67 Whitehall Road, Norwich, NR2 3EN
Who are we?
Bamboo Mental Health is the trading name for Tom Oxley, a mental health consultant. I help employers improve staff care and improve corporate and employee resilience.
I take great care to preserve your privacy and safeguard any personal details you provide to me as I deal with sensitive issues throughout the everyday function of my business. Personal confidentiality is paramount in all my work and this privacy statement documents how Bamboo complies with European Union data protection requirements and how I collect and use your information.
By using my website or providing me with your personal information you are agreeing to this Policy. I may update this Policy at any time without notice to you, so please check it regularly to ensure you are happy with any changes.
There are two sections to the following information:
- About your personal data – the type of data that is collected or used, including when, how and why
- Your rights – all the ways that you can control what happens with your data
About Your Personal Data
- When will I need to provide my details?
I may collect personal information (for example your name, email or telephone number) from you when you:
- Contact me to ask about my work
- Attend one of my seminars or events
- Work directly with me
- When Janine Forder, my representative at Ringhello Ltd contacts you on the phone
The name and contact details you give and the content of your message(s) are retained for three reasons:
- By your consent
- As part of a ‘contract’ (only while I communicate)
- For legitimate business interests
When you work with me
Typically when I am working with you, I will need to gather the following information from you: Your name and email address only. Dependent on the work I do together, you may wish (or need) to provide personal details of a sensitive nature.
- In Consultations: I may also ask you to provide me with information regarding your personal or professional interests, lifestyle, health conditions and wellbeing – this is purely to ensure I deliver the best service to you. This information will not be disclosed or ever used for any marketing purposes.
- When you attend a workshop/event or training session: If you attend a workshop or training with me I simply record your name and email. All payments are gathered through invoicing so there is no third party involved in the payments between us. When you make a payment it is a contract for services and your contact details are dealt with as above (consent, contract, legitimate reasons) – also these, your purchase history and the payment details are retained for six years beyond the end of the contract for legal reasons – accounting law
I am required by law to retain these records for six years after the completion of my contract.
I may also follow up, either by email, phone or mail, to people who have received my services as part of my customer care procedure.
Any notes that I keep tend to be summaries and key points covered in my sessions and are usually handwritten. I do not keep named notes. I securely destroy interview notes shortly after the session.
- Why do I need any personal details?
Although I work with businesses, I also work closely with the individuals within them i.e. you. This means I need personal details.
It’s important that I communicate with you and keep you up to date about the work I am doing and I go into more detail in the next section about why I ask specifically about mental health.
As part of the registration process for my ad hoc e-newsletter, I collect personal information. I use that information for a couple of reasons: to provide positive and useful information to you about mental health in the workplace, tell you about events, courses, products and services that you’ve asked me to tell you about; to contact you if I need to obtain or provide additional information; to check my records are right and to check every now and then that you’re happy and satisfied.
I’ll only send the newsletter via email if you tell me that you’re happy to hear from me by opting-in to my emails and completing the contact preferences form on my newsletter.
I don’t rent or trade email lists with other organisations and businesses. When dealing with your personal information I will at all times comply with the Data Protection Act 1998, and any other applicable legislation. The permission you give me will only last 2 years so just before that I’ll ask you again if you still want to hear from me.
I use a third-party provider, MailChimp, to deliver my newsletter. I gather statistics around email opening and clicks using industry standard technologies to help me monitor and improve my e-newsletter. For more information, please see MailChimp’s privacy notice. You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of my emails or by contacting me directly through this website.
When I ask for your input via survey monkey or other research, I never identify participants via the IP address, unless they identify themselves for one of the above interviews.
- Why do you ask for information about my interest in mental health?
When I consult people, I ask for some personal information relating to mental health in order to anonymously let the company know generally about the wellbeing of employees. I never use this for marketing. I never share your information against your name unless I feel you may be at risk of harming yourself or someone else, or you give me consent to ask me to raise your concerns.
- Do you pass my details to any other organisations or individuals?
I will never sell your data to another organisation. In addition, if I ever need to send data to a third party (for example checking against the Telephone Preference Service) I will make sure the company I use also complies with GDPR legislation.
In continuation of current UK law on confidentiality, I also retain the right and in some cases the legal requirement to breach confidentiality to inform an authority such as the police or your GP of impending harm or illegality.
- How do you keep my information secure?
I will take precautions to prevent the loss, misuse or unauthorised alteration of personal information you give me. For example, I do not have a contact form on the website, therefore, no personal data is stored on there. I do not keep named notes. I securely destroy interview notes shortly after the session.
I may send communications to you by email. Email is not a fully secure means of communication, and whilst I do my utmost to keep my systems and communications protected I cannot guarantee this.
I make no representations about any other websites, and when you access any other website through a link on my website (including social media sites) you should understand that it is independent from me and that I have no control over that website or the way your personal information is collected through those websites. E.g. Twitter and LinkedIn. Those websites may have their own privacy policies and I encourage you to look at those policies or contact the website operators directly to understand how your personal information is used.
Right to be informed
You have the right to be informed about the collection and use of your personal data. I must provide you with information including my purposes for processing your personal data, my retention periods for that personal data, and who it will be shared with. This ‘privacy information’ is provided above. Please note that I may, where permitted under applicable law, charge a small administrative fee and/or request proof of identity. I will respond to your requests within all applicable timeframes (in accordance with the Information Commissioner’s Office guidelines).
In certain circumstances (for example where required or permitted by law) I might not be able to provide you with access to some of your personal information, but where appropriate I will notify you of the reasons for this.
I must provide you with privacy information at the time I collect your personal data from you, in other words, it has to be available to you before you fill in a form or hand over your data such as your email address.
If I obtain your personal data from other sources, e.g. by referral I must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when I do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it.
The information I provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. Therefore if there is anything you do not understand, please get in touch.
Right of access
You are entitled to view, amend, or delete the personal information that I hold. This allows you to be aware of and verify the lawfulness of the processing. Email firstname.lastname@example.org in the first instance.
You are entitled to confirmation that your data is being processed, access to your personal data, and other supplementary information as provided in this privacy notice.
Right to rectification
You have the right to have your personal data corrected if it is incorrect, or completed if it is incomplete. If you believe that any information I am holding on you is incorrect or incomplete, please write or e-mail me as soon as possible to the above address. I will correct any information which was found to be incorrect promptly.
Right to erasure
You may request, verbally or in writing, to have your data erased. This is also commonly known as ‘the right to be forgotten’. This right only takes effect when:
- Your personal data is no longer necessary for the purpose for which it was originally collected or processed;
- You withdraw your consent when the sole legal basis to hold this information is your consent;
- There is a legitimate interest in processing this data, which does not override your request;
- Processing/analysing of the personal data was for direct marketing purposes and this is the use you object to;
- Your personal data was processed unlawfully without a proper legal basis;
- There is a legal obligation to comply with your request; or
- If the personal data was processed to offer information society services to a child.
Right to restrict processing
You may change your mind about the permission you have given me to use your personal information at any time by emailing me email@example.com
You have the right to request the restriction or suppression of your personal data. In other words, you want to stop the data being used but keep it on file.
In this case, your personal data cannot be used and can only be stored unless:
- you give your consent;
- it is for the establishment, exercise or defence of legal claims;
- it is for vital interests – I choose to deliver the best possible service, and in line with most therapy organisations I reserve the right to break your confidentiality agreement if I decide you or another person is at risk or secondly the content discloses criminal or illegal activity to me.
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
Right to data portability
This allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this is meant to enable you to take advantage of applications and services that can use this data to find you a better deal or help you understand your spending habits. In general, this rule exists for data held by big service providers, such as your call history or insurance or gas bill history. The right also only applies to information you have provided.
If you want to move other sensitive data to another mental health consultant, these may be provided to you or to the nominated service provider, on request, as an encrypted and password protected document.
Right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Your objection must be made on grounds relating to your particular situation.
Once you object your data can no longer be processed, unless
- there are demonstrably compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
You may complain directly to me using the contact details above. If you find the outcome unsatisfactory you are then able to object or complain to the ICO.
You may of course also exercise your right to legal action.
You can claim a right verbally or in writing.
A response should come without delay and at least within one month of receipt. The time limit is calculated from the day after you make the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
I aim to respond within 28 days.
When you request access to your data, a copy must be provided free of charge. However, you can be charged a ‘reasonable fee’ when a request is:
- manifestly unfounded or excessive, particularly if it is repetitive unless that’s because I failed to respond; or
- for further copies of the same information (that’s previously been provided).
If you have any questions or concerns about this Privacy Statement or would like to receive a printed version, please call me on 07718 130930.