1. Introduction and Purpose
ClearMinds is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection legislation.
As a provider of workplace mental health and wellness support services, we process sensitive personal data, including special category data relating to health. We recognise the critical importance of maintaining the highest standards of data protection and privacy.
This policy sets out our approach to data protection and the responsibilities of all staff, contractors, and partners who process personal data on behalf of ClearMinds.
Our Commitment
We are committed to processing personal data in accordance with our responsibilities under data protection legislation, maintaining the confidentiality, integrity, and availability of personal data, and respecting the rights of individuals whose data we process.
2. Scope and Application
This policy applies to:
- All personal data processed by ClearMinds
- All staff members, contractors, consultants, and temporary workers
- All data processing activities, whether manual or automated
- All systems, platforms, and technologies that process personal data
- All third parties who process personal data on our behalf
3. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable living individual |
| Special Category Data | Sensitive data including health information, racial or ethnic origin, religious beliefs, etc. |
| Processing | Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.) |
| Data Controller | The organisation that determines the purposes and means of processing (ClearMinds) |
| Data Processor | A third party that processes personal data on behalf of the controller |
| Data Subject | The individual to whom the personal data relates |
4. Data Protection Principles
We adhere to the seven key principles of data protection:
4.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about how we use personal data through privacy notices and ensure individuals understand what data we collect and why.
4.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes only. We do not process data in ways incompatible with those purposes without obtaining fresh consent or having another lawful basis.
4.3 Data Minimisation
We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
4.4 Accuracy
We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data is rectified or deleted without delay.
4.5 Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected, in line with our Data Retention Policy.
4.6 Integrity and Confidentiality (Security)
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
4.7 Accountability
We demonstrate compliance with these principles through documentation, policies, procedures, training, and regular audits.
5. Lawful Basis for Processing
We only process personal data where we have a lawful basis under Article 6 of UK GDPR:
5.1 Standard Personal Data
- Consent: The individual has given clear consent for us to process their data
- Contract: Processing is necessary for performance of a contract with the individual
- Legal obligation: Processing is necessary to comply with the law
- Vital interests: Processing is necessary to protect someone's life
- Public task: Processing is necessary to perform a task in the public interest
- Legitimate interests: Processing is necessary for our legitimate interests (unless overridden by individual's rights)
5.2 Special Category Data (Health Data)
For health data, we also require a condition under Article 9 UK GDPR (and, where Article 9(2)(h) or (i) is relied on, the corresponding condition in Schedule 1 of the Data Protection Act 2018):
- Explicit consent (Article 9(2)(a)): The individual has given a clear, express statement consenting to the processing of their health data. Accepting general terms and conditions when booking counselling is not explicit consent; the consent must be separate, specific to the health data, and recorded
- Health or social care purposes (Article 9(2)(h)): Processing is necessary for the provision of health or social care or treatment, carried out by or under the responsibility of a professional bound by an obligation of confidentiality (Article 9(3))
- Public health (Article 9(2)(i)): Processing is necessary for reasons of public interest in the area of public health
⚠️ Special Category Data Handling: Health data requires additional safeguards. All staff must complete specialist training on handling health data and follow strict confidentiality procedures.
6. Data Subject Rights
Individuals have the following rights under UK GDPR:
6.1 Right to be Informed
Individuals have the right to know how their personal data is being used. We provide this information through our Privacy Policy and privacy notices.
6.2 Right of Access (Subject Access Request)
Individuals have the right to obtain a copy of their personal data and information about how it is processed. We respond to Subject Access Requests (SARs) within one month of receipt; this may be extended by up to two further months where requests are complex or numerous, in which case we inform the individual within the first month. See our SAR Procedure for details.
6.3 Right to Rectification
Individuals can request correction of inaccurate or incomplete personal data. We update records promptly upon receiving such requests.
6.4 Right to Erasure ('Right to be Forgotten')
In certain circumstances, individuals can request deletion of their personal data. This right is not absolute - we may need to retain data for legal or regulatory reasons.
6.5 Right to Restrict Processing
Individuals can request that we limit how we use their data in certain circumstances (e.g., while accuracy is verified).
6.6 Right to Data Portability
Individuals can request their data in a structured, commonly used format to transfer to another service provider.
6.7 Right to Object
Individuals can object to processing based on legitimate interests or for direct marketing purposes.
6.8 Rights Related to Automated Decision-Making
Individuals have rights regarding automated decisions (including profiling) that have legal or significant effects. We do not currently use fully automated decision-making.
Exercising Rights
Individuals can exercise their rights by contacting our Data Protection Officer at: dpo@clearmindseap.com
7. Consent
Where we rely on consent as our lawful basis, we ensure consent is:
- Freely given: Not coerced or conditional
- Specific: Separate consent for different purposes
- Informed: Clear information provided about what data is used and why
- Unambiguous: Clear affirmative action required (not pre-ticked boxes)
- Withdrawable: Easy to withdraw consent at any time
We maintain records of when and how consent was obtained and keep this information for the duration of the relationship plus 2 years.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data:
8.1 Technical Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for all systems
- Regular security updates and patching
- Firewalls and intrusion detection systems
- Secure backup procedures
- Anti-virus and anti-malware protection
8.2 Organisational Measures
- Role-based access controls
- Staff confidentiality training
- Clear desk and clear screen policies
- Secure disposal procedures
- Regular security audits and penetration testing
- Incident response procedures
For full details, see our Information Security Policy.
9. Data Sharing and Third Parties
9.1 When We Share Data
We only share personal data when:
- We have a lawful basis to do so
- It's necessary for service provision
- We have appropriate safeguards in place
- We have Data Processing Agreements (DPAs) with processors
9.2 Categories of Recipients
- IT service providers: Cloud hosting, email services, backup services
- Professional advisers: Lawyers, accountants (where necessary)
- Regulatory authorities: ICO, professional bodies (where legally required)
- Corporate clients: Aggregated, anonymised usage statistics only, presented so that no individual can be identified (NOT individual session details or anything that could reveal whether a particular employee has used the service)
9.3 Data Processing Agreements
All third-party processors must sign a Data Processing Agreement (DPA) that includes:
- Scope and purpose of processing
- Security obligations
- Sub-processor requirements
- Data breach notification (within 24 hours)
- Assistance with DPIAs and data subject rights
- Audit rights
- Data return or deletion on termination
10. International Data Transfers
We prioritise UK-based data processing and storage. Where a restricted transfer of personal data outside the UK occurs, we ensure that either:
- The destination country is covered by UK adequacy regulations, OR
- Appropriate safeguards are in place (e.g., the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses), supported by a transfer risk assessment
and, in either case, that data subjects' rights remain enforceable and effective legal remedies are available to them.
All international transfers are documented in our Record of Processing Activities (ROPA).
11. Data Retention
We retain personal data only for as long as necessary:
| Data Type | Retention Period |
|---|---|
| Clinical records (adults) | 8 years from last contact |
| Clinical records (children) | Until 25th birthday OR 8 years from last contact (whichever is longer) |
| Employee records | Duration of employment + 7 years |
| Financial records | 7 years from end of financial year |
| Contracts | Duration of contract + 7 years |
For complete retention schedules, see our Data Retention Policy.
12. Data Breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes accidental incidents (for example, an email sent to the wrong recipient or a lost unencrypted device) as well as deliberate attacks.
12.1 Reporting Breaches
All staff must report suspected breaches immediately to the Data Protection Officer:
- Email: dpo@clearmindseap.com
- Phone: [DPO PHONE NUMBER]
- Emergency: [24/7 EMERGENCY NUMBER]
12.2 Breach Response
Where a breach is likely to result in a risk to individuals' rights and freedoms, we must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Our Data Breach Response Plan includes:
- Immediate containment procedures
- Risk assessment
- ICO notification (if required)
- Data subject notification (if high risk)
- Post-incident review
⚠️ CRITICAL: Never delay breach reporting. Even if unsure whether it qualifies as a breach, report it immediately. The DPO will assess severity.
13. Privacy by Design and Default
We implement data protection from the outset of any new project, system, or process:
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Privacy considerations in system design
- Privacy-protective settings by default, so individuals are never required to opt out
- Data minimisation from the start
- Security measures built in, not bolted on
14. Roles and Responsibilities
14.1 Board of Directors
- Ultimate accountability for data protection
- Approve data protection policies
- Ensure adequate resources for compliance
- Receive regular compliance reports
14.2 Data Protection Officer (DPO)
- Monitor compliance with UK GDPR
- Advise on data protection obligations
- Act as contact point for ICO
- Advise on and review DPIAs; conduct compliance audits
- Manage data breach response
- Handle data subject rights requests
14.3 All Staff
- Comply with this policy and related procedures
- Complete mandatory data protection training
- Report suspected breaches immediately
- Follow security procedures
- Only access data needed for their role
- Respect confidentiality
14.4 Managers
- Ensure team compliance
- Facilitate staff training
- Manage access rights
- Report and escalate issues
15. Training and Awareness
All staff must complete:
- Induction training: Before accessing personal data
- Annual refresher training: Every 12 months
- Role-specific training: For clinical staff, IT staff, managers
- Training on updates: When policies or procedures change
Training completion is monitored and recorded. Non-completion may result in access restrictions.
16. Monitoring and Audit
We monitor compliance through:
- Quarterly reviews of processing activities
- Annual internal audits
- Regular access rights reviews
- Breach log analysis
- Training completion tracking
- Third-party processor reviews
17. Records and Documentation
We maintain comprehensive records including:
- Record of Processing Activities (ROPA) - updated quarterly
- Data breach log
- Subject Access Request log
- Training records
- DPIAs for high-risk processing
- Data Processing Agreements with processors
- Consent records
- Policy approval and review documentation
18. Related Policies and Procedures
- Privacy Policy (public-facing)
- Data Retention Policy
- Data Breach Response Plan
- Subject Access Request Procedure
- Information Security Policy
- Cookie Policy
- Staff Handbook
- Confidentiality Policy
19. Policy Review and Updates
This policy is reviewed:
- Annually as a minimum
- When legislation changes
- Following significant data breaches
- When processing activities change significantly
- Following ICO guidance updates
Questions or Concerns?
If you have questions about this policy or data protection at ClearMinds:
Data Protection Officer: dpo@clearmindseap.com | [PHONE]
Emergency (24/7): [EMERGENCY NUMBER]
20. Compliance and Enforcement
Failure to comply with this policy may result in:
- Retraining requirements
- Restriction or removal of data access
- Disciplinary action up to and including dismissal
- Legal action in serious cases
ClearMinds may also face:
- ICO fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher
- Criminal sanctions for certain offences
- Reputational damage
- Loss of corporate partnerships