OWNER AND DATA CONTROLLER
As an independent sole trader of a private psychotherapy practice, under GDPR regulations, I am listed as the ‘data controller’ and my business is registered with the Information Commissioner’s Office, the UK authority for upholding data protection (www.ico.org.uk).
THE LEGAL BASIS FOR PROCESSING
I collect and process your information on the lawful basis of legitimate interest as a Counsellor and Psychotherapist. This means that I am using your data in a way that you would reasonably expect, using contact details and brief records of sessions to assist with ongoing therapy.
The lawful basis for processing special category sensitive data is for ‘the provision of health or social care or treatment’.
WHEN DO I COLLECT YOUR PERSONAL DATA?
Personal Data is collected in the following ways:
• Communicating with me by post, phone, email.
• During initial assessment meetings and ongoing sessions.
• My website is powered by WebHealer and is secured using ‘https’ technology. Basic anonymous information is collected about visitor activity across the pages on the website. Cookies set by the site can be viewed and declined by accessing the cookie page at the bottom of the website.
WHAT PERSONAL DATA DO I COLLECT and HOLD?
The Personal Data I collect from you may include:
• Identity Data may include your first name, last name, date of birth.
• Contact Data may include your address, email address and telephone numbers.
• GP details
• Who to contact in case of emergency.
• Sensitive information – may include background information about physical and psychological health and history, medications; prescribed and non-prescribed drug use, any criminal offences or alleged offences, family circumstances, lifestyle and identity, relationships, spiritual and cultural background as well as reasons and hopes for therapy.
• Brief session notes
• Artworks and work you may create within sessions.
HOW AND WHY DO I USE YOUR PERSONAL DATA?
As a Psychotherapist, I take your privacy very seriously. I keep certain information about you so that I can work safely and ethically with you in line with the guidelines of my professional organisation, UKCP and my professional insurance.
Data privacy law allows this as part of my legitimate interest in understanding you and delivering the best possible service.
HOW I PROTECT YOUR PERSONAL DATA
All records are stored within my home and only accessible to me.
• Names, contact details, agreements and GP details are stored in a locked filing cabinet in my house, separate to any other personal information about you.
• I keep handwritten information, EMDR and session notes to an absolute minimum and anonymised by a reference number, in a second locked filing cabinet in the house.
• Your e-mail address is stored on my Outlook account on a password protected computer and will only be used for the purposes of setting up online Zoom meetings or to pass on information as agreed.
• If you choose to contact me via Skype, the contact details that you use are stored, but no therapy related information is stored on this platform.
• Your first name and contact number are stored in a password protected file on my computer.
• Any artwork or work produced by you within the session that you don’t take home will be stored in a locked filing cabinet within the therapy room itself. This room is locked and separate from the house.
• I will notify you and the ICO of a data breach within 72 hours where I am legally required to do so.
HOW LONG WILL I KEEP YOUR PERSONAL DATA?
I will only retain your personal data for as long as is necessary for the purpose of our therapy work together, including for the purposes of satisfying any legal, accounting, or reporting requirements.
• E-mails sent for practical purposes such as Zoom invitations will be deleted after the session is held. Emails exchanged with more personal information may be printed and stored alongside your personal records before being deleted.
• I will usually hold your personal details and session notes and my supervision notes for a period of seven years once our work together has ended, should you decide to return and in order to comply with my insurance terms and conditions. However, I may need to hold information for longer than this, in order to defend myself in a claim situation.
• Artwork produced in the sessions will be disposed of securely when our work together ends, if you choose not to take them.
• I keep financial information for 7 years, as advised by HMRC. If your name appears on any of my bank statements, it will be redacted.
Once the retention period expires, Personal Data will be deleted from the computer and written records will be destroyed.
HOW I MAY SHARE YOUR PERSONAL DATA?
• I am required to attend regular clinical supervision with another professional therapist as part of ongoing accreditation with UKCP. They abide by the same UKCP Code of Ethics and Professional Practice and discussions will not include identifying details about you.
• Professional Will – my supervisor is also the executor of my Professional Will. This contains information about my computer passwords and the location of personal data and records. This information is stored securely by them and held in a sealed envelope which would only be opened in the unfortunate event of me being unable to work (death, accident, serious illness etc.). If this occurs, they would access my current client list with contact numbers, inform clients of the situation and deal with records kept, destroying them if necessary.
• LIMITATIONS TO CONFIDENTIALITY – It may become necessary to share your data with a third party if I feel that there is a significant risk of harm to self or other, including child protection. Unless the risk is imminent, I will aim to discuss this with you before appropriate disclosure. I do have a legal obligation to break confidentiality in compliance with court orders requesting information regarding therapy as well as knowledge regarding money laundering, drug trafficking and acts of terrorism.
• Covid 19 - Due to the government’s ‘test and trace’ system, if either of us tests positive for Covid-19, I may have to disclose the names of individuals I have been in contact with ‘in the public interest’. However, I will only provide the minimum information necessary for their data collection and will not go into any details about the nature of our contact. I will let you know if I have to do so, but by attending face to face sessions you are agreeing that I may do so without an additional signed consent.
• Right to Access: You have the right to make a request in writing for a copy of the personal information that I hold about you. In extremely rare cases, this right may be refused where the result of that disclosure could cause serious harm to an individual’s own or another’s physical or mental health (including children).
• Right to verify and seek rectification: If you believe that any information I am holding on you is incorrect, incomplete or needs updating, please let me know and I will make the appropriate changes.
• Right to have your Personal Data deleted: You can request to have your personal information deleted, unless I have a legal obligation to retain it, in a claim situation or to comply with my insurance terms and conditions.
• Right to object: You have the right to bring a claim before your competent data protection authority.
HOW TO EXERCISE YOUR RIGHTS
Any requests to exercise your rights can be directed to me, through the contact details provided on this website. These requests can be free of charge and will be addressed by me within one month.
DETAILS ABOUT THE RIGHT TO OBJECT
As your personal data is processed on the legal basis of ‘legitimate interests’, you may object to such processing by providing a ground related to your particular situation to justify the objection.
CONTACTING THE INFORMATION COMMISSIONER’S OFFICE (UK)
If you are not happy with any aspect of how your data is collected and used, I would be grateful if you would contact me first, so that I can try to resolve it for you.
If you have any issue with how your Data has been handled or are not satisfied with the response you have received to any request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, by calling 0303 123 1113 or going online to www.ico.org.uk.