Privacy Policy

Who we are

1. The Owl Centre Ltd is registered with Companies House (no. 07880303).
2. The Owl Centre delivers independent assessment and therapy services to adults and children online, at our clinics, in their homes, or in their educational or work settings.
3. The Owl Centre is directed by Nicola Lathey and Hugh Copping.
4. The Owl Centre’s website is www.theowltherapycentre.co.uk
The Owl Centre is committed to protecting the privacy of information provided by clients.

Collection of Personal Information

We may collect personal information from you when you interact with our private healthcare services, including but not limited to:

• Contact and identification details (e.g., name, address, phone number, email address, date of birth)
• Health and medical information (e.g., medical history, test results, diagnoses, treatment plans)
• Financial and billing information (e.g., insurance details, payment information)
• Employment details (e.g., CV, employment history)
• Other information relevant to the provision of our services

Information about clients will be collected via spoken or written media from clients themselves or their referrers. A referrer could be, but is not limited to, a parent/carer, education or work setting, or NHS Trust.

With consent, information may also be collected from other professionals working with the patient.
Information may also be taken about family members where this relates to the patient—e.g., contact details for parents and any relevant medical/developmental history.

Where personal information has not been obtained directly from the individual, The Owl Centre will inform the data subject of the source of that information where required by law.

You may use our website without providing any personal information, but if you wish to make an enquiry or contact us via the website or email, you are requested to provide relevant contact details such as your name, email address, and contact phone number to enable us to respond to your enquiry.

How we protect your data

We take data protection seriously and implement a range of security measures to ensure the confidentiality, integrity, and availability of your personal information. These measures include:

• Use of our in-house software called The NEST to store all patient data
• All staff complete annual Data Security training
• Annual penetration testing of software
• Meeting the standard of the NHS Data Security Protection Toolkit (DSPT)
• Annual Cyber Essentials Plus certification
• Role-based access to ensure authorised staff only access the data they need

Website Visitors

We may collect information from visitors to our website, including:

• IP addresses
• Browser type and version
• Pages visited and time spent on the site
• Device and operating system information
• Referral sources

This information is used to monitor website performance and improve user experience. Cookies may also be used. You can manage cookies via your browser settings.

Webchat

All conversations on webchat will be retained for one month and then securely deleted.

Staff, Students, and Applicants

Job Applicants
We retain application data for a period not exceeding six months from the date of submission. After this timeframe, all personal information will be securely deleted unless a longer retention period is required by law.

Students and Volunteers
We collect and store information required to support student placements and volunteer roles, including contact details, educational background, DBS clearance, and relevant experience. All personal data is retained securely and deleted once no longer required.

Private (Self-Funding) Patients

Making an Enquiry or Booking
If your enquiry does not result in you being seen by our service, we will remove identifiable information and retain anonymised data for up to one year to improve our services.

If you proceed with treatment, details from the enquiry will be added to your personal health records.

NHS and Other Patients

Sharing Your Information with Trusted Partners
For NHS and other clients, part or all of the assessment or intervention may be carried out by an external provider who meets our data protection, confidentiality, and security standards. All partners undergo due diligence and are contractually required to comply with UK data protection law.

Shared information is handled securely, used solely for the intended purpose, and not retained longer than necessary.

Comprehensive Patient Records

To ensure continuity of care, we maintain a unified patient record linking all interactions with our services.

Access to patient records is restricted to authorised staff directly involved in a patient’s care or record management, on a strict need-to-know basis.

How We Use Personal Information

We use personal information to:
• Prepare, plan, and provide appropriate assessments and therapy
• Communicate with clients regarding appointments, reports, resources, and invoices
• Conduct clinical audits using anonymised data
• Carry out administrative and management functions
Personal information will not be disclosed beyond what is necessary for service provision unless required or permitted by law.

How We Store Personal Information

Patient records are stored securely in our encrypted, password-protected system, The NEST.
Paper-based records are kept to a minimum and stored securely.

Videos or recordings, where used with consent for clinical purposes, are stored temporarily and deleted after use.

Records are retained in line with legal and professional guidance:

• Children’s records until age 25 if discharged aged 16 or under, and until age 26 if discharged at age 17
• Adult records for 8 years post-discharge
• Some mental health records for up to 20 years

Non-clinical emails and invoices are retained for six years.

After retention periods expire, records are securely destroyed in line with NHS England destruction protocols.

Data Disclosure

We may disclose personal information to:
• Healthcare professionals involved in your care
• NHS or public health services
• Referrers such as education settings or workplaces
• Third-party service providers (e.g. IT support, payment processors, secure printing) All third parties are required to comply with data protection law.
• Regulatory bodies or law enforcement where required by law

Data Outside the UK

The Owl Centre does not transfer personal data outside of the United Kingdom.
All personal data is stored and processed within the UK. Access to systems is restricted to authorised personnel based in the UK, and our IT infrastructure is configured to ensure data remains within UK jurisdictions.
In the event that access to personal data from outside the UK were ever required, this would only occur where lawful under UK GDPR and subject to appropriate safeguards being in place.

Automated Decision-Making

The Owl Centre does not use automated decision-making or profiling. All clinical decisions are made by appropriately qualified professionals using clinical judgement.

Breach Procedure

If personal data is lost, damaged, or accessed inappropriately, we follow a formal breach management process, including:

• Incident reporting to the Compliance team
• ICO self-assessment and advice where required
• Internal investigation and corrective action
• Notification to affected individuals where legally required

Professional and Legal Obligations

All clinical staff are registered with relevant professional bodies (e.g. HCPC, GMC, NMC), which impose duties around confidentiality, information sharing, and record-keeping.

We comply with the UK GDPR and the Data Protection Act 2018 and are registered with the Information Commissioner’s Office as a data controller.

Our Lawful Basis for Processing Personal Information

• Legitimate interests (Article 6 UK GDPR) – necessary to deliver healthcare services
• Provision of health or social care (Article 9 UK GDPR) – processing special category health data under professional confidentiality obligations

Your Rights

You have the right to:

• Access a copy of your personal data
• Request correction of inaccurate or incomplete data
• Request erasure of your personal data in certain circumstances
• Request restriction of processing in certain circumstances
• Object to the processing of your personal data in certain circumstances
• Raise a complaint directly with The Owl Centre
• File a complaint with the Information Commissioner’s Office (ICO)
Some rights may be limited where data must be retained for legal, clinical, or safeguarding reasons.

Accessing Patient Records (Subject Access Request)

Requests may be made verbally or in writing. Copies are provided free of charge unless requests are excessive or complex, in which case a reasonable administrative fee may apply.

We will respond within one month of verifying identity, or up to two months for complex requests.