Privacy Policy

DATA PROTECTION AND INFORMATION GOVERNANCE

1. Purpose 

The purpose of this Data Protection and Information Governance section is to ensure that Indigo Neuropsychology Ltd UK processes personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant regulatory requirements.

2. Scope 

This applies to all Indigo Neuropsychology Ltd associates, students, volunteers, and any individuals who process personal data on behalf of the organisation.

The policy covers all forms of data processing, including collection, storage, access, sharing, transmission, retention, and disposal of information. 

The policy applies to all systems used by Indigo Neuropsychology Ltd, including but not limited to Cliniko, Microsoft Teams, secure email, cloud storage, and physical records. 

This applies to all personal data processed in the context of clinical services, administrative functions, safeguarding, HR, and operational management. 

3. Data Categories 

  • Personal Data: Information relating to an identified or identifiable individual, including:

i. Name, address, date of birth 
ii. Contact details 
iii. Appointment information 
iv. Billing and administrative data 

  • Special Category Data: Sensitive information requiring enhanced protection, including:

i. Health and neuropsychological assessment data 
ii. Diagnostic information 
iii. Therapy notes and clinical reports 
iv. Safeguarding information 
v. Ethnicity, disability, and other protected characteristics 

  • Child and Young Person Data: Information relating to individuals under 18, including:

i. Educational records 
ii. Parental responsibility information 
iii. Multi‑agency reports 
iv. Risk assessments 

  • Associate Data: Information relating to associates and contractors, including:

i. HR records 
ii. Training and supervision records 
iii. Professional registration details 

  • Technical and System Data: Information generated through digital systems, including:

i. Access logs 
ii. Audit trails 
iii. System usage data 

4. Data Processing Systems 

  • Cliniko 

Cliniko is the designated clinical practice management system used for appointment scheduling, clinical documentation, invoicing, and secure storage of patient records. 

Cliniko is compliant with UK GDPR and uses encrypted servers located in approved jurisdictions. 

Access to Cliniko is role‑based and restricted to authorised staff. Audit logs are maintained to monitor access and changes to records. 

  • Microsoft Teams 

Microsoft Teams is used for internal communication, MDT collaboration, supervision, and secure file sharing. 

Teams is configured to meet UK GDPR and NHS Digital security standards, including encryption in transit and at rest. 

Clinical information shared via Teams must be limited to what is necessary and stored in designated secure channels or SharePoint locations. 

5. Data Protection Principles 

All data must be processed in accordance with the UK GDPR principles: 

  • Lawfulness, fairness, and transparency 

  • Purpose limitation 

  • Data minimisation 

  • Accuracy 

  • Storage limitation 

  • Integrity and confidentiality 

  • Accountability 

Staff must ensure that data is only accessed for legitimate clinical or operational purposes. 

6. Subject Access Requests (SARs) 

Individuals have the right to request access to their personal data under UK GDPR. 

All SARs must be submitted in writing to the Data Protection Officer (DPO) or designated lead. 

Indigo Neuropsychology Ltd must respond to SARs within one calendar month unless an extension is justified due to complexity. 

  • Before releasing information, identity verification must be completed to ensure the request is lawful and appropriate. 

  • Where the request relates to a child or young person, decisions about disclosure must consider: 

i. The child’s capacity to understand the request 
ii. Parental responsibility 
iii. Safeguarding considerations 
iv. Potential harm from disclosure 

  • Information may be withheld where disclosure would: 

i. Breach another person’s confidentiality 
ii. Pose a safeguarding risk 
iii. Contravene legal restrictions 

7. Information Commissioner’s Office (ICO) 

Indigo Neuropsychology Ltd is registered with the Information Commissioner’s Office as a data controller. 

All Associates must be independently registered with the ICO.

The ICO registration details are maintained by the CFO and reviewed annually. 

All data breaches must be reported to the CEO / Clinical Lead immediately. The Clinical Lead and CFO will assess whether the breach meets the threshold for reporting to the ICO within 72 hours.

Staff must cooperate fully with any ICO investigations or audits. 

8. Data Security and Access Control 

  • Access to systems is restricted to authorised personnel using unique login credentials. 

  • Multi‑factor authentication (MFA) is required for all cloud‑based systems, including Cliniko and Microsoft Teams. 

  • Portable devices must be encrypted and password‑protected. 

  • Data must not be stored on personal devices or unapproved platforms. 

9. Data Retention and Disposal 

  • Clinical records are retained in accordance with NHS and professional body retention schedules. 

  • Data must be securely destroyed when no longer required, using approved digital or physical destruction methods.