Maintaining robust data protection practices is essential to providing high-quality talking therapies and maintaining trust with those who use our services (referred to as clients) and those who work for or alongside us (referred to as employees or self-employed professionals).
Therefore, at Flourish with Neurodiversity, we are committed to protecting the personal data of our clients in line with the Data Protection Act 2018, the UK GDPR and all other data protection legislation currently in force.
This policy outlines how we process and protect personal information, sensitive personal information or criminal records data, to ensure it is handled lawfully, fairly, and transparently.
By following this policy, we ensure that data is kept secure, used only for its intended purpose, and shared appropriately, respecting the privacy and rights of individuals.
This policy applies to all those working for or on behalf of Flourish with Neurodiversity and to any personal (or sensitive personal) information and criminal records information processed by Flourish with Neurodiversity.
Controller
A controller is a natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject
Means the individual to whom the personal information relates.
Personal Information
Sometimes known as 'personal data'. Means information relating to an individual who can be identified (directly or indirectly) from that information.
Processing Information
Means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.
Processor
The UK GDPR defines a processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Pseudonymised
This is the process by which personal information (or sensitive personal information) is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual.
Sensitive Personal Information
Sometimes known as 'special categories of personal data' or 'sensitive personal data'. Means personal information about an individual's race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (where used to identify an individual) and information concerning an individual's health, sex life or sexual orientation.
Flourish with Neurodiversity endorses fully and adheres to the Data Protection Principles listed below. When processing data, we will ensure that it is:
⦁ processed lawfully, fairly and in a transparent way
⦁ not processed further than the legitimate purposes for which that data was collected
⦁ limited to what is necessary in relation to the purpose
⦁ accurate and kept up-to-date
⦁ kept in a form which permits identification of the data subject for no longer than is necessary
⦁ processed in a manner that ensures the security of that personal data and protects against unauthorised or unlawful processing and accidental loss, destruction, or damage
⦁ processed by a controller who can demonstrate compliance with the principles
These principles must be observed at all times when processing or using personal information.
Concerning any processing activity, we will, before the processing starts for the first time, and then regularly while it continues:
⦁ Review the purposes of the processing activity and select the most appropriate lawful basis (or bases) for that processing, for example:
⦁ That the data subject has consented to the processing;
⦁ That the processing is necessary for the performance of a contract to which the data subject is a party;
⦁ To take steps at the request of the data subject before entering into a contract;
⦁ That the processing is necessary for compliance with a legal obligation to which Flourish with Neurodiversity is subject;
⦁ That the processing is necessary for the protection of the vital interests of the data subject or another natural person;
⦁ That the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority; or
⦁ That the processing is necessary for the legitimate interests of Flourish with Neurodiversity or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the Data Subject.
⦁ Document our decision as to which lawful basis applies to help demonstrate our compliance with the data protection principles.
⦁ Include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s).
⦁ Where criminal offence information is processed, also identify a lawful condition for processing that information and document it.
⦁ If processing is based on legitimate interests, determine whether Flourish with Neurodiversity's legitimate interests are the most appropriate basis for lawful processing, and:
⦁ Conduct a Legitimate Interest Assessment (LIA) and keep a record of it to ensure that we can justify our decision;
⦁ If the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);
⦁ Keep the LIA under review and repeat it if circumstances change; and
⦁ Include information about our legitimate interests in our relevant privacy notice(s).
Flourish with Neurodiversity may need to process sensitive personal information. We will only process sensitive personal information if:
⦁ We have a lawful basis for doing so set out above; and
⦁ One of the special conditions for processing sensitive personal information applies, for example:
⦁ The data subject has given explicit consent so that Flourish with Neurodiversity can provide its services.
⦁ The processing is necessary for exercising the employment law rights or obligations of Flourish with Neurodiversity or the data subject.
⦁ The processing is necessary to protect the data subject's vital interests, and the data subject is physically incapable of giving consent.
⦁ The processing relates to personal data which has manifestly been made public by the data subject.
⦁ The processing is necessary for the establishment, exercise, or defence of legal claims; or
⦁ The processing is necessary for reasons of substantial public interest.
⦁ The individual has been properly informed of the nature of the processing, the purposes for which it is being carried out, and the legal basis for it.
Before any new form of technology is introduced, and where data processing is likely to result in a high risk to an individual's data protection rights, we will, before commencing the processing, carry out a DPIA to assess:
⦁ Whether the processing is necessary and proportionate in relation to its purpose.
⦁ The risks to individuals.
⦁ What measures can be put in place to address those risks and protect personal information.
During any DPIA, we will seek appropriate advice from data protection experts and/or the relevant governing bodies/authorities (for example, the ICO).
We will keep records of processing activities, including:
⦁ A description of the categories of individuals and categories of personal data;
⦁ Categories of recipients of personal data;
⦁ The purposes of the processing;
⦁ Where relevant, details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
⦁ Where possible, retention schedules; and
⦁ Where possible, a description of technical and organisational security measures.
As part of our record of processing activities, we document, or link to documentation, on:
⦁ Records of consent.
⦁ Controller-processor contracts.
⦁ The location of personal information.
⦁ DPIAs; and
⦁ Records of data breaches.
If we process sensitive personal information or criminal records information, we will keep written records of:
⦁ The relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;
⦁ The lawful basis for our processing; and
⦁ Whether we retain and erase the personal information following our policy document, and, if not, the reasons for not following our policy.
We will regularly review the personal information we process and update our documentation accordingly. This may include:
⦁ Carrying out information audits to find out what personal information Flourish with Neurodiversity holds and how we process it.
⦁ Reviewing our policies, procedures, contracts, and agreements to address areas such as retention, security, and data sharing.
Flourish with Neurodiversity will issue privacy notices from time to time, informing individuals about the personal information that we collect and hold relating to them, how they can expect their personal information to be used and for what purposes.
We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
Individuals have the following rights concerning their personal information:
⦁ The right to access personal data held about them (the right of subject access);
⦁ The right to be informed about how and why their data is used, which means we must give them privacy information;
⦁ The rights to have their data rectified, erased or restricted;
⦁ The right to object;
⦁ The right to portability of their data; and
⦁ The right not to be subject to a decision based solely on automated processing.
Note: In some circumstances, exemptions and restrictions can legitimately be applied to exempt or qualify the right of individuals to exercise these rights. For example:
⦁ If fulfilling the request would undermine the prevention, investigation, detection, or prosecution of criminal offences.
⦁ If the processing of personal data is necessary for the establishment, exercise, or defence of legal claims.
⦁ If fulfilling the request would infringe upon the rights and freedoms of others, including trade secrets or intellectual property.
All employees and self-employed professionals are required to read this and other relevant Data Protection/IT Security Policies.
All employees and self-employed professionals are responsible for helping Flourish with Neurodiversity keep their personal information up to date and must let us know if the information they have provided to us changes, for example, if they move to a new house or change their bank account.
As an employee or self-employed professional, you may have access to personal information (e.g., of our clients, colleagues, etc.) during your employment or engagement.
If you have access to personal information, you must:
⦁ Only access the personal information that you have the authority to access, and only for authorised purposes.
⦁ Only allow others to access personal information if they have appropriate authorisation from the business owner to do so.
⦁ Keep personal information secure, for example, by complying with rules on computer access, password protection, secure file storage and destruction, etc.
⦁ Not store personal information on personal devices.
You should contact the business owner (Natasha Wakeling) if you are concerned or suspect that this policy has been breached or if you suspect or are made aware of a data breach (as set out below).
Flourish with Neurodiversity will use appropriate technical and organisational measures to keep personal information secure and to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
In rare cases where Flourish with Neurodiversity uses external organisations to process personal information on its behalf, additional security arrangements will be implemented in contracts with those organisations to safeguard the security of personal information. In particular, contracts with external organisations will provide that:
⦁ The organisation may act only on the written instructions of Flourish with Neurodiversity;
⦁ Those processing the data are subject to a duty of confidence;
⦁ Appropriate measures are taken to ensure the security of processing;
⦁ Sub-contractors are only engaged with the prior consent of Flourish with Neurodiversity and under a written contract;
⦁ The organisation will assist Flourish with Neurodiversity in providing subject access and allowing individuals to exercise their rights under the GDPR;
⦁ The organisation will assist Flourish with Neurodiversity in meeting its GDPR obligations concerning the security of processing, the notification of data breaches and data protection impact assessments;
⦁ The organisation will delete or return all personal information to Flourish with Neurodiversity as requested at the end of the contract; and
⦁ The organisation will submit to audits and inspections and provide Flourish with Neurodiversity with whatever information it needs to ensure that they are both meeting their data protection obligations.
Where appropriate, we will apply pseudonymisation to personal data to enhance privacy and data protection. Examples of when pseudonymisation may be used include:
⦁ When preparing anonymised success stories or training examples
⦁ When tracking progress across groups (e.g., number of coaching sessions attended vs. improvement in daily living skills)
Please note that pseudonymisation may be used in combination with other security measures such as encryption and access restriction.
Personal information (and sensitive personal information) will be kept securely following the principles below:
⦁ Personal information (and sensitive personal information) should not be retained any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained.
⦁ Personal information (and sensitive personal information) that is no longer required will be deleted permanently from our information systems, and any hard copies will be destroyed securely.
A data breach may take many different forms, for example:
⦁ Loss or theft of data or equipment on which personal information is stored;
⦁ Loss of data resulting from an equipment or system failure;
⦁ Human error, such as accidental deletion or alteration of data;
⦁ Unforeseen circumstances, such as a fire or flood;
⦁ Deliberate attacks on IT systems; and
⦁ 'Blagging' offences, where information is obtained by deceiving the organisation which holds it.
In the event of a Data Breach, Flourish with Neurodiversity will:
⦁ Immediately take such steps as are necessary to minimise the risk to clients, any employees or self-employed professionals we engage, and the organisation.
⦁ Assess the situation and determine what steps need to be taken.
⦁ Make the required report of a data breach to the Information Commissioner's Office without undue delay and, where possible, within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals.
⦁ Notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms, and notification is required by law.
⦁ Take steps as necessary to ensure that similar breaches cannot happen again.
Whilst Flourish with Neurodiversity does not intend to transfer personal information outside the U.K. (United Kingdom) and E.U. (European Union), some of the software used by Flourish with Neurodiversity may be hosted outside of the U.K. and E.U.
However, we have determined that this data is secure on the basis that the country, territory or organisation is designated as having an adequate level of protection and has provided adequate safeguards by way of acceptable data protection clauses.
At Flourish with Neurodiversity, we are committed to upholding the highest standards of data protection and privacy and want to assure all individuals that we will never sell or trade personal data to any third parties.
This list details the specific data types that may be collected, the reason the data is processed, the legal/legitimate reason, and the expected retention period.
Information Type: Client Data
Data Stored:
⦁ Personal Contact Details, e.g., name, home address, telephone number(s), and personal email address
⦁ Emergency Contact Details
⦁ Date of Birth
⦁ Health Data
⦁ Healthcare Registration Details (GP registration)
⦁ Payment Details
Processing Reason:
⦁ Providing Tailored Services
⦁ Health and Safety Compliance
⦁ Legal Obligations
⦁ Emergency Situations
Legal Interest/Legitimate Reason:
⦁ Consent.
⦁ Contract.
⦁ Legal Obligation.
⦁ Legitimate Interests.
Retention Policy:
⦁ Case notes not linked to safeguarding – retained for 3–7 years after the end of service, in line with many similar services (e.g., counselling/therapy organisations).
⦁ Safeguarding-related records – records linked to safeguarding concerns may need to be kept longer, in line with local authority or safeguarding partnership guidance.
⦁ Pseudonymised data – may be retained indefinitely.
The following core systems are used to store day-to-day operational information. Access is only provisioned to individuals with a legitimate need to know, and software access controls are managed internally.
The systems typically used are:
⦁ Microsoft Office Programmes (Outlook, OneDrive, etc.)
⦁ Google Drive
⦁ Omni CRM
No physical data is stored by Flourish with Neurodiversity; any notes taken during talking therapy sessions will be typed up, with the physical copies being shredded.
Client data is only shared where there is a lawful basis with the following individuals and organisations:
⦁ Our Accountant, who has access to our bank account.
⦁ Other healthcare professionals (e.g., in an emergency, we may provide personal data to the paramedics).
⦁ Local Authority departments such as Safeguarding Teams and Social Services (where there is a Safeguarding concern).
⦁ The Police (where we are required to report criminal activity).
Data subjects have the right to access any personal data that is being kept about them by Flourish with Neurodiversity. To do this, the data subject must make a 'subject access request'.
To make a subject access request, the data subject should contact Natasha Wakeling:
⦁ Email: [email protected]
⦁ Telephone: 07355929709
Flourish with Neurodiversity aims to deal with the subject access request as quickly as possible, and all requests will be completed within 30 days unless defined as complex. If the time exceeds 30 days, the requester will be notified in writing.
Subject Access Requests coming directly from the data subject will be free. However, we can charge a fee if requests become unfounded or excessive. Alternatively, we can refuse to comply with the request, for example, if the request is manifestly unfounded or manifestly excessive.
Please Note:
⦁ Some of the rights under the GDPR may be limited where we have an overriding interest or legal obligation to continue to process the data, or where data may be exempt from disclosure by law.
⦁ We sometimes need to request specific information from a requester to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is an appropriate security measure to ensure that personal information is not disclosed to anyone without the right to receive it.
Flourish with Neurodiversity takes compliance with this policy very seriously. Failure to comply with the policy:
⦁ Puts data subjects at risk.
⦁ Carries the risk of significant civil and criminal sanctions for the individual and Flourish with Neurodiversity.
⦁ May, in some circumstances, amount to a criminal offence by the individual.
Because of the importance of this policy, failure to comply will usually be treated as gross misconduct and will result in a working agreement/contract being terminated without notice.
If you have any questions or concerns about this policy, do not hesitate to contact us.
Flourish with Neurodiversity is committed to ensuring our policies are effective and up-to-date. To do this, we have a process for regularly monitoring and reviewing them.
The business owner and founder is responsible for this process and will review this policy at least once a year or more frequently if needed due to changes in laws or our practices.
Author: Policy Pros
Issue Number: 1
Approved Date: 02/09/2025
Approved By: Natasha Wakeling
Copyright 2024 - 2025. Flourish Neurodiversity. All Rights Reserved.