FAQs
      Back to home
      1. Help Center
      2. PeopleSense Booking Experience
      3. FAQs

      FAQ: Booking System Security. What if someone shares our custom booking link or organisation code to someone ineligible for care?

      We take the issue of illegitimate access to our services very seriously. This article covers our approach to security and access.

      Because clients are able to book "straight-through" using the new PeopleSense booking system, we're using an enhanced series of check points that build on how we currently verify client access with calls or emails to our Reception team.

      In summary, there are several certifications and declarations clients will have to supply when making a booking online:

      • The client will need your organisation's custom booking link or organisation code - the 6-character code at the end of your booking link. Clearly, a link or code can be shared, but this is only our first level of protection. Custom booking links and the organisation code use a random 6 character alphanumeric code to identify your organisation. This means there are nearly 600 million possible codes with an approximately 1 in 1.2 million chance of someone guessing a valid code. We have procedures in place to prevent automated code scanning or attempts to guess codes, as well as other protections on the site. Access codes and booking links can also be changed if there is evidence that a significant sharing has taken place or, if needed, can be refreshed on an periodic basis in coordination with customer contacts.
      • We next ask the client to define their relationship to your organisation. They are required  to read a definition of that relationship and make a declaration that this is who they are. For example, if ‘Acme Corp’ defines a family member as a “spouse/partner or dependent child of an employee”, the client will have to explicitly agree that this applies to them.
      • We then collect detailed client profile information, which is needed to create the client's file. Accurate email and phone numbers are required and we validate them via verification codes. Bookings can not be made without this step.
      • If the client is representing that they are an employee or member of your organisation, we will additionally collect their detailed Company Demographics – these will be required.
      • Lastly we will conduct audits of activity and have various lock out mechanisms available to us, including preventing online booking for individuals or whole organisations.

      We keep in mind that clients are choosing to book a psychology treatment session with a psychologist. We believe that fraudulently mis-representing who they are to receive such treatment would significantly undermine the value of their counselling and treatment. Additionally, our psychologists are well attuned to behaviours that would lead to misrepresentation of this kind and our system provides mechanisms for sessions to not be billed in the event that we suspect this unlikely type of activity. We believe the service is robust and these check points allow for appropriate detection and handling of any such activity, whether sessions are booked directly by the client, or through our Reception team.

      Additional Option: Individual Activation

      Some customers require that we verify eligibility for service against an employee list, or that services are only delivered via a referral.

      Both of these operating paths are supported by the booking system. A customer's site can be set to require eligibility checks to be performed by the PeopleSense Concierge team before an individual can make a direct online booking.

      Prior to this verification, a client can make a booking request against a provisional entitlement to sessions. Once confirmed by the PeopleSense team, the client can then use full online booking and can see their active and available session entitlement. 

      What additional restrictions or checks did you consider?

      We should note that in designing our new system, we considered stricter registration methods, but our current perspective is that this would unreasonably restrict access or create a significant impression that the care received in not confidential. For example

      • Requiring registration via a company login would exclude family members, and gives the feeling to employees that the company is monitoring their EAP service access individually.
      • A family member needing to ask an employee to book for them breaks clinical confidentiality, as we ask for insights into the care needed while onboarding new clients. Eligible clients should be able to receive care without a family member's permission (with the careful consideration of dependent teen and child bookings, which the system appropriately handles).
      • Having to verify employment eligibility is not a feature of most of our programs – a small number of customers do require employment verification, and where they do, we won’t allow online booking. In this case, our new booking system will act as a booking request form and send an email to our Reception team  for direct follow up.

      In the future we may, for example, automatically refresh registration codes on a periodic basis to further ensure clients who have previously had access are required to source the new link, or implement additional mechanisms as we work closely with our valued partners to deliver the appropriate access.


      As a psychology care service, we have chosen “trust” over “distrust” – or maybe better put, “trust and verify”.