GDPR Policy for Client Data
GDPR Policy for BTG Mind Matters
​​
1. Introduction
BTG Mind Matters is committed to protecting and respecting the privacy of our clients, employees, and other stakeholders. This GDPR Policy outlines our obligations under the General Data Protection Regulation (GDPR) and how we handle, store, and protect personal data.
​
2. Scope
This policy applies to all personal data processed by BTG Mind Matters, including data related to clients, potential clients, employees, contractors, suppliers, and any other individuals whose data we may process in the course of our business activities.
​
3. Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes.
- Data Minimization: We collect only the personal data that is necessary for the purposes we have specified.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
- Storage Limitation: We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.
- Integrity and Confidentiality: We process personal data in a manner that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
​
4. Legal Basis for Processing
We process personal data only when we have a legal basis to do so. The legal bases for processing may include:
- Consent: The individual has given clear consent for us to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.
- Legal Obligation: The processing is necessary for us to comply with the law.
- Legitimate Interests: The processing is necessary for our legitimate interests, provided that these are not overridden by the individual's rights.
​
5. Data Collection
We collect personal data from clients and other individuals through our online forms when applying for access to the Respite Programme or providing feedback for the Respite Programme.
We may also collect data from:
- Other online forms
- Email correspondence
- Telephone conversations
- In-person meetings
- Social media
The types of personal data we may collect include:
- Name, address, and contact details
- Date of birth
- Ethnicity
- Employment Status
- Registered GP Practice
- Medical or psychological history (where relevant to our services)
- Payment details
​
When you contact us by email, letter or on the phone we may also record this information on our customer relationship management system to help us process your request efficiently.
6. Data Use
We use personal data for the following purposes:
- Providing early intervention mental health services
- Communicating with clients about their treatment
- Managing client records
- Billing and payment processing
- Improving our services
- Compliance with legal obligations
​
7. Data Sharing
We do not share personal data with third parties except in the following circumstances:
- With Consent: We may share personal data with third parties when we have the individual's explicit consent to do so.
- Service Providers: We do share data with trusted service providers who perform functions on our behalf, such as talking therapist and personal trainer service providers. These providers are bound by confidentiality agreements and data protection obligations.
- Legal Requirements: We may disclose personal data if required to do so by law or in response to legal requests.
- Risk of Harm: If we believe that an individual is at significant risk of harm to themselves or others, we may share personal details with appropriate authorities, such as medical professionals, law enforcement, or emergency services. This is done in accordance with our duty of care and legal obligations to prevent harm.
​
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption of sensitive data
- Secure storage solutions
- Access controls to limit access to personal data
- Regular security assessments and updates
- To further protect our systems and the personal data we process, all passwords used within our systems are updated twice per year. This practice ensures an additional layer of security, reducing the risk of unauthorised access.
​
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Once personal data is no longer needed, we securely delete or anonymise it.
10. Data Subject Rights
Individuals have the following rights regarding their personal data:
- Right to Access: The right to request access to the personal data we hold about them.
- Right to Rectification: The right to request correction of any inaccurate or incomplete personal data.
- Right to Erasure: The right to request the deletion of personal data in certain circumstances.
- Right to Restrict Processing: The right to request the restriction of processing in certain circumstances.
- Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to Object: The right to object to the processing of their personal data in certain circumstances.
To exercise these rights, individuals should contact us using the contact details provided in Section 12.
​
11. Data Breach Notification
In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also inform the affected individuals without undue delay.
​
12. Contact Information
For any questions or concerns regarding this GDPR policy or our data protection practices, please contact:
BTG Mind Matters CIO
support@btg-mindmatters.org
​
We may update this GDPR Policy from time to time. Any changes will be posted on our website and, where appropriate, notified to individuals by email. The date of the latest revision will be indicated at the top of the policy.