
White Oaks Privacy Policy
​​
White Oaks and whiteoaks@org.uk are trading names of White Oaks Limited (“White Oaks”, “we”, “us” or “our”).
The registered company address for White Oaks Limited is White Oaks, 87-89 High Street Chobham, GU24 8AF. We are registered in England.
​
www.whiteoaks.org.uk is a website, owned and operated by us (each a “Site” and together the “Sites”).
This Privacy Policy was last updated on 7th September 2024.
This Privacy Policy is designed to ensure that the rights to privacy of individuals are protected.
White Oaks are committed to the principles set out in the General Data Protection Regulation 2016/679 (“GDPR”), as implemented in the Data Protection Act 2018, and UK GDPR and aim to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected.
​
This Privacy Policy describes how White Oaks manage your information when you use our services and / or our Site(s), if you contact us or when we contact you.
​
It also provides extra details to accompany specific statements about privacy that you may see when you use our websites (such as cookies). In respect of cookies the policy includes information about the types of cookies used and how you may disable these cookies.
​
White Oaks Limited is the data controller in relation to personal data that you disclose to us. If another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information. We will also tell you if the data is held outside of the UK or EU.
​
“data controller”, “data processor” and “personal data” have the meanings given to them in the UK GDPR. Personal data broadly means any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
​
If we collect health-related data this is considered ‘sensitive’ and is subject to specific processing conditions (see section 2.3.1).
​
If you have any questions regarding this Privacy Policy, you can contact our Data Protection Officer, Sharon Swanston (see section 15 for contact information).
If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO) via https://ico.org.uk, Email: casework@ico.org.uk, Telephone: 0303 1231113. White Oaks’ ICO certification number is Z3109168.
​
1. Why do White Oaks need to collect your personal data?
We need to collect information (lawful basis is consent) about you so that we can:
- Know who you are so that we can communicate with you in a personal way. The lawful basis for this is consent.
- Deliver goods and services to you. The lawful basis for this is consent.
- Process your payment for the goods and services. The lawful basis for this is the contract with you.
- Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is consent.
- Optimise your experience on our website. The legal basis for this is a legitimate interest.
- Provide you with useful and relevant Sites. The legal basis for this is a legitimate interest.
- Provide you with useful and relevant marketing material. The legal basis for this is consent (we will request specific consent and you may rescind this at any time).
2. What personal information do White Oaks collect and why do we collect it?
2.1 When you access our websites
On our websites White Oaks use cookies to gather information about visitors in order to monitor the quantity of website traffic. White Oaks do not identify you or any other individuals from this information.
2.2 When you make an enquiry through White Oaks.co.uk
If you contact White Oaks through our website we will ask your permission to store the following information to ensure that the site works correctly:
- Your name
- Your email address
- Your telephone number
2.3 When you commission White Oaks to provide mental health (including neurodevelopmental assessments and Educational Psychology) services:
Should you choose to engage us to provide Psychology Services, we need to collect information through our pre-assessment forms so that we can provide the best possible service to you:
- You and your child’s names, contact details and your child’s date of birth
- Your health insurance details (where applicable)
- Details of the issue that led you to commission our services
- Information on your child’s developmental history and relevant family history
- We will not contact your GP or child’s school without explicit permission
- When we take payment via bank/credit card, this is through our payment solutions provider. You will provide your credit/debit card information directly via the card machine or, if you phone to pay, we will manually enter this for you and not store the information. The payment solutions provider will process payment details and authorise payment using a secure server and encryption. Information you provide to the payment solutions provider is subject to their own terms and conditions. This is not within our control and we have no liability for these.
2.3.1 Sensitive Data: The information above is considered to be “sensitive data” in UK GDPR law. The lawful basis for processing this data is “If the party concerned has given his or her explicit consent”.
3. How do White Oaks use the information that we collect?
White Oaks use the data we collect from you in the following ways:
- Operate and improve our Sites, services and goods
- Send you advertising or promotional materials (if you have consented to this)
- Provide and deliver goods or other services you request, process transactions, and send you related information
- Respond to your comments, questions, and requests and provide you with requested customer support
- To create your invoice.
- Comply with legislation, regulations and auditors
4. Where and why do we keep the information?
White Oaks keep information as described below. This is to ensure a high-quality service for our clients. Please note that we do not transfer or store any personal data outside the EU.
4.1 Clients who are actively engaged in services with White Oaks may have:
- A paper-based notes folder as these items are referred to in subsequent appointments. These are kept in a locked filing cabinet. The information is uploaded to our electronic notekeeping system and cross-shredded within 12 months of completion.
- Electronic documents stored on White Oaks devices using an EU-located secure cloud-based system (Microsoft Azure).
- White Oaks uses an encrypted package designed as a specialist system for confidential notes and holding full GDPR compliance. This service is classified as an additional data processor. White Oaks has its own Microsoft SQL Server database separate from any other customer data.
4.2 In our accounts package so that we can invoice for services and keep track of payments: We use a cloud-based accounts package known as Microsoft Business Central, provided by Microsoft plc, that stores the information in the EU. Our accountancy firm is called Kirk Rice, who are classified as an additional data processor and who have access to the online book-keeping accounts for accounting purposes. They keep no physical storage of personal data records and there are contractual arrangements with these parties to retain data in accordance with UK GDPR.
5. How long do we keep the information?
5.1 If, having made an enquiry, you subsequently decide that you do not wish to proceed with White Oaks services, your information will be kept for a maximum of one year before being safely destroyed in accordance with our policies and UK GDPR. This is to ensure we provide the best possible service should things change and you contact us again.
5.2 If you do commission services through White Oaks we store information for children and young people in line with Department of Health recommendations: Retain until the patient’s 25th birthday, or 8 years after the last treatment date or death.
An annual check is made and clients’ data removed as appropriate.
http://www.bma.org.uk/ethics/health_records/retentionrecords.jsp
​
5.3 Financial records: The default standard retention period for HMRC records is 6 years plus current, otherwise known as 6 years + 1. This is defined as 6 years after the last entry in a record followed by first review or destruction to be carried out in the additional current (+ 1) accounting year.
Records will only be retained beyond the default HMRC retention period if their retention can be justified for statutory, regulatory, legal or security reasons or for their historic value. The disposal periods for records retained for extended duration must be included within line of business retention schedules.
6. Who do White Oaks send the information to?
We will only send information necessary to achieve business purposes and as agreed with clients. We send invoices and reports to health insurance companies and other professionals as required professionally.
As previously stated, cloud storage providers will have information shared with them in compliance with GDPR. Information is shared to the degree necessary for accounting and tax purposes. White Oaks never permanently stores any personal information in cookies that can be used to identify you, such as your name or account numbers. The exceptions to the above rule would be:
- Risk of harm: if we perceived that the child, or someone else, was at risk of harm. If we needed to breach confidentiality for any reason (and this is very rare) we would always discuss this with you first unless in an emergency situation e.g. we felt the child to be in immediate danger.
- To comply with applicable laws; respond to governmental enquiries (or enquiries from a legal, governmental or quasi-governmental or local authority agency); comply with a valid legal process or procedure; or protect our rights or property; to comply with legislation, regulations and auditors.
7. Informed consent and sharing information from therapeutic sessions
All children and young people, whatever their age or status, have a right to express their views freely and be involved in any decision-making that affects their lives. Therefore, we will gain their informed consent. Any direction or guidance provided by parents or other caregivers must be ‘in accordance with the child’s evolving capabilities’ and support the ‘exercise by the child of his or her rights’. The onus is then on the adults to provide appropriate support to enable the child or young person to express their views and contribute to decision-making. Our team will discuss and agree how information is shared with parents with an awareness that young people who are ‘Gillick competent’ can consent to information not being shared with parents.
The exceptions to the above rule would be:
- Risk of harm: if we perceived that the child, or someone else, was at risk of harm. If we needed to breach confidentiality for any reason (and this is very rare) we would always discuss this with you first unless in an emergency situation e.g. we felt the child to be in immediate danger.
- To comply with applicable laws; respond to governmental enquiries (or enquiries from a legal, governmental or quasi-governmental or local authority agency); comply with a valid legal process or procedure; or protect our rights or property; to comply with legislation, regulations and auditors.
Occasionally, a disagreement over consent may arise between parent/carer and child or young person and/or between parents/carers. The psychologist would make every effort to resolve the difference of views, perhaps seeking, with agreement, involvement of an appropriate family member and/or a colleague, although as discussed above, a young person who is ‘Gillick competent’ can legitimately request that family members (including parents) are not involved or informed of any involvement. If the disagreement is not resolved, the psychologist will draw on their professional experience to act in the best interest of the child or young person seeking consultation and support through appropriate channels, including safeguarding and legal departments, and consultation with appropriate colleagues including other professionals.
8. How can I see all the information you have about me?
You can make a subject access request to us. This should be via email (see section 15 for address). We may require additional verification that you are who you say you are to process this request. We may withhold personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
9. What if my information is incorrect or I wish to be removed from your system?
Please contact us (see section 15). We may require additional verification that you are who you say you are to process this request. If you want to have your data removed we will have to determine whether we need to keep the data, for example to comply with professional bodies or HMRC. If we decide that we should delete the data, we will do so without undue delay.
It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data.
10. Will we send emails and text messages to you?
As part of providing a service to you we may communicate via email, keeping the information in the body of the text to a minimum. Any reports with personally identifying or sensitive information that we send to you will be password protected. All emails are deleted as soon as practically possible.
We will not send you any marketing communications without your express consent.
11. How do I opt out of receiving emails and/or text messages?
If you do not wish to receive information through these means, please contact us (see section 15).
12. What happens in the event of a data breach?
The Data Protection Officer is responsible for responding to personal data breaches. He or she notifies the ICO as necessary and also data subjects where the risk to them is high. Breaches which carry any risk to data subjects must be reported to the ICO within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again. All personal data breaches, however minor, and whether reportable or not, are recorded.
13. Changes to this Privacy Policy
13.1 We may change this Privacy Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
13.2 Any changes will be immediately posted on our Sites and you will be deemed to have accepted the terms of the Privacy Policy on your first use of either Site following the alterations, or if we have made you aware of the changes via email or text. We recommend that you check this page regularly to keep up-to-date.
14. Summary of your rights
Under the GDPR, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the contact details given at the start of this Privacy Policy.
- The right to access the personal data we hold about you. Clause 8 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Clause 9 will tell you how to do this.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we hold. Clause 9 will tell you how to do this.
- The right to restrict (i.e. prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
- The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent, it is in our legitimate interest or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business.
- Rights relating to automated decision-making and profiling – we do not use your personal data in this way.
15. How to contact us:
Our email address is admin@whiteoaks.org.uk