This privacy statement covers:
- Privacy contact information
- Who we are
- Collection of personal data
- Technical information
- How information is kept safe
- Who the data is shared with
- How long information is kept for
- Your rights
- How to request a copy of your data
- Staff consent form
Privacy Contact Information
Castle Craig Hospital, West Linton, Peeblesshire Scotland EH46 7DH
We reserve the right to update this policy from time to time so it is in keeping with the latest guidelines and relevant to our website users. Any significant changes to this policy will be posted on our blog.
We take data security and confidentiality extremely seriously and all communications and replies are issued as soon as possible.
We may update this notice from time to time.
Castle Craig has been awarded the Cyber Essentials accreditation.
Certificate no: ‘2669324336211063
Cyber Essentials is a UK Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. For more information please visit the Cyber Essentials website.
Carrying this accreditation demonstrates that we take cybersecurity extremely seriously and have protected our systems against cyber attack.
Collection of Personal Data
Castle Craig Hospital Ltd is the data controller for the information collected on this and other websites. This means that Castle Craig determines what information is collected, how this data will be used and how it is protected. We are fully committed to fulfilling our obligations to website users about their privacy and their rights.
Our registered address is:
Castle Craig Hospital
If you have any concerns about your data protection rights please contact firstname.lastname@example.org
We will collect data about you to make your browsing a better experience, provide you with information you have requested, in your communication with us either on the phone or by email, to fulfil your contract with Castle Craig or in the course of our transaction with you or someone you know at Castle Craig.
This includes information that was obtained directly from you, either via our website or in communications, but may also include from time to time information that was collected about you- for example, from your family or friends who contact us.
We collect this information based on either legitimate interest, where Castle Craig requires the information to provide its service and which isn’t outweighed by your right to privacy; for a lawful basis where Castle Craig is required to collect your data; where consent is required to process the information; or where it is necessary for the public good.
When you get in contact with us, the information that is collected about you may include:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- Date of birth
- Marital status and dependants
- Next of kin and emergency contact information
- Communication between Castle Craig and you
- Financial information for payment purposes
Also, and to ensure that each visitor to any of our websites can use and navigate the site effectively, we collect the following:
- Technical information, including the Internet Protocol (IP) address, used to connect your device to the Internet;
- Your login information, browser type and version, time zone setting, browser plug-in types and versions;
- Operating system and platform;
Information about your visit, including the Uniform Resource Locators (URL) clickstream to, through, and from our site.
How Information is Kept Safe
Information is retained in secure electronic and paper records and access is restricted to only those who need to know.
We also anonymise or pseudonymise your information where appropriate to protect your identity.
All of our staff are subject to strict confidentiality policies.
Who the Data is shared with
Your data is kept within Castle Craig unless it is necessary to share with third parties.
We transfer your data to other companies for the normal management of the business, to cloud-based hosting providers. Where this is the case, safeguards are put in place to secure your data- including ensuring that the host provider’s security is acceptable and contractual obligations for providers to comply with the GDPR.
We may share data with third parties where Castle Craig Hospital has a legal obligation to do so.
We may share your data with other people that you request we share it with, for example, family or friends. We may share your data with other bodies, for example, social care or educational services- where we do, will gain your consent unless we are legally required to share the information.
You have a right to revoke your consent to sharing data where your consent is necessary, and we will explain the consequences of this when you do.
Under certain circumstances, your data may be transferred outside of the UK to other EEA countries, or countries outside of the EEA. Where this is the case, Castle Craig Hospital ensures the security of your data with strict safeguards including contractual obligations for third parties outside of the EEA to comply with GDPR requirements and encryption of data.
How Long is Information Kept
Your information will be kept for different lengths of time, but in all cases, for no longer than is necessary.
Where you give us information but do not enter treatment, this information will be deleted after being held for six months. Where you, or the person on whose behalf you were ringing, does come into treatment, your communications with us will be held for six years following discharge to comply with the statute of limitations. Where you give us financial information for the payment of treatment, this will be kept for the legal requirement of 7 years.
Under the GDPR, you have several rights regarding your personal data. These are:
- The right to be informed of data that is processed about you;
- The right to request access to your data, to be provided within 30 days of the request or 2 months for complex cases at no cost except under certain circumstances;
- The right to rectify information held, to be corrected within 30 days of the request or 2 months for complex cases;
- The right to erasure- where appropriate, your data can be deleted at your request. This will apply only where the Company recording the information is no longer necessary or they do not have an overriding legitimate interest to do so;
- The right to restrict processing- under certain narrow circumstances, you will have the right to restrict the Company from processing the data
- The right to data portability- under certain circumstances you can request to copy or transfer your information from one IT environment to another
- The right to object to processing- under certain circumstances you can object to the processing of the data and the Company must halt processing unless it can demonstrate an overriding legitimate interest.
Request a copy of your data
You should complete this Subject Access Request form if you want us to supply you with a copy of any personal data we hold about you.
You have the right to complain to Castle Craig Hospital regarding any rights you have under the GDPR. Please contact Senior Governance Administrator Lucy Haden at email@example.com.
You have the right to complain to the Information Commissioner’s Officer if you believe the Company has not complied with the GDPR. Contact at:
Information Commissioner’s Office
Telephone: 0303 123 1113
Via email here: https://ico.org.uk/global/contact-us/email/
Or the Scottish office here:
The Information Commissioner’s Office – Scotland
45 Melville Street
Telephone: 0303 123 1115
Via email here: Scotland@ico.org.uk