Information Governance (IG) Policy
Reviewed Annually, date of Last Review: October 2021 (SL)
Author: Steve Leach, Director

  1. Introduction
    In the healthcare sector, it is inevitable that professionals and the organisations they work for
    will use and process large amounts of individuals’ personal data. The use, storage, and
    processing of personal data within health and social care is governed by a wide range of
    legislation and guidelines, including:
    • General Data Protection Regulation (GDPR) 2016
    • Data Protection Act 2018
    • Regulation of Investigatory Powers 2000
    • Environmental Information Regulations 2004
    • Freedom of Information Act 2000
    • Re-use of Public Sector Information Regulations 2005
    Information Governance (IG) is the term used to describe how organisations meet their
    obligations under this legislation, and other guidelines around preserving the privacy of
    personal data. Under data protection legislation, organisations that process personal data
    are accountable for, and must be able to demonstrate, their compliance with the legislation.
    The arrangements set out in this and related policies and procedures are intended to
    achieve this demonstrable compliance.
    Think Therapy is registered with the Information Commissioner's Office (ICO) under number
    ZA788980 and for the purposes of this policy is the Data Controller.
    The appointed Data Protection Officer (DPO; refer to section 3) is Steve Leach, who can be
    contacted here:
    Postal Address: Think Therapy, Victoria Business Centre, Croft Street, Widnes, WA8 0NQ
    Think Therapy Social Enterprise Ltd. is a Company Registered in England and Wales with
    Company number 10867392.
  2. What information do we collect?
    Although the most obvious type of personal data processed in health and social care is that
    of patients/clients, it is not only their privacy which is protected by robust IG procedures.
    The rules are also concerned with the personal data of employees, contractors, and other
    staff; patients’/clients’ friends and family; professionals in partner organisations; and any
    other personal data with which organisations come into contact.
    Personal data is any information that can be used to identify you or another person. For
    example, if you use our services or visit our offices, we will collect and process the personal
    data that you have provided.
    We may collect the following personal data:
    • Basic personal details (your name, email address, postal address, telephone or
    mobile number and date of birth)
    • Financial details (bank account number, UK taxpayer information for gift aid)
    • Credit or debit card information
    • IP address
    • Photos, videos or audio recordings, if used as part of our work with you
    We may also collect, store and use the following ‘special categories’ of sensitive personal
    data, which need more protection, known as a ‘condition of processing’. We won’t use any of
    this information without a justified reason:
    • Information about your race or ethnicity
    • Philosophical or religious beliefs
    • Sexual orientation
    • Political opinions
    • Information about your health, including any medication you have been prescribed
    We will not share your information unnecessarily and will ensure that your data is:
    • Held securely and confidentially
    • Processed fairly and lawfully
    • Obtained for specific purpose(s)
    • Recorded accurately and reliably
    • Used effectively and ethically, and
    • Shared and disclosed appropriately and lawfully
  3. Data Protection Officer (DPO)
    The Data Protection Officer (DPO) is responsible for ensuring that all those working for and
    on behalf of Think Therapy are furnished with the necessary information regarding Data
    Protection Law and that they have sight of and acknowledge this policy.
    The DPO will ensure that the organisation maintains its registration and adherence to the
    relevant offices and that privacy concerns or recommendations with regard to potential
    changes to, or new initiatives that involve, processing of personal data are followed.
    The DPO will:
    • provide advice to the organisation and its employees on compliance
    obligations with data protection law
    • advise on when data protection impact assessments are required
    • monitor compliance with data protection law and organisational policies in
    relation to data protection law
    • co-operate with, and be the first point of contact for the Information
    • be the first point of contact within the organisation for all data protection
    • be available to be contacted directly by data subjects
    • take into account information risk when performing the above
  4. Employees, Volunteers and Associates (Staff)
    It is the responsibility of each staff member to adhere to this policy and all associated
    information governance, e.g. the Data Protection Act 2018 and policies and procedures.
    Staff will receive instruction and direction regarding the policy from several sources:
    • DPO
    • Other relevant policies, procedures and legislation
    • Line manager
    • Specific training course
    • Other communication methods, for example, team meetings.
  5. Clients' Rights
    Under the Data Protection Act 2018, anyone has the right to find out what information the
    government and other organisations store about them. These rights include the right to:
    • be informed about how their data is being used
    • access personal data
    • have incorrect data updated
    • have data erased
    • stop or restrict the processing of their data
    • data portability (allowing clients to get and reuse their data for different services)
    • object to how their data is processed in certain circumstances