Privacy Notice for Service Users and Service User Representatives

Welcome

Here at Mental Health and Well Being Services Ltd (MHWS), we value your privacy and are committed to protecting your personal information. We are dedicated to safeguarding the privacy and security of your personal information and being transparent about why we need your data and what we do with it.

This Privacy Notice explains how we use your personal data, outlines our commitment to data security, and provides you with important information about your rights in accordance with the UK General Data Protection Regulation 2021 (GDPR), the Data Protection Act 2018 (DPA), and other applicable UK laws.

This applies to the following data subjects:

• Service User: An individual who has expressed an interest in, currently utilises, or has utilised services provided by MHWS.
• Service User Representative: An individual who represents a Service User in any capacity and may be their parent, guardian, friend, or relative.

Who Are We?

We are MHWS, a dedicated team offering services to support mental health and well-being. When you use our services or represent someone who does, we may need to collect and process personal information about you to ensure we provide the best possible care and support.

Purpose

We are committed to safeguarding the privacy and security of your personal information and being transparent about why we need your data and what we do with it.

This Privacy Notice describes how we process this personal information and explains your rights regarding your data, in accordance with the UK General Data Protection Regulation 2021 (GDPR), the Data Protection Act 2018 (DPA), and other applicable UK laws.

Processing Information

By law we need to tell you how we process your personal information. 'Processing' includes collecting, recording, organising, storing, using, sharing, erasing, or destroying data as defined in data protection law.

Types of Information

We may process both your paper and your digital data and this may include special category data which includes data relating to:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Health
• Sex life, or sexual orientation

It may also include:

• Genetic data
• Biometric data

Why Do We Process Personal Information?

We process personal information for several reasons, such as:

• To provide and improve our services
• To process your requests and fulfil our commitments to you
• To communicate with you effectively
• To personalise and tailor your experience with us
• To conduct research and analysis to enhance our services
• To comply with legal requirements and regulations
• To provide medical diagnoses, treatment, and care services

What Information Do We Collect?

We collect various types of personal information to help us deliver our services such as:

• Basic details i.e. name, date of birth, email address, phone number, address, next of kin
• Account credentials i.e. username, password
• Payment information i.e. name, email address, phone number, address
• Communication preferences i.e. your preferences for how we contact you
• Usage data i.e. information about how you use our website, such as website analytics
• Special Category Data i.e. race or ethnic origin, health information (including diagnoses, medication, treatments)
• Other information you voluntarily provide to us

How Do We Use Your Information?

We use your information for a wide range of purposes. These may include:

• Providing and improving our services to meet your needs
• Processing and fulfilling your requests efficiently
• Communicating with you to keep you informed and respond to your enquiries
• Personalising your experience to make our services more relevant to you
• Conducting research and analysis to improve our services and operations
• Complying with legal obligations to ensure we operate within the law
• Providing medical diagnoses, treatment, and care services to support your health

Our Lawful Basis for Processing

Under the UK GDPR, we process your personal information based on one or more of the following legal grounds:

• Performance of a contract: Necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract
• Consent: Based on your consent, which you can withdraw at any time
• Legitimate interests: Necessary for our legitimate interests, such as improving our services and ensuring the security of our website
• Legal obligations: We may process special category data to comply with legal obligations, such as fulfilling our duty of care or reporting notifiable diseases.
• Vital interests: In emergency situations where an individual's life or health is at risk, we may process special category data to protect their vital interests.

Your Rights

You have several rights regarding your personal information under the GDPR, including:

• Right of access: Request access to the personal information we hold about you
• Right to rectification: Correct or update your personal information if it is inaccurate or incomplete
• Right to erasure: Request the deletion of your personal information, subject to legal and regulatory requirements
• Right to restrict processing: Limit the processing of your personal information under certain circumstances
• Right to data portability: Receive a copy of your personal information in a structured, commonly used, and machine-readable format
• Right to object: Object to the processing of your personal information unless compelling legitimate grounds override your rights
• Right to withdraw consent: Withdraw your consent at any time if we rely on your consent to process your personal information

You can exercise any of these rights by contacting us. The best ways of doing this are listed within the ‘Contact Us’ section below.

Keeping Your Information Up to Date

To help us maintain accurate and current records, please let us know if your personal or contact details change as soon as possible. This helps ensure we can continue to provide you with the best possible care and support.

You can update your information by contacting us and the best ways of doing this are listed within the ‘Contact Us’ section below.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, regulatory, or business requirements. We have implemented a Record Keeping Policy and procedures to ensure that all personal data is securely deleted or anonymised when no longer needed.

Data Security

We use appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of your information until it is disposed of.

• Confidentiality: Only those people who need to see the information to perform their function will get to see it - we call that role-based access control
• Integrity: We commit to ensuring that data remains accurate and unaltered while we hold it
• Availability: We make sure that all the information we hold is available to those that need it for their jobs and decision making

Sharing Your Information

At times we may need to share your data with other people or organisations including:

• Legal representatives
• Healthcare professionals
• Court officials

If we do have to share your information, we will make sure we have a clear lawful basis to do so.

Service User Recording of Consultations

For the purpose of this section, references to 'Service Users' also include Service User Representatives acting lawfully on their behalf.

Some Service Users choose to make an audio or video recording of their consultation for personal note-taking purposes. This may fall within the UK GDPR's 'domestic purposes' exemption, depending on how the recording is used.

MHWS does not capture the audio or video of consultations, and we do not provide or support any technical tools for Service Users who wish to make their own recordings. Therefore, we cannot guarantee or troubleshoot any private recording methods, and we cannot recreate consultations where personal recordings fail.

Personal Note-taking Includes:

• Keeping a personal reminder of advice or guidance
• Reviewing the consultation privately later
• Sharing with a close family member or carer
• Sharing with your GP or another health professional involved in your care
• Sharing with a legal representative acting for you

These activities fall within personal use and remain your responsibility.

When Use Falls Outside Personal Note-Taking

The following types of use are unlikely to fall within the UK GDPR 'domestic purposes' exemption. Where this exemption does not apply, UK data-protection law, confidentiality law, safeguarding law, harassment law, or other legal obligations may apply to the individual making or sharing the recording.

In addition, such uses may breach MHWS policies and may affect our ability to continue providing services safely.

• Posting or sharing recordings on social media or public platforms
• Sharing with journalists, campaign groups, media outlets, or the public
• Editing recordings to misrepresent MHWS personnel
• Harassing, exposing, or targeting staff
• Sharing identifiable information about another person without an appropriate lawful basis (which may include consent)
• Any use that breaches MHWS policies or applicable UK law

Consequences of Unlawful or Inappropriate Use

If a Service User uses a recording in a way that is unlawful, harmful, or breaches confidentiality, MHWS may take one or more of the following actions:

• Restrict how we communicate with you in future, including types of appointment eligible for (in-person, remote/at distance)
• Refer the matter to the MHWS Senior Information Risk Owner (SIRO) or Data Protection Officer (DPO)
• Report the matter to external authorities where legally required (e.g., police, the ICO, safeguarding bodies)
• Where behaviour poses a risk to staff safety, clinical safety, or the safe operation of our service, this may affect our ability to continue providing care. Any decision to restrict or end services would be made proportionately and in accordance with our legal and professional obligations.

Your Responsibility if You Record a Consultation

If your use of a recording goes beyond purely personal or household purposes, you may become a Data Controller under UK data-protection law. This means you would be legally responsible for how the recording is stored, used, and shared.

UK GDPR and the Data Protection Act 2018 may apply to your recording if you use or share it beyond your own personal, household, or note-taking purposes.

Your Responsibilities Include:

• Keeping the recording secure and preventing unauthorised access
• Ensuring you have an appropriate lawful basis under UK data-protection law before sharing the recording beyond personal use (which may include obtaining consent where required)
• Ensuring any sharing or further use complies with UK law, including privacy, confidentiality, and data-protection requirements

Nothing in this section affects a Service User’s legal right to make personal recordings for their own use.

National Data Opt-Out Programme (NDOP)

The National Data Opt-Out Programme generally gives you the ability to stop health and social care organisations from using or sharing your confidential patient information for purposes beyond your individual care and treatment, except where specific exemptions apply.

Although NDOP is an NHS initiative that automatically applies to NHS Service Users, we have implemented it for both our NHS and private Service Users. We have adopted this singular approach to provide a consistent and fair experience for everyone, regardless of your relationship with us.

The NHS publishes comprehensive information about NDOP. To learn more, you may wish to visit:

• www.nhs.uk/your-nhs-data-matters
• Opt-out of sharing your health records - NHS

Please note that whilst reading these resources, our implementation covers both private and NHS Service Users, though NHS documentation primarily refers to the NHS and NHS Service Users.

To manage your NDOP preferences, you can use the NHS service online, by telephone, or by posting a printed form. For detailed information on this process, including contact details, please visit: https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out/setting-or-changing-a-national-data-opt-out-choice.

We review our data processing annually to assess whether the national data opt-out applies and record this in our Record of Processing Activities (ROPA). All new data processing is evaluated against NDOP requirements. For any processing that falls within the scope of the National Data Opt-Out, we check against a centralised database to respect the preferences of Service Users who have opted out.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the revised version on our website or through other reasonable means. We encourage you to review this Privacy Notice periodically for any updates.

Contact Us

If you:

• Would like to inform us of changes to your contact details
• Would like to exercise any of your rights under UK GDPR
• Have any questions or concerns, including regarding any aspects of this privacy notice

Please contact us, with the best ways to do so being listed below:

• Email us via our website contact form: https://www.mentalhealthandwellbeing.co.uk/contact.php
• Visit or send a letter to our address:
  • Mental Health & Well-being Services Ltd. ,Oak House Sitka Drive, Shrewsbury Business Park, Shrewsbury, SY2 6LG
• Telephone us within business hours: 01743 297 937

Definitions and Clarifications

• Service User: An individual who has expressed an interest in, currently utilises or has utilised services provided by MHWS
• Service User Representative: An individual who represents a Service User in any capacity such as their parent, guardian, friend, or relative
• National Data Opt-Out Programme (NDOP): An NHS provided service that allows individuals to opt-out of having their confidential patient information used or shared for purposes beyond patient care (MHWs employs this service for both private and NHS patients)
• Data Processing: Includes collecting, recording, organising, storing, using, sharing, erasing, or destroying data as defined in data protection law.

Last updated: 12/02/2026

Website Cookie Notice

Essential Cookies (Session Cookies)

A session cookie is temporary and lasts only as long as that 'session' of browsing. The cookie will last from the time it was set (usually once the website was visited), to the website being left and / or the browser being closed.

In most cases the data that is stored by Session Cookies holds no real personal information - its most common use is to hold state information such as keeping you logged into a website, storing choices made or holding what's in your basket during online shopping.

How We Use Session Cookies

This website uses session cookies to perform tasks which enable the functionality of the website. We use session cookies to store whether or not you are logged into the website, restriction of certain areas of the website, ascertaining your cookie preference in line with UK GDPR and enabling general administrative duties.