Privacy Policy

Privacy Notice

Data Controller: Onebright Limited, First Floor West Wing, Holgate Park Drive, York, United Kingdom, YO26 4GN

This privacy notice explains what personal data Onebright collects and processes from those accessing our services or who we work with (Network Clinicians and Referrer Employees) including via our website and other subdomains owned and run by the Onebright Group. The “Onebright Group” includes Onebright Group Limited (company number 11791999), Onebright Limited (company number 09507950), Onebright Efficacy Limited (company number 06245547), Moving Minds Psychological Management and Rehabilitation Limited (company number 4353657), Onebright Systems & Training Limited (company number 07037705), Expert Psychological Reports Limited (company number 8073738) and Onebright Psychiatric Services Limited (company number 14014785); all with registered offices at First Floor, West Wing, Holgate Park Drive, York, United Kingdom, YO26 4GN. References to the “organisation” in this privacy notice means one or more of the Onebright Group. It also describes how we use that data and explains your rights concerning your personal data and how to contact us or a relevant regulator if you have a complaint about how we process and use the personal data we collect about you.

Where we collect, use and are responsible for certain personal data about you, we are subject to the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”). We are also subject to the EU General Data Protection Regulation (“EU GDPR”) in relation to Services we offer to individuals in the European Economic Area (“EEA”). We may also be subject to other data protection laws where we offer Services to individuals based outside of the UK and the EEA or if we provide Services from outside of the UK or the EEA.

This version of our privacy notice is primarily written for adults, including parents and guardians of child users of our Services. If you are a child (under 18 years old) you are welcome to read this notice if you find it useful, or alternatively please refer to our easy read leaflet; Your Information, Your Rights.

This privacy notice is divided into the following sections:

  • Data security and protection
  • Transferring your personal data out of the UK and EEA
  • How long we keep your data
  • Your privacy rights
  • How to contact us
  • How to complain
  • Client-specific privacy notice
  • Network-specific privacy notice
  • Referring Parties specific privacy notice
  • Changes to this privacy notice
Data Security and Protection

The organisation takes the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

Where we use third parties to process your personal information, we will ensure that third parties do so in accordance with GDPR, including by way of data processing agreements and appropriate technical and organisational security measures.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Transferring your personal data out of the UK and EEA

Personal data we store, or process is predominantly held in data centres within the UK or the wider European Economic Area. We (or processors acting on our behalf) may also store or process your personal data in countries outside the European Economic Area but only where we are assured of the security of the data and the adequacy of the data protection regimes of those countries and organisations holding the data.

How long we keep your data

We do not keep your personal information for longer than we need it for the purpose for which it is used. Different retention periods apply for different types of personal information. How long we retain specific personal information varies depending on the purpose for its use.

Please note, we may retain your personal information even after we have stopped delivering services to you to comply with our legal and regulatory obligations, to resolve disputes or complaints, and to enforce our rights in connection with the website, our Services, or our products or to protect our business.

Data held in back-ups will be subject to separate retention and destruction processes.

If you have any questions about how long we keep your data for, please contact us using the details below.

You can review our retention schedule here

 

Clients accessing mental health services

Personal information we collect about you is stored within Onebright’s case management system for 8 years for Adults and up until the 25th birthday for a child accessing Onebright services.

For Onebright Psychiatric Services clients’ data is retained for 20 years for adults and up until the 25th birthday for a child.

 

Network Clinicians

In general, data about you (where regards our use of your services) will be kept for 7 years after you stop working for Onebright. Other data relating to records you have made about our clients and payments and expenses may be kept longer depending on various legal requirements as they apply.

Your privacy rights

If you are in the EEA or the United Kingdom you have certain privacy rights and protections under the EU GDPR or the UK GDPR. These are the following:

  • Right to rectify inaccurate or outdated information
  • Right to request to move your data (data portability)
  • Right to object to data processing
  • Right to withdraw your data consent at any time
  • Right to be forgotten
  • Right to ask for a copy of your data via a Subject Access Request (SAR)
  • Right to lodge a complaint with the UK’s Information Commissioner or other relevant supervisory authority

Please see the Contact section below for how to contact us to exercise any of these rights.

 

How to complain 

Please contact us if you have any queries or concerns about our use of your personal information (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with:

  • the Information Commissioner in the UK, OR
  • a relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA.
  • The UK’s Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113

 

How to contact us 

You can contact our Data Protection Officer by post, email or telephone if you have any questions about this Privacy Notice or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Our Data Protection Officer’s contact details are shown below:

  • email: DPO@onebright.com
  • telephone: 01904 620781
  • address: Onebright Ltd, First Floor West Wing, Holgate Park Drive, York, United Kingdom, YO26 4GN attention: Data Protection Officer

Client Privacy Notice

Information we collect

Your data may be stored in a range of different secure places, including in our client management systems and in other IT systems (including the organisations email system).

We hold the following types of data:

Information which helps us to contact, identify, administer, or manage our relationship, including complaints, with you:

  • Personal details such as name, address, date of birth, phone numbers, gender and email address.
  • Personal details of a guardian will also be collected for clients who are children
  • Third party details such as your employer, insurance company including your membership number and emergency contact details
  • Card details. We use Key IVR and Sage Pay as our secure online payment solution partners to take credit and debit card payments. Which partner is used is determined by which of the services we provide to you, which will be confirmed during the booking process;

Information which helps us tailor your care and provide healthcare services including:

  • Details regarding your physical and mental health.
  • Information about your race, ethnic origin, religion and sexual orientation.
  • Safeguarding and risk information;

Information about how you use our website, apps, Services, or other technology, including IP addresses or other device information.

 

How we collect your information

We collect personal information from you when you use our website, contact us via phone or email and access our services. Please note that if you contact us via phone, we may record or monitor calls for the effectiveness of our service. We may also collect personal information about you from third parties (namely, anyone acting on your behalf) for example:

We collect personal information from you when you use our website, contact us via phone or email and access our services. Please note that if you contact us via phone, we may record or monitor calls for the effectiveness of our service. We may also collect personal information about you from third parties (namely, anyone acting on your behalf) for example:

  • Those paying for the services we provide to you including insurers or personal injury services
  • Solicitors
  • A family member or someone acting on your behalf
  • Doctors, clinicians, healthcare professionals, hospitals, clinics and other healthcare providers
  • Your parent or guardian (if you’re under 18 years old)

 

How and why we use your personal information, including the lawful basis

Under data protection law, we can only use your personal data if we have a proper reason (lawful basis). For example:

  • where you have given consent
  • to comply with our legal and regulatory obligations
  • for the performance of a contract with you or to take steps at your request before entering into a contract
  • for our legitimate interests

The table below explains what we use your personal information for and why:

What does Onebright use your personal data for Our reasons (lawful basis)
To create and manage your account with us, respond to your enquiries or fulfil your requests (e.g. send you documents or information you request), and otherwise administer our relationship with you including complaints and individual rights handling. Depending on the circumstances:

  • To meet the requirements of a contract to deliver services to you (Article 6 (1) (b) Performance of the contract )
  • To comply with our legal and regulatory obligations (Article 6 (1) (c) Legal Obligation)
  • For our legitimate interests or those of a third party (i.e., to be as efficient as we can so we can deliver the best Service to you). (Article 6 (1) (f) Legitimate interests and Article 9 (2) (h) Health and Social Care )
  • Your consent (Article 9 (1) (a) Explicit Consent.)
To provide psychological or psychiatric health care services to you, including on behalf on a third party.
  • Your consent (Article 6 (1) (a) Consent and  Article 9 (1) (a) Explicit Consent.)
Onebright Psychiatric Services Limited only: To provide psychiatric and neurodevelopmental health care services to you, including on behalf on a third party.
  • Article 6 (1)(f) – legitimate interests
  • Article 9 (2)(h) – provision of health or social care
Call recordings for the purposes of training our staff and monitoring the effectiveness of our service. Depending on the circumstances:

  • Article 6 (1)(f) – legitimate interests
  • Article 9 (2)(h) – provision of health or social care
Recording your assessment call in order to determine appropriate treatment pathways.
  • Article 6(1)(a) – Consent
  • Article 9(2)(a) – Explicit consent
Recording your therapy session for client learning and recovery or for the purposes of clinical supervision.
  • Article 6(1)(a) – Consent
  • Article 9(2)(a) – Explicit consent
To ensure the billing of any products and Services procured by you or for you by a third party and obtain payment.
  • If you are a direct customer: Article 6(1)(a) – Consent
  • If your insurer or another organisation refers you: Article 6(1)(f) – Our legitimate interests in providing you with a service and gaining payment from your provider
Communications with you not related to marketing, including about changes to our terms or policies or changes to our products and services or other important notices. To process and respond to complaints, individual right’s requests’ or incidents. Depending on the circumstances:

  • To meet the requirements of a contract to deliver services to you (Article 6 (1) (b) Performance of the contract )
  • To comply with our legal and regulatory obligations (Article 6 (1) (c) Legal Obligation)
  • For our legitimate interests (i.e., to be as efficient as we can so we can deliver the best Service to you). (Article 6 (1) (f) Legitimate interests ).
To monitor and record information relating to the use of our website and how you move around different sections of our website for analytics purposes. This helps us to understand how people use our website so that we can make it more intuitive or to check our website is working as intended. Depending on the circumstances:

  • Your consent as gathered by the separate cookies tool on our website (see ‘Cookies’ below
  • where we are not required to obtain your consent and do not do so, for our legitimate interests or those of a third party, i.e. so we can deliver the best service and experience to you.
  • This website is hosted in Azure within the Onebright tenant and is designed and maintained by TiPi, who does not export or use any data stored on its client websites.
Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product/services range or other efficiency measures.
  • Depending on the circumstances:
  • Your consent (Article 6 (1) (a) Consent and  Article 9 (1) (a) Explicit Consent.)
  • For our legitimate interests in order to improve our products and Services for users, and for quality control and training purposes. (Article 6 (1) (f) Legitimate interests) .
  • Article 9 (2)(h) – provision of health or social care .
To monitor our clinical and non-clinical performance expectations.
  • For our legitimate interests in order to improve our products and Services for users, and for quality control and training purposes. (Article 6 (1) (f) and Article 9 (2) (d) Legitimate interests).
To verify compliance with the terms of use of our website or other agreement governing the use of the website or our products and Services, or to protect our (and third parties’) rights, property or safety. Depending on the circumstances:

  • To comply with our legal and regulatory obligations, (Article 6 (1) (c) Legal Obligation)  or
  • In other cases, for our legitimate interests or those of a third party, i.e. to protect our business, interests and rights of others (Article 6 (1) (f) Legitimate interests).
To exercise our legal rights, to defend ourselves from legal claims, to undertake legal proceedings or because we have a legal obligation to do so pursuant to applicable law which governs the psychological and psychiatric healthcare services we offer. Depending on the circumstances: Depending on the circumstances:

  • To comply with our legal and regulatory obligations  (Article 6 (1) (c) Legal Obligation and Article 9 (2) (h)  provision of health or social care)  , or
  • In other cases, for our legitimate interests or those of a third party, i.e. to protect our business, interests and rights of others. (Article 6 (1) (f) Legitimate Interest)
To share your personal information with members of our group and third parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary. Depending on the circumstances:

  • To meet the requirements of a contract to deliver services to you (Article 6 (1) (b) Performance of the contract )
  • To comply with our legal and regulatory obligations (Article 6 (1) (c) Legal Obligation)
  • Article 9 (2) (h)  provision of health or social care
  • For our legitimate interests or those of a third party (i.e., to be as efficient as we can so we can deliver the best Service to you). (Article 6 (1) (f) Legitimate interests )
To share with people or organisations we are required to share your personal information with by law (for example, for fraud-prevention or safeguarding purposes);
  • Article 6(1)(d) – vital interests
  • Article 9(2)(c) – vital interests
To communicate with you about content, product and Services offerings, newsletters, and event invitations which are relevant to your interests and in line with your preferences (marketing)

 
  • Article 6 (1) (f) Legitimate interests This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will ask for this separately and clearly.
  • You have the right to opt out of receiving marketing communications at any time by:
  • contacting us at the details provided below
  • using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts, or
  • updating your marketing preferences
  • We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
  • We will always treat your personal data with the utmost respect and never sell or share it with other organisations outside of our group for marketing purposes.

 

Who we share your personal information with

We may share information with:

  • Doctors, clinicians and other health and social care professionals, hospitals, clinics and other health-care organisations;
  • Suppliers who help us run our business such as website hosts, website analytics providers, online psychological platforms (Silvercloud) and payment service providers ;
  • People or organisations we are required to share your personal information with by law (for example, for fraud-prevention or safeguarding purposes);
  • The police, law-enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations and to help them perform their duties;
  • External auditors, e.g. in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations;
  • Professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
  • Other parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations.

If we provide you with psychological health care services, we may share information with:

  • Your employer (If your employer is paying for the services we are providing);
  • Our insurance partners, for example, solicitors and interpreters;
  • Those paying for the products or Services we provide to you. Where consent has been provided to your insurer, details of treatment may be shared;
  • Those providing your treatment.; and
  • This includes information about your race, ethnic origin, religion and sexual orientation to report on the services and outcomes to our referrers or relevant parties.

If Onebright does share your personal information, we will make sure suitable protection is in place to protect your personal information in line with applicable law.

Where we use third parties to process your personal information, we will ensure that third parties do so in accordance with GDPR, including by way of data processing agreements and appropriate technical and organisational security measures.

Network Clinician Privacy Notice

Information we collect

Your data may be stored in a range of different secure places, including your clinician file, in the client case management systems and in other IT systems (including the organisations email system).

We hold the following types of data:

  • Personal details such as name, address including clinic address, date of birth, phone numbers and personal and work email addresses
  • Your photograph
  • Ethnicity
  • Right to work documentation including identify documents and national insurance number
  • Information gathered via the recruitment process such as that entered into your CV and details on your education, qualifications, and employment history etc.
  • Criminal records checks
  • Information relating to your contract with us
  • Bank details

You will provide us directly with the data as part of the onboarding process and subsequently upon the start of your contract with us. We will collect additional personal information in course of your contract related activities throughout the period of you working with us.

 

How and why we use your personal information

The personal information we process is necessary for the performance of a contract (Article 6 (1) (b)). In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant’s eligibility to work in the UK before employment starts. The organisation is entitled to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment, and/or to satisfy itself that there is nothing in your criminal convictions history which makes you unsuitable for the relevant role.

The organisation may process special categories of data, such as information about ethnic origin and sexual orientation, to monitor recruitment and equal opportunity statistics and report on the same (GDPR Article 9 (2) (b)). This information may also be used for matching with clients.

Where we process criminal convictions data, this is permitted in the area of employment under the Data Protection Act 2018, Schedule1, part 1, Paragraph 1(a) and (b). For part (b) we have produced an Appropriate Policy Document which can be requested by using the details in ‘Contact Us’.

 

Who we share your personal information with

Data is shared with third parties for the following:

  • DBS services for the administration of DBS Checks.
  • Onebright clients including include potential clients who may not engage with your services.
  • Referrers to confirm which clinicians Onebright engage with and their specialisms.
  • Solicitors for legal litigation cases.
  • Where necessary, we will share information with safeguarding boards
  • Maptive to produce interactive maps showing clinic locations for treatment allocation

We have a data processing agreement in place with such third parties to ensure data is processed in accordance with GDPR. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

We may share your data with other entities in our group, such as in connection with our regular reporting activities on company performance or for system maintenance support and hosting of data.

Referring Parties

Information we collect

Onebright has a Partner Portal through which our referrers can submit referrals directly to Onebright. If you work for one of referrers and you submit a referral, the portal stores and collects your full name and work email address.

 

How and why we use your personal information

To manage your account to access the Partner Portal. Please speak to your own internal system administrator if you have technical difficulties.

To create the referral record i.e. referral created by XXX.

We process your personal information for our legitimate interest, article 6 (1) (f).

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time.

Your Information, Your Rights Easy Read

Read our leaflet to learn more

Download now