HealthHero Assist Privacy Policy

This Privacy Notice concerns HealthHero services and products under HealthHero Assist. For privacy information concerning other services please visit the HealthHero website.

Please read this Privacy Policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal information.

We are committed to improving access to mental health and related support services whilst protecting and respecting your privacy and confidentiality.

We are a provider of a number of products and services found on our services page here. Depending on which products and services you access, the data we collect and how we process it may differ. Please see the ‘Service Related Privacy Information’ section below for more detail.

How and why we use your personal information

We collect and process your personal and sensitive information solely for the purpose of providing you with access to our services. When we do so, we comply with the General Data Protection Regulations (GDPR) and the Data Protection Laws in the territory where your healthcare is delivered from.

Under Data Protection laws, we can only use your personal information if we have a proper reason for doing so. For example:

– to comply with our legal and regulatory obligations.

– for the performance of a contract with you or a third party or to take steps, at your request, before entering into a contract.

– to collect feedback from you on our services.

– for our legitimate interests or those of a third party.

Personal information we collect about you

We routinely collect and use the following personal information about you and the service user, if different, including:

– your name and contact information, including your home address, telephone number and email address.

– your date of birth; and

– if necessary, the name of the partner organisation who provides you with access to our services (e.g. your employer, insurer, or membership group) and any access code, policy, or membership number you may have.

– special category data such as health data as necessary for provision of our services

How your personal information is collected

We collect personal information directly from you. This may be via:

– Telephone

– Email

– Online Services (Webforms/Progressive Web Apps)

– Mobile Applications (App)

– Third Party Applications via APIs (Application Programming Interfaces)

We may also collect information directly from third parties e.g. insurance companies and other organisations which you are a member of.

Who we share your personal information with

We will not share any personal information with any third parties without your explicit consent or as otherwise set out in this privacy policy. We only allow third parties to handle your personal information if we are satisfied that they take appropriate measures to protect your personal information.

Where we have a lawful basis to do so, we may share personal information with:

– other companies within the HealthHero Group we use to deliver our services to you.

– third parties we use to help deliver our services to you.

– other third parties we work with to provide services to you, e.g. insurance companies.

– other third parties we use to help us run our business e.g. website hosts or developers.

– third parties approved by you.

The partner organisation who provides you with access to our services may require us to share personally identifiable information to validate your eligibility or confirm that you have used the service. Where we do not already have a lawful basis to share this information, we will seek your consent to do so.

We may also need to share aggregated anonymised information with other parties, such as potential buyers of some or all our business, or during a re-structuring. The recipient of any information will be bound by confidentiality obligations.

We may share aggregated anonymised information publicly and with our partners or clients. For example, we may share information publicly to show trends about the general use of our clinical services.

Information that we may be obliged to share for other contractual or legal reasons

You may have been referred directly to our services by a partner organisation as part of their contractual obligations to you, for the purposes of mental health support, psychological services, critical incident support, or a fitness to work assessment. Where this is the case, we may be obliged to share special categories of personal data with them in order that they can fulfil their contractual obligations to you.

We will share personal information with other third parties if we have a belief in good faith that access, use, preservation, or disclosure of the information is reasonably necessary to:

– meet any applicable law, regulation, legal process, or enforceable governmental request.

– enforce applicable Terms of Service, including investigation of potential violations.

– detect, prevent, or otherwise address fraud, security, or technical issues; and/or

– protect against harm to the rights, property, or safety of , our partners, users, or the public, as required or permitted by law.

Where your data is processed

All data is processed within the UK and our applications and case management system are currently hosted within UK South. We process data at our trading offices at Inspired, Easthampstead Road, Bracknell, Berkshire, RG12 1YQ, UK and (under contract) at the sites of data processors and third parties appointed by us within the UK.

Data security

We take appropriate technical and organisational measures to maintain your personal information in a secure environment and to prevent it from being accidentally lost, or accessed or used without authorisation. Our partners are bound by contract to do the same. We limit access to your personal information to those who have a genuine business need to access it.

We use Transport Layer Security (TLS) to encrypt and protect data traffic generated as part of our normal operations. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit. Any data held at rest is encrypted with AES 256-Bit Encryption.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software and you have a responsibility to ensure that any email you send is within the bounds of the law.

We will notify you and the supervisory authority of any suspected data security breach where we are legally required to do so.

Data Retention

Service User Records are retained in line with our Data Retention Policy for 6 years from the last date of your contact with the services.

All calls to our helplines and any returned call-backs are recorded with a retention period of 1 year in line with our Complaints Policy.

Our onsite booking records are retained for 7 years.

Service Related Privacy Information

Confidentiality

Service User confidentiality is one of the cornerstones of the clinical work delivered by us. Any information that you reveal during your assessment with either our telephone staff or clinicians is confidential to us and your clinicians and will not be shared back to your organisation, with the exception of Psychological Services. Your organisation does receive anonymous statistical information about the usage of the service.

In the case of Psychological Services, some session reports are shared with your organisation. You will always be provided the opportunity to read and request changes to these reports before they are shared. Further information will be provided when you access these services.

In some circumstances, a clinician may feel that it is in your best interests to provide information to a third party – for example, informing your GP of emotional issues that are affecting you. In these circumstances, you will be asked to sign a form that authorises the release of information. Confidentiality will not be broken unless the form has been signed.

The only exceptions to the above are situations where information revealed by a client indicates that the client, another person, or the client’s workplace may be in danger. If such a situation does arise, the information disclosed will be confined to what is strictly necessary and, wherever possible, the client will be consulted before the disclosure is made.

It may also be necessary to share some information with your organisation if you misuse the service, for example, by making excessive calls to the helpline. Informing your organisation is always a last resort.

In order to offer support across the UK and Ireland, we may use affiliate clinicians to provide our services. Our affiliates have all been vetted rigorously and are regularly reviewed by our clinical compliance team.

Mental Health Support Programmes (EAPs), Psychological Services and Critical Incident Management Services

The above services are accessed either by contacting our helplines or through a referral from your organisation. Your data is stored within our case management system and is only accessed by our staff as a necessary part of their job role. Our affiliate clinicians are granted access to your case file for the duration of your case and access is removed thereafter.

Your contact information is required by us to create a service user record. Depending on services accessed, health data may be collected along with other special category data if relevant to your service.

As part of our support programme you may also have access to legal, debt and health and wellbeing support. These services are provided by our partners/third parties. We do not transfer any data to our support partners except when investigating complaints following use of their services. Privacy information of these related services will be made available when you access the services.

Wellbeing Hub and eCounselling

Wellbeing Hub is an online portal used to access a variety of mental and physical health support articles, newsletters, videos and podcasts. When registering your account you will be asked to provide minimal information to set up your account and access services including your name, email and phone number.

Your account information is stored for the duration of the contract with your organisation and is then erased. If you wish to remove your account at any other time, please make a subject access request as described below.

You may also have access to eCounselling through Wellbeing Hub, a form of written structured counselling. Due to its clinical nature, data associated with this service is stored within the case management system and kept in line with other service user data for 6 years from the last date of contact with the service. Please be aware that if your Wellbeing Hub account is erased, your clinical information will remain in the case management system.

Management Referrals

Your organisation may also provide the option for referrals to our clinical services from your manager or your organisation’s HR team. These referrals can be made through Wellbeing Hub or by sending us a completed management referral form and contain your contact details as well as a short description of the reason for referral. Management referrals will always require your consent before any referral is accepted and you are free to withdraw your consent at any time.

Onsite Bookings

Your organisation may offer you access to onsite bookings through our services. This service allows you to create a user account and create bookings to speak to one of our clinicians onsite.

Personal information collected as part of the account creation process includes:

– your name and contact information, including your home address, telephone number and email address.

– your sex assigned at birth

– your date of birth; and

– if necessary, the name of the partner organisation who provides you with access to our services (e.g. your employer, insurer, or membership group) and any access code, policy, or membership number you may have.

– Reason for booking (may include health data or other special category data)

Once you engage with the clinician onsite, your personal data is processed in line with our mental health support program and a service user record will be created within our case management system.

 

Online services – Cookies

Our corporate websites and online services use cookies. Cookies are small text files that are stored on your device (e.g. computer, smartphone or other electronic device) to allow websites to store information about you in relation to the site. We collect statistics from our online services using Google Analytics, allowing us to record visitor numbers, number of pages viewed and referral source. This data simply helps us to administer and enhance the sites and services provided.

For full information on the cookies we use, please see our Cookie Policy.

You can manage your cookie preferences in your browser settings.

Third party links as part of our services

If you are using an online service provided by us, you may have access to links to other web sites. If you follow links to other sites from our hosted services, your data will be subject to the privacy policies of those sites. You should refer to these policies before providing any personal data to them. These other third-party websites may also use cookies or similar technologies in accordance with their own separate cookie policies.

The owners of these sites may be independent from us and we do not endorse or accept any responsibility for their content or services they may offer.

You may also access associated services through our support lines such as Debt Support, Legal Advice and Health & Wellbeing services. These services are provided by third parties and you will be presented with their own privacy information when accessing the service.

Your rights

Under the Data Protection Laws, you have several rights which may apply to the services we provide including the right:

– to ask us for copies of your personal information (the right of access).

– to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete (the right to rectification).

– under certain circumstances, to require us to delete your personal information (the right to be forgotten).

– under certain circumstances, to require us to restrict processing of your personal information e.g. if you contest the accuracy of the data (the right to restrict processing).

– under certain circumstances, to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party (the right to data portability).

– under certain circumstances, to object to our continued processing of your personal information e.g. processing carried out for the purpose of our legitimate interests (the right to object).

You can withdraw your consent to future processing at any time, but this right cannot be applied to data already processed.

For further information on each of those rights, including the circumstances in which they apply, please contact us.

Contacting us

Please note, while we may use affiliate clinicians as part of our services, HealthHero is the data controller and any Subject Access Requests should be addressed to us, rather than the clinician providing your direct support.

Should you wish to exercise any of your rights, if you have had a recent consultation you can make a Subject Access Request by calling the telephone number you have been given to access the service for support.

Alternatively, you may request access to information held about you by emailing compliance.eap.healthhero.com or by writing to:

For service users based in the UK:
The Data Protection Officer

Mental Health Services
HealthHero Solutions Ltd
Inspired,
Easthampstead Road,
Bracknell,
RG12 1YQ

 

For service users based in Ireland:
The Data Protection Officer

Mental Health Services
HealthHero Healthcare Ireland Ltd
2nd Floor, Palmerston House,
Denzille Lane,
Dublin 2
D02 WD37

 

If we are unable to confirm or have reasonable doubts concerning the identity of the person making a request to exercise the rights above, we will require additional proof of identity (e.g. a copy of your driving licence or passport and a recent utility or credit card bill) and/or evidence of the requester’s authority to exercise these rights.

We will ask for information on the right you wish to exercise and the information to which your request relates.

If you make a request, we will respond to you without undue delay and in any event within one month of your request.

Privacy Related Complaints

HealthHero Solutions Ltd is regulated by the Information Commissioner’s Office (ICO) in the UK and the Data Protection Officer for HealthHero Healthcare Ireland Ltd is registered with the Data Protection Commission in Ireland.

We hope that we can resolve any query or concern you may raise about our use of your information. However, if you are not happy with how we have processed your personal information, handled your privacy rights, or responded to a privacy related complaint, you can raise a concern with the appropriate supervisory authority:

For service users based in the UK:
The Information Commissioner’s Office
https://ico.org.uk/make-a-complaint/
Tel: +44 (0)303 123 1113

For service users based in Ireland:
The Data Protection Commission
https://forms.dataprotection.ie/contact

Notice Changes

If we are involved in a merger, acquisition, or asset sale, we will continue to ensure the confidentiality of any personal information and give notice to you if affected before personal information is transferred or becomes subject to a different privacy policy.

Changes may be necessary to this privacy policy from time to time to reflect contractual, legal or data processing developments. If we change this privacy policy, we will update it on our website.

Links checked and policy last updated on 25th April 2024