Information Governance (IG) Policy
Reviewed Annually, date of Last Review: October 2021 (SL)
Author: Steve Leach, Director
- Introduction
In the healthcare sector, it is inevitable that professionals and the organisations they work for
will use and process large amounts of individuals’ personal data. The use, storage, and
processing of personal data within health and social care is governed by a wide range of
legislation and guidelines, including:
• General Data Protection Regulation (GDPR) 2016
• Data Protection Act 2018
• Regulation of Investigatory Powers 2000
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Re-use of Public Sector Information Regulations 2005
Information Governance (IG) is the term used to describe how organisations meet their
obligations under this legislation, and other guidelines around preserving the privacy of
personal data. Under data protection legislation, organisations that process personal data
are accountable for, and must be able to demonstrate their compliance with the legislation.
The arrangements set out in this and related policies and procedures are intended to
achieve this demonstrable compliance.
Think Therapy is registered with the Information Commissioner’s Office (ICO) under number
ZA788980 and for the purposes of this policy is the Data Controller.
The appointed Data Protection Officer (DPO; refer to section 3) is Steve Leach who can be
contacted here:
Email: admin@thinktherapy.org.uk
Postal Address: Think Therapy, Victoria Business Centre, Croft Street, Widnes, WA8 0NQ
Think Therapy Social Enterprise Ltd. is a Company Registered in England and Wales with
Company number 10867392.
- What information do we collect?
Although the most obvious type of personal data processed in health and social care is that
of patients/ clients, it is not only their privacy which is protected by robust IG procedures.
The rules are also concerned with the personal data of employees, contractors, and other
staff; patients’/ clients’ friends and family; professionals in partner organisations; and any
other personal data with which organisations come into contact.
Personal data is any information that can be used to identify you or another person. For
example, if you use our services or visit our offices, we will collect and process the personal
data that you have provided.
We may collect the following personal data:
• Basic personal details (your name, email address, postal address, telephone or
mobile number and date of birth)
• Financial details (bank account number, UK taxpayer information for gift aid)
• Credit or debit card information
• IP address
• Photos, videos or audio recordings, if used as part of our work with you
We may also collect, store and use the following ‘special categories’ of sensitive personal
data which need more protection, called a ‘condition of processing’. We won’t use any of this
information without a justified reason:
• Information about your race or ethnicity
• Philosophical or religious beliefs
• Sexual orientation
• Political opinions
• Information about your health, including any medication you have been prescribed
We will not share your information unnecessarily and will ensure that your data is:
• Held securely and confidentially
• Processed fairly and lawfully
• Obtained for specific purpose(s)
• Recorded accurately and reliably
• Used effectively and ethically, and
• Shared and disclosed appropriately and lawfully
- Data Protection Officer (DPO)
The Data Protection Officer (DPO) is responsible for ensuring that all those working for and
on behalf of Think Therapy are furnished with the necessary information regarding Data
Protection Law and that they have sight of and acknowledge this policy.
The DPO will ensure that the organisation maintains its registration and adherence to the
relevant offices and that privacy concerns or recommendations with regard to potential
changes to, or new initiatives that involve, processing of personal data are followed.
The DPO will:
• provide advice to the organisation and its employees on compliance
obligations with data protection law
• advise on when data protection impact assessments are required
• monitor compliance with data protection law and organisational policies in
relation to data protection law
• co-operate with, and be the first point of contact for the Information
Commissioner
• be the first point of contact within the organisation for all data protection
matters
• be available to be contacted directly by data subjects
• take into account information risk when performing the above
- Employees, Volunteers and Associates (Staff)
It is the responsibility of each staff member to adhere to this policy and all associated
information governance, e.g., the Data Protection Act 2018 and policies and procedures.
Staff will receive instruction and direction regarding the policy from several sources:
• DPO
• Other relevant policies, procedures and legislation
• Line manager
• Specific training course
• Other communication methods, for example, team meetings.
- Clients’ Rights
Under the Data Protection Act 2018, anyone has the right to find out what information the
government and other organisations store about them. These include the right to:
• be informed about how their data is being used
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of their data
• data portability (allowing clients to get and reuse their data for different services)
• object to how their data is processed in certain circumstances