Imagine Health

Privacy Policy

In 2020, Imagine Health transitioned from Helix Health CRM to WriteUpp for practice
management. WriteUpp is professional software designed for clinics and healthcare
professionals. It is ISO27001 certified and GDPR compliant, utilising two-factor
authentication and encrypted data replication across multiple servers to ensure the security
of your records.


All Imagine Health employees have unique, secure logins to access client details. Imagine
Health records all client personal information, including referral details and collateral history
where applicable. Each client interaction with an Imagine Health therapist results in a session
note containing the relevant session details and the therapist's reflections and opinions. These
notes are accessible only to the relevant therapist and the administration team. Upon referral,
each client is assigned an identification number so that records can be handled without direct
reference to identifying personal information (this is pseudonymisation rather than
anonymisation, since the number can still be linked back to the client).


All data is stored in accordance with the Data Protection Act 2018, the UK GDPR, and strict
guidelines from the Psychological Society of Ireland (PSI), the British Psychological Society
(BPS), the Irish Medical Council (IMC), the General Medical Council (GMC) in the UK, and
the Health and Care Professions Council (HCPC) in the UK.


Imagine Health has a detailed policy on data protection, file sharing, and encryption, which
provides clear guidelines for staff on data collection, storage, sharing, and deletion. Imagine
Health uses WriteUpp Practice Management software to store confidential client information,
ensuring GDPR compliance. Imagine Health is registered with the Data Protection
Commissioner, and its inclusion can be viewed on the public register at
www.dataprotection.ie.


1.1 Data Protection


Confidential Information
This policy provides clear guidance on the storage, transmission, and disposal of confidential
information.
This policy is mandatory and must be adhered to by all users (including employees,
affiliates, volunteers, and students) of Imagine Health’s IT resources and all who have
access to confidential information.


Information Classification
All information (irrespective of its format) owned, created, received, stored, and processed
by Imagine Health can be classified into one of the following categories based on its
sensitivity:


Public: Information intended for distribution outside the Company, with no impact if
mishandled.
• Examples: Client information leaflets, media releases, web content, job postings.
Internal: Information for internal distribution among Imagine Health staff and authorised
third parties, with minimal impact if mishandled.
• Examples: Internal telephone directory, internal policies and procedures, some training
documentation, inter-office memoranda.
Confidential: Information whose unauthorised or accidental disclosure could seriously
impact the Company, its staff, business partners, or clients. Information whose classification
is uncertain must be treated as Confidential until clarified.


1.2 Storage of Confidential Information


General Principles
All electronically held confidential information must be stored on a secure Imagine Health
network server with strict access controls. If stored elsewhere, it must be encrypted and kept
secure.


Desktop Computers
Desktop computers in public or third-party facilities, and those used by staff working from
home, must have encryption software installed.


Laptops, Mobile Computers, and Smart Devices
All Imagine Health laptops and mobile devices must have encryption software installed, be
password protected, and run up-to-date anti-virus software. Confidential information must be
deleted from these devices daily.


Removable Storage Devices
All confidential information on removable storage devices must be encrypted and stored
securely when not in use, and deleted daily.


USB Memory Sticks
Confidential information may only be stored on approved encrypted USB memory sticks,
which must be used and purged appropriately.


Printed Information
Confidential printed information must be stored in locked filing cabinets within Imagine
Health offices or in suitable locations at business partners' premises. The keys to these
cabinets must be kept secure.


1.3 Sharing Confidential Information


General Principles
Confidential information must be shared on a "need to know" basis and only with authorised
individuals. Personal information used for purposes other than client care must be
anonymised, or the client's consent must be obtained.


1.4 Disposal of Confidential Information


Disposal Protocols
Hardcopies of confidential information must be shredded, and electronic copies deleted and
purged from devices. Records must be retained for the specified retention periods and must
not be disposed of while litigation is likely.


1.5 Data Protection Breach: Management Plan


Breach Management
In the event of a data breach, the details must be recorded, reported to the line manager, and
investigated by the Management Team. A post-incident review confirms that the response was
appropriate and identifies improvements.


1.6 Responsibilities


IT Manager
Responsible for encryption facilities, deployment, management, training, and routine audits.


Office Manager
Ensures adherence to the policy and conducts audits as deemed appropriate.


Users
All users must comply with the policy and report breaches.


Line Managers
Implement the policy within their business areas, instruct staff, consult with the Clinical
Director on breaches, and manage email access termination.


Enforcement
Imagine Health reserves the right to take appropriate action against individuals or third-party
providers who breach this policy. Breaches may result in disciplinary action, including
suspension and dismissal, or contract cancellation for third-party providers.


Electronic Password Standards
Passwords must meet specific complexity requirements, be unique, and change regularly.
Users must keep passwords confidential and not reuse them across multiple systems.