Who are we and why do we process personal data?
Expert in Mind Ltd (Company No 06563261) provides a service to lawyers and experts intended to facilitate the provision of quality medico-legal reports and relevant assessments or treatment by our panel of highly qualified mental health experts.
We are based at Unit G03, High Weald House, Glovers End, Bexhill, East Sussex, TN39 5ES. We can be contacted by email (firstname.lastname@example.org) or telephone (01424 444130) during normal office hours.
Our Company Director, Zofia Ludwig, is our Data Protection Lead responsible for dealing with any queries related to our Data Protection obligations, however you raise these with us.
What personal data do we process and where do we get it from?
We process the name and contact details of those instructing us or using our website to raise enquiries concerning our services (‘Contact’). We also process personal data relating to the experts on or wishing to join our panel (‘Experts’), including their name, contact details, relevant financial information and details concerning the relevant education and experience allowing us to ensure that only highly qualified mental health experts are included on our panel. Such information is generally provided by the Contact or Expert or their employees or employers. We may access publicly available information regarding education and experience and obtain references for Experts wishing to join our panel.
We also process personal data relating to those people (‘Subjects’) who are the subject of reports, assessments or treatment. The majority of the information provided concerning Subjects is received in the instructions from their legal advisor, employer or a public official such as a police officer. The personal data includes names, dates of birth, identification, gender and marital status as well as standard contact details.
In addition, we process large amounts of Subjects’ personal data relating to the situation giving rise to the need for a medico-legal report, assessment or treatment. We do not control the information provided with our instructions, which is generally determined by the party instructing us, subject to any legal obligations they may be under to supply certain information or documents. Common examples of the information provided include correspondence, Court Orders and evidence considered relevant to the Expert’s opinion which may include medical records, photographic, audio or video information with any related metadata. We may also receive personal data relating to the family of the Subject or others (whether in a personal or professional capacity) where this is relevant to the issue giving rise to our instruction.
The information provided regularly includes sensitive personal data with special protection under the General Data Protection Regulation (‘GDPR’) and Data Protection Act 2018 (‘DPA18’) as special category data. This most often involves the receipt of information concerning mental and physical health but may also involve details of race, ethnic origin, religion, employment status including any trade union membership and details regarding sexual orientation. In certain circumstances the health information provided may contain genetic information or biometric records and where relevant details of a person’s sex life may be included. Further, in some circumstances we receive details of criminal records and accusations of criminal conduct officially or unofficially reported. Where such data relates to a person known to the Subject no direct Privacy Notice is provided as there is an obligation of secrecy concerning the relevance of this to the Subject’s mental health.
Our Experts in order to compile their report collect personal data directly from Subjects and on behalf as Controller, during interview, assessment or treatment. The Subject is in control of the information supplied in these circumstances, but such personal data covers the range of categories noted above, including specifically the special category data (as defined by DPA 2018).
When we or others instructed by us process such special category data in accordance with Schedule 1 DPA 2018, we maintain an appropriate policy document which details the procedures for complying with the data protection principles in connection with processing the data and further additional processes for retention and erasure of the special category data.
We do not use any form of automated decision making on the basis of personal data provided to us.
Why do we process this personal data?
We collect the personal data set out above for the purpose of both the promotion and improvement of our service and the facilitation or provision of medico-legal reports and associated assessments or treatment. The processing of Subjects’ personal data is excluded from any processing relating to promotion.
Our lawful basis:
We process Contact(s) and Expert personal data in order to allow us to fulfil contracts with those who use our service but also in the legitimate interest of improving our services and providing relevant information to those who use them.
We generally process the data of Subjects in accordance with our contract with them or through their legal advisor, local authority or other person who are acting as agent. On occasion we process such data in accordance with requests from public bodies such as the NHS, the police or courts and on these occasions we process it on the basis that we are instructed in connection with a public task set down in law. Further we are sometimes instructed by the employer of a Subject to provide a report, assessment or treatment in relation to their employment. This is on the basis that it is in the legitimate interests of the employer to obtain or provide such information regarding their employee’s mental health to inform or action appropriate occupational health measures.
We process sensitive special category data and any information regarding criminal convictions or allegations (whether relating to the Subject or those known to them) for the exercise or defence of legal claims or for the purposes of preventative and occupational medicine, diagnosis and provision of health care or treatment as well as counselling where our Experts are providing treatment.
The processing in each of these lawful basis set out above are necessary for the fulfilment of a contract and to allow us and the instructed Experts to provide a Services pursuant to a contract. Additionally where instructed by any authority or court it is necessary for us to process to assist in a public task (for a local authority) or in the administration of Justice (when a court order is present).
(+ Public Task administration of Justice where instructed by authority …)
Who do we share the personal data with?
We will share the Subject’s personal data received on instruction with an appropriate Expert on our panel to enable them to provide the contracted service. If the Subject’s personal data is collected solely for clinical purposes then we may share the Subject’s personal data with the appropriate party to provide the contracted service for example this may include your GP when relating to medication.
Any report, assessment, treatment plan or treatment review prepared in accordance with the instructions given will be shared with those instructing us, whether they are a legal advisor, police officer, employer or other Contact.
How do we secure personal data?
We take the security of the personal data we hold very seriously, the confidentiality of data is central to our Expert’s professional qualifications. In addition to these professional obligations we have a Data Processing Agreement with each Expert.
We do not generally transfer data outside the UK or EEA, except where we do, we use a secure, GDPR compliant cloud based service to share the personal data with our Experts. We have a contract with the provider to ensure that the requirements of the GDPR are contractually imposed where this data is transferred to any third country not directly covered by the GDPR.
Any physical data received in relation to an instruction is scanned into this system and the physical copies securely shredded in accordance with our data protection policies. The system provides for encrypted, password protected access to the information for authorised recipients. We keep our IT services under review and ensure that we have sufficient IT support to advise on developing security issues and to ensure a prompt response should any issues arise.
How long will we keep your data?
We keep personal data relating to the Expert, Contact and Subject of any instruction for a maximum period of six years following the final communication or invoice involving their personal data and retain invoices containing basic information regarding the instruction for a further year to comply with HMRC requirements.
What are your rights?
The GDPR and DPA18 set out eight rights in relation to personal data held by organisations. The nature of our work restricts the extent to which we can provide information in response to rights requests. This is particularly the case where the courts are involved.
Notwithstanding this, we are committed to providing a response to all data rights requests and will always set out any relevant exemption or restriction and its effect when responding. You also have the right to raise any data protection issue with the Information Commissioners Office (www.ico.org.uk). We set out the details of your data rights below:
The right to be informed. This Privacy Notice sets out the information to which you are entitled in relation to our processing of your personal data. It is not always appropriate to provide a notice directly to a person whose information we have received, particularly in relation to active court cases. We display it here so that it is available to anybody who wishes to understand our approach to data protection whether or not they are entitled to receive a notice directly.
The right to access. Generally known as a Subject Access Request (‘SAR’), this is the right to receive details of the personal data held by an organisation that relates to you. The sensitive nature of many legal cases in which we are instructed has been recognised in the DPA18 and there are several exemptions that apply to our work, particularly where children are involved. In such cases we will generally provide information rather than documents so where specific documents are required, we would advise that you approach the court or your legal advisors for disclosure.
The right to rectification. This right allows you to request correction or completion of personal data held about you. We are happy to receive requests to correct or update basic contact information from you. However, we may be unable to rectify personal data received in relation to court proceedings particularly those relating to children. Where you are interviewed by an Expert you have the opportunity to raise concerns of inaccuracy which they will consider alongside the instructions. Beyond this, the court is generally the best venue to challenge the inclusion of information or conclusions in any medico-legal report that you believe are incorrect.
The right to erasure. Often called the right to be forgotten, this right would generally only apply where we were relying on your consent, for example if we obtained this to enable us to provide direct marketing to you concerning services unrelated to those we provide at present.
The right to restrict processing. This right will rarely apply as our involvement will be governed by contract or our performance of a public task on behalf of the courts or others. However, if you wish for us to contact you in a particular manner, we would be happy to restrict communications to your preferred method and will of course consider any other requests in line with the GDPR.
The right to data portability requires us to provide your data in a manner that allows you to pass it to another organisation who may process it through their systems. As the majority of the data we store is in scanned documents this has little application. We do not use computer processing to deal with data in this way, focusing instead on the provision and development of human expertise.
The right to object allows you to raise issue with how your data is processed but does not apply where it can be demonstrated that there are legitimate grounds for continued processing. The circumstances in which we receive instructions will generally provide legitimate grounds and we would set these out in response to any objection received that could not be dealt with as a result.
The right to not be subject to a decision made automatically by a computer. As noted above, we do not use automated processing but rather the experience and expertise of our Experts.
We deal with every rights request individually and the information above is not exhaustive, merely providing an indication of the common reasons that our response to a request may be restricted.