Privacy Policy

Last updated: April 2025

Welcome to Hugh Helps Privacy Policy.

We take the privacy rights of all our clients seriously and adopt a high standard of compliance and confidentiality when dealing with your data. We want you to understand that this is a safe place for you to discuss your feelings and concerns and that we operate in a highly confidential environment. This privacy policy sets out the details of how data is collected and processed when using our website or our services.

Important Information and Who We Are

Hugh Helps Limited (“HHA” or “Consultancy”) is the ‘data controller’ for the personal information you provide to us. As the data controller, HHA is responsible for, and controls the processing of, your personal information by the Consultancy. HHA is registered with the Information Commissioner’s Office (ICO).

This Privacy Notice describes the basis on which any personal information HHA collects from you, or that you provide to HHA, will be processed by HHA. We would be grateful if you could read this Privacy Notice carefully as it details important information regarding the Consultancy’s use of your personal information.

If you have any questions about our privacy practices or if you would like to contact the Consultancy, you can do so in the following ways:

• Full name of legal entity: Hugh Helps
• Email address: enquiries@hughhelps.com

You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to the Privacy Policy and Your Duty to Inform Us of Changes

We keep our privacy policy under regular review. This version was last updated in April 2025.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-Party Links

This website may include links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Personal Information Collected by Us

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth, and gender.
• Contact Data includes billing address, delivery address, email address, telephone numbers, next of kin details, and GP/health insurance provider details.
• Financial Data includes bank account and payment card details.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
• Profile Data includes your identifiable information, appointment details made by you, your interests, preferences, feedback, and survey responses.
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• Sensitive Data includes information about your health, including information about your existing and previous medical conditions, medication details, psychiatric history, referral letters, assessment reports, blood test results, and any other relevant health information to enable us to carry out our services to you. We require your explicit consent for processing sensitive data, so when you submit your details there will usually be a consent tick box for you to indicate your consent to such processing.

We do not collect any other Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How Is Your Personal Data Collected?

You may give the Consultancy personal information by filling in our Registration Form or by speaking with us over the telephone, emailing us, or otherwise corresponding with us.

You may also provide us with personal and special category data during an appointment with us or verbally during discussions at our practice.

We will also collect and process personal information that you and other medical professionals may send to us, such as referral letters, reports or assessments, or results of blood tests, for example. We may also collect personal information about you that is given to us by your family members or other individuals known to you.

You may provide information to us when completing our contact form on our website.

We may collect some Technical Data from analytics providers such as Google.

How We Use Your Personal Information

We will use your personal information to carry out our obligations under our contract with you as detailed in the Patient Information Letter and to pursue our legitimate interests, that is, in order to provide healthcare services. Please note that in certain circumstances, your personal information may need to be shared with a psychiatrist colleague in order to ensure continuity of your care, and this would only be on an as-needed basis. Unless in an emergency situation, your consent would be requested prior to your information being shared.

We will also use your personal information to ensure you or your health insurance provider receives the correct bill, as well as to ensure that you receive the information and services that you request from us.

Your personal information will also be used to notify you of any changes to the information currently set out in our Patient Information Letter and for other administrative purposes.

Generally, we do not rely on consent as a legal basis for processing your personal data, although we will get your consent when collecting special category data (such as health information) and before sending third-party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Purposes for Which We Will Use Your Personal Data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Marketing

Our lawful ground of processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).

Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you received a service from us or if you asked for information from us about our services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

Disclosure of Your Personal Information

We may disclose some of your personal information to:

1. Other Clinicians Involved in Your Care: This includes your GP or other referring professional, pharmacists, therapists, or other medical professionals. We will seek your consent before sharing your personal information with such third parties. If you do not consent to your HHA psychiatrist sharing information with your GP, HHA will discuss with you the most appropriate way forward depending on your circumstances.

   In cases where there is a potential risk to your health (for example, if you are acutely unwell, or have relapsed in severe addiction or have intense suicidal thoughts), your HHA psychiatrist may discuss with you that they are not able to continue holding responsibility for your psychiatric care unless you provide consent for them to speak to third parties (such as a family member, your GP, or local NHS Mental Health Services such as the Crisis team) in order to ensure your safety and to avoid misleading other people involved in your care. If this is the case, your HHA psychiatrist will discuss this with you with a view to arriving at an acceptable solution.

2. Other Third Parties: In certain emergency or extreme circumstances, your HHA psychiatrist may contact a third party (usually the next of kin you have provided in the Registration Form or a health professional involved in your care such as your GP or a therapist). This can happen if there is a significant risk to your health or safety or that of others, or if there is a safeguarding concern or a situation where there is a concern about your mental capacity (as per the Mental Capacity Act) or there is a need for a Mental Health Act Assessment (as per the Mental Health Act). This is in accordance with the standards of HHA for all psychiatrists licensed to HHA in the UK. In every case, your HHA psychiatrist will make their best effort to discuss the situation with you prior to contacting anyone.
3. Your Health Insurance Provider: We will seek your consent before sharing medical information with your health insurance provider.
4. Regulatory or Public Bodies: The Care Quality Commission, the Court, or other regulatory or public bodies if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, including if a crime is being investigated or a formal court order has been issued.
5. Our Indemnity Organisation/Insurer and Solicitors: In the event of a civil claim being brought against the Consultancy.
7. Data Processors: Data processors are third parties who process data on our behalf. We have Data Processing Agreements in place with our data processors which means that they cannot do anything with your personal information unless we have instructed them to do so. Our data processors will hold your personal information securely and will retain it for the period we instruct. Our data processors will not share your personal information with any individual or organisation apart from us.

The data processors we use are:

• Organisations which manage financial transactions as mentioned above.
• Software providers/hosts for our secure database which holds your personal data and our email service provider.

Keeping Your Personal Information Secure

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

All personal information you provide to us or we collect from you is stored on secure servers and any payment transactions will be encrypted using SSL technology. Your personal information is held securely on a cloud-based electronic patient medical record database, accessed only via two-factor authentication.

No personal information is retained on paper – all hardcopy personal information is securely shredded as soon as the personal information has been processed electronically to our secure database.

Whilst we will use all reasonable efforts to safeguard your personal information, we are all aware that the transmission of information via the internet is not 100% secure and therefore we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet. Once we have received or collected your personal information, we will adhere to our strict procedures and security protocols to try to prevent unauthorised access.

Some of the information we hold is stored in servers outside the EEA and we will only transfer your personal data outside the EEA provided that the country in which your personal data is transferred ensures an adequate level of protection for your rights and freedoms as well as that the transfer is necessary in the performance of our contract with you. For any of our service providers (such as Stripe) who are based outside of the EEA, we may use specific contracts approved by the European Commission, which gives personal data the same protection it has in Europe.

Retention of Your Personal Information

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

There are legal requirements for the amount of time medical records need to be kept after the last contact with the patient. For adult health records, this is usually 8 years after the last contact and, for children, this is usually until the 25th birthday, or 8 years if longer. If you have not been in touch with the Consultancy for more than a year, you will no longer be considered an active patient. Your personal information will remain archived in our secure electronic database and will no longer be displayed as an active record. As mentioned previously, no hard copy or paper records are retained or stored, regardless of whether you are an active or inactive patient. We need to retain your records even if you are no longer an active patient in order to comply with our ethical, regulatory, and legal obligations. Please contact hugh@hughhelps.com if you have any concerns or queries.

Your Legal Rights

Under the Data Protection Act 2018, and the General Data Protection Regulation (GDPR) (2018), you have rights as an individual which you can exercise in relation to the information we hold about you.

You have the right to:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Please note that we cannot erase any medical records as we have a statutory duty to keep them as per the Data Protection Act 2018. We are professionally and legally obliged not to alter any medical records. However, if you disagree with any information contained on your medical records, a note can be added to the relevant entry to explain to any future readers that the patient disagrees with this information, and you can add an explanation if you wish.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  • If you want us to establish the data's accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Contact Us:

If you wish to exercise any of these rights or to make a request for any personal information we may hold (a ‘Data Subject Access Request’), you can email us at

Hugh Helps

No Fee Usually Required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What We May Need From You

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time Limit to Respond

We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

We will generally submit any personal or special category data to you electronically using secure encrypted email, unless you specifically ask for this information to be sent to you by other methods such as standard email or post.

Book a Consultation

We can arrange a brief courtesy call directly with one of our psychiatrists, therapists, or specialists so you can judge for yourself if you feel comfortable talking to them.

Regulatory Information

We are registered by the Care Quality Commission (CQC), the independent regulator of health and social care in England.