Compliance with General Data Protection Regulations (GDPR)
From 25th May 2018, new regulations are in force regarding data protection. As I process personal, identifiable information (data) about you, this privacy policy sets out how and why I collect this information, how I use it and how I keep it secure. I am registered with the Information Commissioner's Office (ICO).
I will keep this privacy policy under review. New regulatory and technological developments or requirements stipulated by my professional associations (UKCP, BACP) may require adjustments to be made.
If you have any further questions or concerns, please do not hesitate to contact me on 07980 751045.
What information is kept and why
I hold you personal information in order to provide psychotherapy and counselling services.
I hold the information according to what is required by law, by the UKCP & BACP, by my professional indemnity insurance company and in order to fulfil my tax obligations.
I collect and hold personal information such your name and contact details. I need these in order to be able to contact you to make arrangements regarding our work and to be able to reach you in case of emergency.
I use your contact details to invoice you, if we agree this together.
I use your contact details to send you email invitations for online sessions, if we agree to work together online.
I keep a record of sessions scheduled, attended and fees paid.
I collect and hold your GP details which I would only use if I had a serious concern regarding your safety or that of someone else (see 'Sharing your information' below).
I keep very brief factual notes about our sessions. I use these as an aide-memoire for me and they might be used as a basis for discussion in Supervision (see 'Sharing your information' below).
How the information is stored
I store your personal information in such a way as to minimise the risk of unauthorised access or breaches of confidentiality.
Your name, contact details, GP details and a sign copy of this document are kept in a locked filing cabinet.
Sessions scheduled are recorder in a paper diary using an anonymising code.
Records of sessions attended, fees paid and clinical notes are kept on bacpac, a secure, cloud-based, electronic system which is GDPR compliant and has been vetted by NHS and Ministry of Defence for hosting confidential, medical information.
When paying by BACS, your account name or reference appears on my bank statements. These statements are only accessible electronically via my bank's secure portal and are stored there.
I explicitly ask for your permission to use email, text and/or WhatsApp, for administrative purposes, on the understanding that these systems are not entirely secure. Levels of security are in line with that given by the relevant service provider. No clinical material is to be included in these and where there is some (e.g. in an initial referral email), the message is deleted as soon as contact has been made. Access to my computer or phone where emails, texts or WhatsApp messages may be viewed is password protected. If you have any concerns about these forms of communication, please let me know so we can make alternate arrangements.
Online sessions are conducted via Zoom which uses end-to-end encryption and is GDPR compliant.
How long the information is stored for
I keep the information for 7 years after we have finished work together in accordance with the recommendation made by my insurance company and to comply with tax obligations.
After this time, paper records are shredded and electronic records are deleted. Your contact details on my phone, emails and texts are deleted as soon as work together ends.
Sharing your information
Our work together is confidential. However, your personal information may be disclosed under the following circumstances:
- Supervision: In order to achieve high standards of professional practice and meet the obligations of my professional bodies, I engage in regular clinical supervision. My supervisor is bound by the same codes of confidentiality as I am and is UKCP or BACP accredited.
- GP: If I have a major concern for your wellbeing and need to safeguard you or others from harm, I may need to contact your GP. I would always aim to discuss contact with your GP with you in advance and gain your consent, but in an emergency, this may not be possible.
- Clinical will: In the event of my death, serious illness or some other form of incapacitation that prevents me from being able to contact you personally, I have appointed an executor of my clinical will. This is a requirement of my professional associations. The executor is a trusted colleague who is also UKCP or BACP accredited and is authorised by my to communicate with you. This person has access to your name and contact details so that they can provide you with information as to why they are acting on my behalf and to support you in making arrangements for ongoing support, if this is what you wish.
- Legal obligation: I may have to disclose some personal information if required to do so by a court of law.
I will report any breaches to the security of your personal information to the ICO within 72 hours and I will also inform you, as appropriate.
You have the right to
- Request access to a copy of the information I hold on you
- Request changes to, or the deletion of all or part of the information I hold. Where possible, I will respect your request to no longer retain all or part of the information I hold for the purposes agreed, unless I have a legitimate basis for doing so (e.g. to comply with insurance or tax requirements) or I am legally obliged to retain all or part of the information
- Make a complaint about how I handle your data. In the first instance, please contact me. If your complaint is not resolved to your satisfaction, you have the right to complain to the ICO
The information in this privacy policy is also available in hard copy and at the point at which we contract to work together, I shall ask for your written consent to your personal information being used in the way described here. If we are already working together, I shall provide you with a copy of this policy and also ask for your written consent.
