Privacy Policy
Your privacy is important to us at ProblemShared. We respect your privacy regarding any information we may collect from you across our website.
It is simple ‒ information that is about you is private. Data Protection Legislation in the U.K. makes clear the responsibilities of data controllers and rights of data subjects such as you.
At ProblemShared, we respect and commit to protecting your personal data. Our Privacy Policy together with our Platform User Terms & Conditions explain the different types of data, and what you can do about your personal data. This is in connection with when you interact with our Platform and any Service you receive over the Platform.
Our Policy is divided into different sections for ease of reference and you will find an index over page. Capitalised terms here have the same meaning as in the User Terms and Conditions, or in the Data Protection Legislation unless specified otherwise.
We are ProblemShared, which is the trading name of Teledoctor Ltd, registered in England with company number 10410380 and at registered address 3 Frederick Street, London WC1X 0ND.
We provide access to mental health and neurodiversity care and support services via our digital platform problemshared.net (the “Platform”). This encompasses a network of mental health practitioners (each a “Practitioner”) who provide a range of services remotely, including via video link, to users of the Platform such as you.
We are a Data Controller for the purposes of the laws that govern privacy that we collectively call the Data Protection Legislation and this comprises all legislation and regulatory requirements in force from time to time in England relating to the use of personal data and the privacy of electronic communications including without limitation (i) the Data Protection Act 2018 (DPA) and any successor legislation, and (ii) the retained version of the General Data Protection Regulation (EU) 2016/679 as incorporated into the UK law by the Data Protection, Privacy and Electronic Communications (EU exit) Regulations 2019 (SI 2019/419) (UK GDPR),including where applicable the guidance and codes of practice issued by the UK Data Protection Supervisory Authority (ICO) or any other national data protection authority.
The data that we handle that relates to you also includes Special Category or Sensitive Data in reference to your mental and physical health and any information that you opt to share with us based on gender, linguistic, ethnic or cultural preferences connected with therapy. This policy further addresses our role, your data and your rights in relation to that.If you wish to contact us regarding privacy and your Personal Data, please contact our Data Compliance Officer care of the following email address: help@problemshared.net
This policy uses terms that are defined in our Platform User Terms and Conditions and select relevant terms are repeated here for ease of reference:
Legally we must have a lawful basis to access and use your data, and we must keep it private, and where that data does not remain private, it must only be where we are required or permitted by law to disclose it.
Before you book a Session with one of our Practitioners or you receive any service through our Counselling or Assessment Pathway, you will be asked if you accept our User Terms and Conditions and if you have read this Privacy Policy, both of which can be accessed at that point in your signup and also on our Platform under the relevant menu item. For Personal Data that includes Special Category Data or Sensitive Data, Data Controllers must have two lawful bases under which to process and handle that Personal Data (and to share it with another Data Controller in the case of Supported Clients access to services via our Platform).
These bases are as follows.
We handle your data specifically for the purpose of providing health care (Article 9h DPA), in particular mental healthcare via therapy and counselling or in respect of assessments of certain mental health conditions including ASC and ADHD ("healthcare basis"). This includes not only the actions specific to that type of care but also actions that are incidental to and key to your wellbeing, including safeguarding and monitoring risk.
We also handle your data on the basis of giving effect to contractual obligations (Article 6b of the DPA) such as those agreed by you with us in the Platform's User Terms and Conditions for us to provide you with access to health care, and between us and any Partner Organisation if you have been referred to us by them through the Counselling or Assessment Pathway and to give effect to any agreement you have with a Practitioner (these are singly and collectively referred to as "the contractual basis").
In matters that are strictly contractual and healthcare related, we are unable to provide our service without being able to collect, handle or process certain personal data in the ways set out in this Policy because we would fall short of the duty expected of us in complying with our contractual obligations, and of our duties in facilitating your health care by Practitioners.
Where we handle or process data for a purpose that is not strictly either on a contractual or healthcare basis, we may rely on legitimate interest such as that cited in 4(f)
Personal Data is defined in the Data Protection Legislation as information which, whether on its own or in combination with other information, allows for the identification of an individual As noted earlier, some information may also be Special Category or Sensitive Data. Where personal identifiers are removed from the information during processing, for example the information is anonymised and then aggregated, this is no longer Personal Data.
There are different contexts in which we hold information about you. These are associated with discrete, albeit related, purposes, and are also associated with different mechanisms for control by you. We first set out each of the different contexts for information, next we describe our purposes in more detail, and then we address sharing and access to data, the relationship with your Practitioner, processing of data, your rights and when we no longer hold your data.
We ask you for certain information when you sign-up or are enrolled on our Platform. This may also be information that is provided on your behalf, if you have come to us via the Counselling or Assessment Pathway. In this instance, we rely on the Partner Organisation or 3rd party who refers you to have in place your understanding and/or consent to such sharing of your personal data for example via their own Privacy Policy or Notice.
This includes:
With respect to sign-up or enrolment, you will be guided and prompted in filling in any required information fields on our intake form over the Platform dashboard.
You, or the Partner Organisation that refers you to us, or the third party that completes any assessment-related questionnaire on your behalf is solely responsible for the truth, currency, accuracy and completeness of the information about you that is provided to us.
With respect to counselling with a psychotherapist or clinical psychologist, your Practitioner has discretion as to whether s/he wishes to store the records and observations of her or his Sessions with you ("Notes") on our Platform or according to their own usual practices, outside of our Platform. This is for two reasons, i/ the Practitioner is a Data Controller in her or his own right because of the decisions s/he takes in the course of providing therapy and care to you and ii/ the Practitioner is an independent health care provider.
With respect to counselling with a psychotherapist or clinical psychologist, outside of the Assessment Pathway, we do not store information that either you or the Practitioner choose to share with each other during the course of your Session, for example a document with suggested exercises as part of your therapeutic relationship via separate email. In the event that you and the Practitioner share a document or file by email that contains information that is personal to you, the Practitioner is the person who controls and stores that information for the purposes of privacy. In the same way, the Practitioner may make notes of their Session with you, and this information is also personal to you. We address this later in the policy since Practitioners also hold, control, handle or process your information in this regard.
The content of any communication between you and us, separate to your Practitioner, also contains information relevant to you. When you contact the Company by email, we keep a copy of that email.
Each time you visit the Platform, we collect the following information about your digital activity including but not limited to the following:
We will use your information only as is legally permitted. We may interact with information that is personal to you in a number of ways or contexts: we receive or request data from you, we store data, we handle and use it, we direct or permit others to handle, process or use it (subprocessors), we share certain information with Partner Organisations who have referred you to us if you have come to us via the Assessment or Counselling Pathway, we provide copies of it to you at your request, and we eventually delete it.
The extent of our access and use: Legally we must have good reason to access and use your data, and we must keep it private, and where that data does not remain private, it must only be where we are required or permitted by law to disclose it. In handling data, it is important to note that once data has been anonymised it is no longer personally identifiable.
Our prime purpose in handling your personal information is to facilitate your mental health care, and to give effect to the terms and conditions that are agreed between you and us for your use of the platform (Platform User Terms and Conditions), any agreement for your care with a Partner Organisation if you are a Supported Client, and to give effect to any agreement you make with your Practitioner. We provide a centralised platform over which Practitioners can serve the mental health or neurodiversity needs of clients such as you in a remote setting via video-link consultation, for talk therapy counselling, psychiatry or in connection with any Assessment for certain mental health conditions.
How do we do this? This includes identifying you and how we can contact you;facilitating a Practitioner’s understanding of your health history; your reasons for seeking treatment; previous medications etc; contacting you if needed; facilitating a consultation or Session between you and a Practitioner via video over the Platform, enabling therapy preferences, if relevant, providing access to payment means for Sessions managing any complaint you make, and otherwise communicating with you in relation to your use of the Platform, eg via email, and sending you automated reminders about your Bookings, and recording outcomes of treatment or Sessions, or diagnoses in connection with Assessments.
We may also use your contact details to send information about updates and features of our Platform from time to time if you have opted in to receive that. We do not and shall not enable third parties to market to you.
Ancillary to our main purpose of providing a remote mental health care service via our Platform is the improvement and further development of the Platform itself, for the mutual benefit of the Company, Practitioners and Clients such as you to deliver a mental healthcare service that is user-friendly, secure, helpful, informed and responsive.
How do we do that? We use information about how and why the Platform is accessed for our own analysis of efficiencies and operations of the Platform and to understand the incidence and expression of mental health in the community and our capacity to respond to that.
So we may also use data that is collected regarding devices and usage of our Platform for various technical reasons, such as troubleshooting, improving operations, and efficiency, statistical analysis, research, and survey purposes for Platform and service optimisation, and to monitor security of the Platform and protect against inappropriate or unpermitted use of the Platform as per our User Terms. You may know this as "Cookies "and similar technologies that can be used to collect this information
In this respect, we use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site. You have the choice of accepting our cookies or not each time that you use our Platform.
Legitimate interest: On a broader level, we may also use data for analytical purposes that informs about patterns and presentation of mental health matters for the purpose of legitimate interest to better inform our approach to providing more tailored and representative services for mental health care and to contribute to a broader understanding of the incidence and expression of mental health states and conditions that our Practitioners treat and assess.
Anonymous and Aggregated: With respect to both understanding how our service is used for mental health purposes, and to better understand the incidence and expression of mental health states and conditions that our Practitioners treat and assess, we undertake various analysis on anonymised copies of the data. All personal identifiers are removed and the data is further aggregated prior to this analysis commencing. At that point, the data no longer constitutes Personal Data.
We also note that we do not carry out any automated decision making or profiling with any information.
GP or other medical practitioner: We may share your information with your G.P. in case of any safeguarding concern. For this we do not need your consent. Otherwise, your Practitioner or we will ask to share information with your G.P. or another medical practitioner only with your consent or on your request. Depending on the terms of referral from a Partner Organisation if you are a Supported Client, we may share details of your Assessment, including medication for ADHD if relevant, with your registered G.P. (this may be relevant if your referral to us originates with your registered GP in conjunction with your local NHS Trust or CCG).
Treating practitioners: We share your information with your treating Practitioner and if you have been treated by more than one Practitioner, then that current treating Practitioner may access information we have about you that pre-dates the current treating Practitioner's treatment or assessment of you.
Partner Organisation's authorised contacts: If you are a client whose health care is supported by a Partner Organisation then we need to share with that organisation certain matters in connection with your mental health or neurodiversity care and support including but not limited to the following, as may be relevant to the type of mental health or neurodiversity care and support that you are receiving: the name of your treating Practitioner, the number of talk therapy counselling Sessions booked and attended, information in connection with appropriate safeguarding, outcomes including either in relation to an Assessment, including whether you are eligible for or commencing medication in relation to ADHD if relevant, or in relation to a Practitioner's recommendation for concluding or advancing further talk therapy counselling Sessions, each of which also facilitates your care on the terms which we are contractually obliged to so provide.
Clinical governance and audit: Whether for internal or regulatory reasons, our named Clinical Lead may also access certain information in respect of our management of safeguarding, or our broader provision of mental health or neurodivergent care or support. If related to regulatory audit or review, the relevant body or organisation may also access certain information as required by them. See below.
If we disclose personally identifiable information about you to third parties other than those included above, without your consent then we can only do so where our action is necessary by way of a legal claim, or is required by any enforcement or other government agency, or as is necessary under any competing law or regulation, for example a public health interest, as may be required for any audit of service, including by reason of our registration with the national English health regulatory body, the Care Quality Commission (C.Q.C.) with respect to medical care, or in case of emergency or for the purpose of safeguarding you or another person from harm, or to investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of our services. And the information disclosed would only be to the extent necessary and relevant to the purpose for disclosure.
The Practitioner you see in your Session or who is involved in your care or assessment is also bound to follow and comply with all relevant laws about privacy, like us. And if you are receiving counselling, including via any Counselling Pathway, the agreement you make with them in defining your therapeutic relationship should also address your rights and the Practitioner’s obligations about privacy in connection with the information that they handle, hold and store about you.
Restricted access: Only the Practitioner or Practitioners who treat/s you orassess/es you has access to your digital Health Record in full, other than our named Clinical Lead for the purposes of clinical governance, or audit or any regulator or authorised person on behalf of a regulator (see 6b). If you have been treated by more than one Practitioner, only the Practitioner currently treating you will have current access to this record.
Practitioners are not only bound by strict confidentiality practices to maintain your privacy, as per their relevant professional body’s code of ethics, but also bound by compliance with the Data Protection Legislation by reason of their registration with the I.C.O as a Data Controller (talk therapy counselling Practitioners) and their contractual agreement with us in which we also oblige them to do so too.
Records: Depending on which type of client a Practitioner is treating, for example a self-referring client or a client of the Counselling Pathway, the Practitioner may choose to make their own arrangements with respect to certain matters such as storage and filing of Session notes or they may avail themselves of our Platform to store this; in any case, they are obliged to ensure that should they choose to store any data outside of the Platform, that they do so in keeping with good industry practice and in compliance with the Data Protection Legislation. Practitioners who are treating clients of the Assessment Pathway are obliged to keep all notes and records on the Platform. Each of our talk therapy Practitioners is also independently registered with the Data Protection Authority, the Information Commissioner's Office (I.C.O.) (Practitioners within the Assessment Pathway are not independently registered due to the nature of their engagement with us; our company registration covers their activities.)
With regard to recordings of any Session, we note that there is no opportunity for any recording to be made over our Platform for privacy reasons. Should there be any request by a Practitioner to record a Session with you by some other means for some reasonable purposes connected with therapy, this must be evidenced in writing as agreed between you and the Practitioner as proof of your consent, along with provisions for the purpose and format of such recording, use, processing, handling and storage and deletion, as would be usual for privacy law requirements and must be included with your Health Record.
Data controller/s
Third Party Data Processors
We use other companies to provide data processing services on our behalf, for a range of purposes connected with your health care and giving effect to our agreement to provide a service to you, including facilitating the integration of parts of the Platform, enabling videolink consultations, storage and retrieval of your information, facilitating payment for Sessions, optimising functions of the Platform, analysing access to and engagement with the Platform.
With regard to personally identifiable information that enables payment for services, we do not store any such information. The third parties who are our suppliers of billing and payment function systems, credit checking or encrypted security solutions must be compliant with Level 1 Payment Card Industry (PCI) data security standards. Any payment transactions are encrypted using SSL technology.
Transfers of data for processing purposes: We have in place agreements with our Data Processor/s that accord with Data Protection Legislation. Our Platform is only stored on U.K. based servers. Where we do share information with third party Data Processors, this will not be processed via destinations outside the European Economic Area unless it is in accordance with the protections afforded by the Standard Contractual Clauses of the Data Protection Legislation for such transfers that comprise as follows: the Data Subject has enforceable rights and effective legal remedies; and that the Party complies with its obligations under the Data Protection Legislation by providing adequate levels of protection to any Personal Data thatis transferred, and that it obliges each Party to so oblige any Data Processor it appoints by providing for the same in its agreement with such Data Processor.
Other types of access - As noted earlier, the Company may be required to provide information to others in the context of legal, enforcement or other governmental obligations.
We take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of your Personal Data and against accidental loss or destruction of, or damage to, your Personal Data as required by the Data Protection Legislation. The Company has security measures in place and we contractually oblige our Data Processor/s, and any joint Data Controller with whom we may share information to provide for the same if relevant.
Some of these measures include:
Under certain circumstances, by law you have the right to:
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, request the restriction of processing or request that we transfer a copy of your personal information to another party, please email our Data Compliance Officer care of: help@problemshared.net
You will not have to pay a fee to access your personal information (or to exercise any of the other rights) on the understanding that such is not vexatious.
To withdraw your consent to us anonymising and aggregating your data for the ancillary purpose of analysis of health care service capabilities and response, as cited above at section 4, please email our Data Compliance Officer care of help@problemshared.net
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You may contact us regarding any complaint at help@problemshared.net
Alongside your right to contact us to make a complaint or other request with regards to your privacy, you may also contact the I.C.O. as follows: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113 (local rate).
We hold information personal to you for a period of seven (7) years after your care ortreatment via our Platform has ceased including when your therapeutic relationship ends with a Practitioner or the date of your last Assessment.
With regard to medical records pertaining to psychiatric-based treatment over the Platform, we hold that part of your record in accordance with national best practice guidance as issued by the British Medical Association, Department of Health, and/or relevant NHS codes.
When it comes time to dispose of or destroy information personal to you we shall do that by secure means in line with good industry practice and in compliance with Data Protection Legislation.
But of course, we may retain Personal Data for other periods as mandated by any other law which may requires us to do so from time to time.
If you apply for a job opening with our organisation that is listed on NHS Jobs, we will collect information that is personal to you, that includes but is not limited to the following: your name, contact details, address details, title of role for which you are applying, C.V. and related qualifications and employment history, availability to take up the role, remuneration range including salary and benefits if relevant, availability for interview, details of referees if relevant and any other information reasonably relevant to your job application.
We will receive this data from you and process it on the basis that this is of legitimateinterest in respect of the making of a job application and possible engagement in role. You supply the information voluntarily and should we contract with you to engage you in the role, that any contract would depend on us continuing to access such Personal Data. None of this data will comprise Sensitive Category Data unless you elect to include such in your CV or employment history or associated documentation.
You can choose to exercise your rights in relation to this Personal Data at any time, please see section 10 above, but we cannot duly process your job application without access to, handling and storage of that Personal Data for the period of time that we receive and assess the job application, and for our nominated retention period thereafter.
We store all data on our Platform - you can find out more about security in section 9 of this Policy. And we use your Personal Data as the registered Data Controller and we have a Data Registration Number with the UK supervisory body - the Information Commissioner’s Office (I.C.O.) We use this information internally amongst select Staff to assess the job application.
You may contact us regarding any complaint at help@problemshared.net
Alongside your right to contact us to make a complaint or other request with regards to your privacy, you may also contact the I.C.O. as follows: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113 (local rate).
We will retain as much of your Personal Data as is reasonably necessary until such time as your job application is resolved. In the event that you are not offered nor take up the role, we will hold your Data for a period of 6 months following the resolution of your job application after which time we will only retain the minimum Personal Data relevant to establishing that you applied to us for a role at a particular time (this is for various reasons related to our frameworks for Human Resources and Dispute Resolution) including your name, job title and email. If you join our organisation, our handling of your Personal Data will then be governed by our Staff Privacy Policy.
As per section 12 above, when it comes time to dispose of or destroy information personal to you we shall do that by secure means in line with good industry practice and in compliance with Data Protection Legislation.
But of course, we may retain Personal Data for other periods as mandated by any other law which may require us to do so from time to time as may be relevant here.