Privacy Policy
Who we are
This Privacy Notice describes how Mental Health Innovations (“MHI”, “we”, “us”, “our”) collects and uses your personal information, including your sensitive health data, in connection with providing The Mix services, which include supporting children, the young and vulnerable adults suffering from mental health challenges by the provision of our remote counselling and associated services (our “Mental Health Services”).
Our address is: Mental Health Innovations (“MHI”), PO Box 78319, London, W10 9FE. MHI’s registered charity number is 1175670. We are registered with the Information Commissioner’s Office under number: ZA480522. Our data protection officer’s contact details are here.
The charity YouthNet, which previously provided The Mix services, merged with MHI. Both charities offer complementary mental health support services to the public, at a distance, using digital technology. Following the merger, MHI is the sole controller of your personal information.
We are committed to safeguarding your personal information (also known as “personal data”) in line with all applicable laws, including the UK Data Protection Act 2018, the UK General Data Protection Regulation (collectively the “GDPR”) and the common law of confidentiality.
What this Privacy Notice does
This Privacy Notice explains:
- The data we collect from Service Users and others
- How we use your personal information and the lawful basis/ground(s) relied upon
- With whom we may share your personal information and where we may transfer it
- How long we retain your personal information for
- How we protect your personal information
- Confidentiality and disclosure to third parties
- Police, social, and medical services
- Your data subject rights regarding your personal information
- What to do if you do not wish for us to collect or hold your personal information
- Contacting us and the UK’s data protection supervisory authority
In some cases, additional or supplemental privacy notices may be created to apply to specific circumstances when we may collect your personal information. For example, this Privacy Notice does not cover our volunteers or donors and funders; see our Volunteer Privacy Notice and Marketing and Fundraising Privacy Notice.
We may amend this Privacy Notice from time to time, so we encourage you to refer to it periodically. If the alterations are material or affect your GDPR rights, we will let you know before the updated version becomes effective so that you may exercise your right to object if you wish. If you have any questions, please contact us at [email protected].
The data we collect from Service Users and others
We collect personal information about individuals who:
- submit comments or questions to us (“Enquirers”);
- register to receive or otherwise use our services (“Service Users”); and
- visit our website (“Visitors”).
We group the types of data we collect together into the following categories:
- Demographic Data: age, gender;
- Identifiers: first and last name, postal address, telephone number and username;
- Internet Data: including your device’s browser type and version, operating system and platform, browser plug-in types and versions, browsing history, device ID, IP address, MAC address, data about how you have interacted with our website;
- Registration Data: date of birth, email address and IP address;
- Special Category Data: including physical and mental health and disability data, racial or ethnic origin, religious or philosophical beliefs, sexual orientation and sex life; and
- Location Data: postal address, city, town, country.
We allow third-party controllers to undertake Research on personal data that we control, either in a form which can no longer directly identify the individuals concerned because their identity is hidden by the application of a code, either by us or the researcher (“Pseudonymous Data”), or in a form which is fully anonymous and cannot identify the individual (“De-identified Data”). Research in the public interest into the mental health challenges facing our Service Users is one of our important charitable aims. We may make the results of the research publicly available to help inform the wider societal debate about the state of the nation’s mental health and to inform policy on how best to rise to this challenge. Under no circumstances will any Service User be identifiable in the publicly available results of the Research.
We take appropriate steps to keep all personal information accurate, complete and up to date. If you believe your personal information is out of date or incomplete, please contact our data protection officer.
How we use your personal information, and the lawful basis/ground relied upon
Activity | Type of person | Lawful processing ground(s) and condition(s) as defined below |
Providing, securing, protecting and improving our website and other communication channels | ● Enquirers ● Service Users ● Visitors | ● Consent ● Legitimate Interests in running, improving and maintaining our website and other communication channels to provide Mental Health Services |
Administering our relationship with you, including with our Service Users | ● Enquirers ● Service Users | ● Consent ● Legitimate Interests in preventing abuse of our services and protecting the safety and interests of other service users ● Legal Obligation ● Services in the Public Interest ● Performance of a Contract |
Delivering and measuring the success of targeted online communications | ● Enquirers ● Service Users ● Visitors | ● Consent ● Legitimate Interests in achieving our charitable aims, running and improving our charity by understanding better the success of online campaigns to continue and improve our Mental Health Services |
Raising awareness of our charity, its aims and activities, including by sending newsletters and surveys | ● Service Users ● subscribers | ● Consent ● Legitimate Interests in keeping stakeholders up to date on our strategy, achievements and aims and seeking feedback by way of surveys |
Fulfilling legal and/or regulatory obligations and/or compelling requests | ● Enquirers ● Service Users ● Visitors | ● Comply with a Legal Obligation ● Legitimate Interests in responding to mandatory or compelling voluntary requests for information ● Services in the Public Interest ● Legal Claims |
Managing and improving our provision of our Mental Health Services | ● Service Users | ● Legal Obligation ● Legitimate Interests in responding to Service Users’ requests to receive our Mental Health Services and in training our employees, volunteers and counsellors ● Performance of a Contract ● Vital Interests |
Internal audit and compliance purposes | ● Enquirers ● Service Users ● Visitors | ● Comply with a Legal Obligation ● Legal Claims ● Legitimate Interests in ensuring compliance with internal policies and procedures and law/regulation ● Services in the Public Interest |
Research into the state of the nation’s mental health, the challenges Service Users face and the efficiency of our Mental Health Services | ● Service Users | ● Legitimate Interests in achieving our charitable aims including the provision of free at point of use Mental Health Services and using data for research purposes ● Research |
Processing personal data into De-identified Data, Pseudonymous Data and/or anonymous data | ● Enquirers ● Service Users ● Visitors | ● Legitimate Interests in conducting research on survey feedback data and protecting individuals’ privacy by undertaking analysis of aggregated and anonymous data ● Research |
Explanation of the lawful processing grounds/conditions
Comply with a Legal Obligation means processing your personal information where it is necessary for us to comply with a legal obligation.
Consent means an explicit, specific, informed, freely given unambiguous indication of your agreement to our processing of your personal information.
Legitimate Interests in general means our interest in conducting and managing our charity, providing our Mental Health Services and working towards our charitable aims, as further explained in Table 1. Before we process your personal information in our legitimate interests, we undertake an assessment to consider and balance any potential impact on you (both positive and negative) and your rights. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your Consent, or the processing is needed to Comply with a Legal Obligation, to conduct Legal Claims, to protect Vital Interests or for the provision of the Mental Health Services). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific processing activities by contacting our data protection officer here.
Performance of a Contract means processing your personal information where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering such a contract (i.e., when you agree to our Terms and Conditions online).
Additional lawful processing conditions: Special Category Data
Legal Claims means processing your special category data because it is necessary for us to establish, exercise or defend legal claims.
Services in the Public Interest means processing your special category data to provide confidential counselling, advice or support in the public interest, including where necessary protecting you or another individual from neglect, physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of children or vulnerable adults.
Research means scientific research undertaken in the public interest, on the minimum amount of Pseudonymous Data necessary to achieve the research’s purpose. We ensure our research is unlikely to cause substantial damage or substantial distress to you or another and that the results are not to be used for the purpose of taking decisions about individuals.
Vital Interests means processing your special category data where it is necessary to protect your (or another individual’s) life or death interests and you are incapable of giving Consent (e.g., a violent domestic disturbance).
Our use of cookies and other similar technologies
We use cookies and equivalent technology to enable the website to function effectively and to improve the experience. Some cookies are used to collect Internet information. For more information about our use of cookies, and your options for accepting or declining them, please see our Cookie Policy and cookie banner. You may change your cookie settings at any time via the cookie consent management tool on our website.
With whom we may share your personal information and where we may transfer it
We respect and seek to preserve the confidentiality of the personal information we control. However, in certain circumstances, including as discussed below, we may share your personal information with third parties, including with: (a) our authorised volunteers, directors and third-party service providers; (b) further independent controllers (including professional advisers, accountants and researchers) with whom we have appropriate agreements; (c) government and regulatory entities; and (d) police, medical and/or social services to keep Service Users safe and protect them from harm (collectively the “Recipients”). A current list of all our Recipients is available upon request by contacting us. Further, we may disclose your personal data to third parties to whom we may sell (or buy), transfer or merge part(s) of our charity or assets.
Restricted transfers
Your personal data is primarily stored within our charity’s servers located within the European Union and/or the UK or other countries deemed adequate under the GDPR (“Adequate Countries”). However, subject to the application of suitable safeguards, we have the right to move your personal data and our servers (including those provided by our third-party service providers) to areas outside the Adequate Countries. In the absence of a decision on adequacy by the UK’s Secretary of State, the suitable safeguards include undertaking transfer risk assessments, guarantees of a contractual or negotiated nature, including Binding Corporate Rules and approved international data transfer agreements. In the absence of a decision on adequacy or the other suitable safeguards described above, the transfer to and/or processing of your personal data outside the Adequate Countries will only be carried out with your Consent. You can request redacted copies of the international data transfer agreements which protect your personal data by contacting us.
How long we retain your personal information for
We retain your personal information in accordance with our retention policy which sets out retention periods as may be required by law, or where there is a reason to keep it because of our need, legal action (actual or in reasonable contemplation), or for internal or external investigations. After that, we will permanently delete your information. You can request a copy of our retention policy by contacting us. Anonymised and aggregated data from your indirect interactions with us, from which you cannot be identified, may be retained indefinitely and used for research.
How we protect your personal information
We adopt a variety of security measures and technologies to help protect your personal information from unauthorised access, use, disclosure, alteration or destruction in line with the GDPR. We oblige our third-party service providers to implement at least equivalent standards of data protection as stipulated in our contract with them.
Confidentiality and disclosure to third parties
MHI respects and seeks to preserve the confidentiality of Service Users. This confidentiality is based on the common law ‘duty of confidence’ and is shared between the Service User and MHI. MHI’s volunteers and staff also have an obligation of confidentiality to Service Users. They will only use and disclose any information provided to them within the rules set by MHI. No identifying information or discussion between a Service User and MHI is disclosed to an external third party except in the exceptional circumstances outlined below.
We will always endeavour to get a Service User’s consent before we contact a third party. However, there are situations, described below, where we will pass on information without consent. This may include where we are under a legal obligation to do so, or we need to share the information to protect the Service User’s vital interests. If we deem that the situation is safe for the Service User, we will work with them in making decisions about involving a third party. We will only share information with people or entities when the law allows us to do so.
We will always think carefully about whether we need to break confidentiality. This is especially important if a Service User is a young person, aged under 18. We may need to break confidentiality and engage with a third party in the following circumstances:
- We believe that a Service User’s life is in imminent danger;
- We believe that a Service User or someone else is at risk of significant harm;
- A Service User is a young person, aged 17 or under, who is being hurt, abused or neglected;
- A Service User is identified as an adult at risk, because of vulnerabilities that are disclosed, who is being hurt, abused or neglected;
- A Service User tells us, or we suspect that a Service User has committed or is about to commit a serious crime; and/or
- A Service User tells us that they are endangering the safety of another person.
We are also unable to provide confidentiality in the following circumstances:
- A message sent to or through the Mental Health Services that contains specific information about a terrorist suspect or terrorist activity that will take place or has taken place in the world. This information must immediately be disclosed to the police;
- MHI is forced through legal action to disclose specific confidential information; this can include legal action taken under the Data Protection Act 2018 and during criminal investigations.
Police, social and medical services
If one of MHI’s volunteers or staff identifies an imminent risk of harm to a Service User or someone else (there is the desire, plan, means, timeframe) or suspects emotional/physical abuse or neglect, they may let a Service User know they’re concerned about their safety. At this point, they might ask for additional information (such as the Service User’s age, where they are and their name). If we have concerns about their safety or they share information about the abuse of a child or young person, we may contact the police, medical, or social services. Where possible, we will obtain consent to contact police, medical, or social services. However, in situations where a Service User is unable to consent, or where we think their judgement may be compromised, we may still contact the police, medical, or social services in order to protect their vital interests and get them the help and support they need.
Your data subject rights regarding your personal information
We comply with the GDPR which gives individuals a number of rights over their personal information. Depending upon the lawful processing ground/condition(s) relied upon to justify our processing of your personal information you may be entitled to request:
- Access to your personal information (commonly known as a “data subject access request”) such as to receive a copy of the personal information we hold about you;
- Correction of the personal information that we hold about you, if the information is incomplete or inaccurate;
- Erasure of your personal information where there is no good reason for us continuing to process it or where you have exercised your right to object to processing;
- Objection to our processing of your personal information where we are relying on our Legitimate Interests (or those of a third party) as the lawful basis;
- Restriction or suspension of processing of your personal information where we are relying on our Legitimate Interests;
- Transfer (portability) of your personal information to another party where we are relying on your Consent or Performance of a Contract as the lawful basis; and
- Withdrawal of your Consent to the processing of your personal information, where we previously obtained it.
What to do if you do not wish for us to collect or hold your personal information
If you would like to exercise your rights, please contact us. We may ask you to verify your identity before fulfilling the request. Verification ensures that your personal data are kept secure. If you would like to make a complaint, please refer to the Contacting us and the UK’s data protection supervisory authority section for more information.
Depending on the nature of the request, you may not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded or excessive. Alternatively, we may refuse to comply with the request in the exact terms in which you made it.
Contacting us and the UK’s data protection supervisory authority
If you have any questions specifically about this Privacy Notice, or wish to make a request to exercise your GDPR rights, please contact our data protection officer: [email protected]
Address: PO Box 78319, London, W10 9FE
If you are dissatisfied with how we have handled your personal information or request, please contact us in the first instance and we will aim to resolve the matter. However, you have the right to submit a complaint to the data protection supervisory authority in the United Kingdom, the Information Commissioner’s Office (details here). In addition, and in the alternative, you also have the right to bring a claim in the courts.