GDPR

Confidentiality is at the core of everything we do and protecting the privacy of our clients is extremely important to us.

Our privacy policy below explains exactly what information we collect from you and how we use it. By continuing to use our website, you are providing consent for us to collect and process data in line with the terms listed below.

The Step-by-Step Recovery privacy notice covers:

  • Our contact information
  • What personal data we collect
  • How we use your personal data
  • Where we store your personal data
  • How your personal data is protected
  • Disclosure to third parties
  • Retention of personal data
  • How to request a copy of your data
  • Your rights
  • Cookie policy

If you have any questions about our policies, please feel free to contact us on any of the information below:

Data Controller: The Lighthouse Rehab Clinic by Step-by-Step Recovery Ltd
Address: 1A Southchurch Avenue, Southend-On-Sea, SS3 9BA
Telephone: 01702 296 006
Email: [email protected]

If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office (ICO) www.ico.org.uk.

Privacy notice for residents in our care

When you contact Step-by-Step Recovery, you may be asked to provide some personal information depending on the type of service you require. This personal information will always be used in accordance with this privacy notice. We may also combine it with other information so we can improve our services. You are not required to provide any personal information that we request; however, in most cases, if you choose not to, we will not be able to provide you with our services or respond to any queries you may have.

Examples of occasions you may be asked to share personal data include:

  • If you’re contacting us for a treatment quote
  • If you’re providing personal information for your admittance documentation
  • If you’re voluntarily completing a survey or feedback form
  • If you have given a third-party permission to share with us the information they hold about you

What kind of data do we collect?

Personal data or information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed.

The data we collect may include:

  • Name
  • Date of birth
  • Address
  • Telephone number
  • Email address
  • Online identifier (social media handles or usernames)
  • Physical and mental health information
  • Financial information
  • NHS number
  • National Insurance number
  • Passport details, residency status and nationality
  • Marital status
  • Racial or ethnic origin
  • Religion
  • Your next of kin and their contact numbers in case of an emergency

How we use your data

We may use your information to:

  • Process a payment
  • Carry out our obligations to you with regard to treatment and care
  • Ask your views or comments on the services we provide
  • Notify you of any changes to our services
  • Send you communications that you have requested and that may be of interest to you. This includes newsletters and information about upcoming events.

The personal information we collect and store about you allows us to develop, operate, deliver, and improve the quality of care we provide or, more generally, the type of services that we offer. From time to time, we may use your personal information to contact those acting on your behalf, so we can update them on your progress, care and treatment plans or inform them of changes to our policies. Because this information is important to your interaction with Step-by-Step Recovery, you may not opt-out of receiving these communications.

How do we store your data

We aim to protect your data by storing it on secure servers and implementing technical and organisational security measures to safeguard your personal data and to reduce the risk of loss, misuse, unauthorised access, disclosure and alteration.

Your records are stored:

  • On paper: All paper documents are kept in secured filing cabinets, and our offices are always locked and alarmed out of working hours.
  • Electronically: We use a specialist client/patient management system. This provider is fully compliant with the General Data Protection Regulations. Access to this data is password protected, and the passwords are changed regularly.
  • On our office computers: These are password-protected and backed up regularly. We also use firewalls and data encryption to protect this information, with all offices locked and alarmed out of working hours.

Although we believe we have taken adequate and appropriate measures, no system is perfect, and we therefore cannot guarantee that unauthorised access or theft will not occur. If you suspect that there has been unauthorised access to your personal information, please let us know immediately by contacting us on the details provided above.

How we protect your personal data

At Step-by-Step Recovery, we take the security of your personal information very seriously. To make sure your personal information is protected, we have a series of technical and administrative measures in place. Access is limited only to those of our employees who need to access it to provide services to you.

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instruction, and they are subject to a duty of confidentiality.

Step-by-Step Recovery employees are required to undertake data protection and confidentiality training every two years, and privacy guidelines are communicated to all our staff for security. These privacy safeguards are monitored and strictly enforced. Any information that we need to share with third parties, either as a legal requirement or through an anonymised process, is sent securely.

All data is stored on servers within data centres in the UK, although at times they may be temporarily outside the UK but within the EU.

Disclosure to third parties

Your data is kept within Step-by-Step Recovery unless it is necessary to share with third parties. Where we share your data with third parties, we provide written instructions to them to ensure that your data is held securely and in line with GDPR requirements. These third parties are then required to implement the appropriate measures to ensure the security of your data.

We only transfer your data to other companies for the purpose of the normal management of our facility e.g., to cloud-based hosting providers. Where this is the case, safeguards are put in place to secure your data – such as ensuring that the hosting provider’s security complies with GDPR.

We may also share data with third parties where Step-by-Step Recovery has a legal obligation to do so.

Your data can be shared with other people at your own request, for example, family or friends.

We may share your data with other bodies, for example, social care or educational services. Where we do, we will always obtain your consent unless we are legally required to share the information.

You have a right to revoke your consent to sharing data where your consent is necessary, and we will explain the consequences of this when you do.

Only the following people/agencies will have routine access to your data:

  • Your practitioner(s) so that they can provide you with treatment
  • Our reception, therapeutic, support and addiction staff, who organise our treatment programmes, schedules, and coordinate classes, groups and one-to-one sessions
  • The specialist patient management system which stores and processes your contact information
  • Insurance companies, when applicable, who are your co-data controllers
  • We may share your data with third parties to facilitate a referral to another healthcare practitioner, investigation or to keep your GP informed about your progress with treatment, should you give consent

From time to time, we may have to employ consultants to perform tasks which might give them access to your personal data (but not your treatment notes). We ensure that these consultants are aware that the information they are accessing is strictly confidential and will require that they sign a non-disclosure agreement.

Transferring your information outside of Europe

There are occasions where it is possible that the information you provide to us through this website may be transferred to countries outside the European Union. For example, this could occur if any of our servers are, at any time, located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing, or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.

If you use our website services while you are outside the EU, your information may be transferred outside the EU so that we can provide you with those services.

Retention of data

Your personal data will only be retained for as long as is necessary for Step-by-Step Recovery to fulfil the purpose we collected it for. This may include satisfying any legal, accounting or reporting requirements.

We have a legal obligation to retain your treatment records for eight years from the date of your last visit to us. If you visit us for a free assessment and decide not to continue to assessment and treatment, we delete your free record at various intervals throughout the year.

We will retain your contact records indefinitely should you need to see us at some future date. However, we will be happy to delete this at your request once the legal obligation has passed.

Your rights

Under GDPR laws, you have several rights regarding your personal data. These include:

  • The right to be informed of data that is processed about you
  • The right to request access to your data and for this data to be provided within 30 days of your request or two months for complex cases. This data should be provided at no cost except under certain circumstances
  • The right to rectify any information held, and for this to be corrected within 30 days of the request or two months for complex cases
  • The right to erasure of data – where appropriate, your information can be deleted at your request. This will only apply where Step-by-Step Recovery determine that keeping your data on record is no longer necessary
  • The right to restrict processing – under certain narrow circumstances, you will have the right to restrict Step-by-Step Recovery from processing your data
  • The right to data portability – under certain circumstances you can request to copy or transfer your information from one IT environment to another
  • The right to object to processing – under certain circumstances you can object to the processing of the data and Step-by-Step Recovery must stop processing unless it can demonstrate an overriding legitimate interest to continue

Cookie Policy

You can find details of our cookie policy here.
