform the GP and other relevant outside agencies regardless of whether permission has been given. Further guidance on these circumstances is available from OXPIP’s Safeguarding Policies, the Oxfordshire Safeguarding Children Board and the Oxfordshire Safeguarding Adults Board websites (www.oscb.org.uk, www.osab.co.uk).
To provide you with safe and effective care, we seek consent from you to inform your GP that you are using our service. We may also seek consent to share relevant information with other health professionals involved in your or your child’s care. All therapists have regular supervision with a clinical supervisor to discuss their work. They all have the same duty of confidentiality towards your data.
To develop our understanding of how best to help children and families and to evaluate whether our work is effective, we collect outcome measures from you at various points in your treatment and / or assessment. The scores from the outcome data are entered into a database to assist with the evaluation of the data. The data held in this database is anonymised, which means that all identifying information is removed and replaced with a code, so you cannot be easily identified.
If we are providing a service as part of a contract or commission with another organisation, we may share anonymous evaluation data with the commissioning organisation, which would not contain identifiable information.
Where the work is carried out to inform on-going legal proceedings or pre-proceedings, the results of the work may be shared with all parties to the proceedings. The exact terms of sharing will always be set out in the Letter of Instruction prior to therapy starting.
Anybody we share information with has a legal obligation to keep your information confidential.
5. Where will my data be kept?
We keep your personal data on secure databases. A contract is in place to ensure that data security meets GDPR requirements.
Any personal information kept on hard paper copies is kept securely in the OXPIP office in locked filing cabinets.
6. How long will you keep my data?
If you and your child have received a service with OXPIP, we will securely retain your records until your child’s 25th birthday. This is in line with NHS retention periods and we periodically review this to ensure it is still appropriate. Clinical notes are securely disposed of at the end of their retention period.
Where clients contribute financially to the sessions, anonymised payment information is kept for six years on our accounting system, according to statutory requirements.
Where we use data for training purposes, the length of retention will be clearly specified when you consent to the use of your data. At the end of this period your data will be securely disposed of, unless you withdraw your consent earlier, in which case we will stop using the material and case material will be permanently deleted.
7. What are my rights?
OXPIP adheres to GDPR which has been written to ensure that your rights are central to how an organisation manages your data. You have certain rights, depending on the legal basis for processing, that you can exercise at any time:
The right to be informed
This privacy notice informs you about why and how we use your information.
The right of access
You may ask us for a copy of the information we hold about you.
This is called a Subject Access Request (SAR).
The right to rectification
If any data about you is inaccurate or out of date you can ask us to correct it.
The right to erasure
In certain circumstances you can ask us to delete your data.
The right to limit your use of data
In certain circumstances you can ask us to stop processing your data.
The right to data portability
You can ask for an easily transferable copy of your data. This generally refers to online services, but we can provide a copy.
Rights in relation to automated decision making and profiling
We do not use automated decision making and profiling.
If you wish to exercise any of these rights, please use the contact details above.
You can read more about your rights on the Information Commissioner’s Office website. We will fulfil these rights unless we have a legal or safeguarding reason not to.
8. How do I give my consent?
Your consent is confirmed by the Client Consent Form you are asked to complete at the first session. We obtain your explicit consent to contact other providers and agencies (e.g. your GP) to collect information about you. Consent is sought separately to using your personal information for training and research purposes, or if the work involves the use of video.
9. How do I withdraw my consent?
Where we rely on Consent as the legal basis to process your data, you are entitled to withdraw your consent at any time and we will stop processing your data for that purpose. This applies to consent for additional uses of your data, such as for training or research purposes.
10. How do I make a complaint?
You can complain to OXPIP directly by contacting our Data Protection Lead using the details set out above. If you are not happy with our response, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at