Data Protection and Privacy Policy
Below is my data protection and privacy policy. If you decide to begin therapy with me, I will ask for your signature giving consent for me to hold your information (data) as outlined in this policy.
WHEN YOU FIRST CONTACT ME:
When you contact me through my website via email, SMS message or voicemail, if I have availability and have offered you an appointment, I will keep your initial contact email, SMS message or voicemail for up to one week. After one week, I delete it. If I have no availability, I will respond to you to let you know and immediately delete your initial contact communication.
I don’t recommend that you include personal information about your circumstances in emails or SMS messages as they are not 100% secure. If you do provide any information about your circumstances, and we have arranged to have an initial appointment, I will print the information you provided and store it in a locked filing cabinet, which only I have access to. I will delete the original email or SMS message. If we continue to work together I will keep this information as part of your information (see Clinical Notes and Information Relevant to Your Therapy section below). If you decide not to work with me, I destroy this information.
DATA PROTECTION AND PRIVACY POLICY
I take the privacy of your data seriously, and aim to be as clear as possible about what information (data) I hold, how I store it and for how long, so that you can be confident that your privacy is protected. I hold your information in accordance with the General Data Protection Regulation (GDPR) concerning the protection of personal data. I am registered with the ICO as a data controller.
This policy updates and overrides any statements about data protection included in the working agreement I provided at the start of your therapy.
What information I retain, how I retain it and for how long:
I hold your personal information in order to provide psychotherapy and/or counselling. I retain it according to what is required by law and by my regulatory bodies (UKCP and BACP) and in order for me to comply with my professional indemnity insurance and tax obligations.
Communication about your therapy:
In order to communicate with you about appointments or information related to your therapy, or in case of an emergency, I hold your name and contact details including a phone number and email address in my iPhone and Gmail accounts respectively. Both are passcode protected, as are the devices through which I access Gmail.
In communicating with you about appointments, I primarily use Gmail. I may also send an SMS message about appointments via my iPhone should you contact me first via SMS. I use a pseudonym instead of holding your name in my iPhone contacts. I keep a paper record of the pseudonymised code and associated name in a locked file that only I have access to. I keep emails and SMS messages about appointments for one month for invoicing purposes, and then I delete them.
I don’t include or recommend that you include personal or clinical information in emails or SMS messages as they are not 100% secure.
Once your therapy is finished, I immediately delete your phone number and email address.
Appointments:
I store appointments in my iPhone electronic diary. Appointment information is pseudonymised, so your name does not appear. After one month, appointment records are transferred to a password protected electronic file that only I have access to. These records are kept for seven years following completion of your therapy, in compliance with my professional indemnity insurance and tax requirements. After seven years I delete the records.
Billing:
I send invoices and receipts, if relevant, using GmaiI. I use an online accounts package, Easy Books, to generate and keep a record of invoices and payments. Easy Books is stated to be GDPR compliant. Financial records, invoices and receipts are also pseudonymised so that you are not identifiable. I keep billing records for seven years in order to comply with HMRC requirements. After seven years I delete all invoices, billing records and receipts. Records of BACS payments you make to me are stored in my bank account records, which are password protected.
Clinical notes and information relevant to your therapy:
I hold your clinical notes in a password protected electronic file that only I have access to. I use OneDrive software that is encrypted and is stated to be GDPR compliant. Notes I keep are a brief and factual record of each session. They are pseudonymised so that you are not identifiable. I am required to keep notes, and to hold these notes for seven years following completion of your therapy, to comply with my professional indemnity insurance requirements. After seven years I delete the notes.
Any other information I hold related to clinical work, including this signed document, the working agreement, pseudonymised handwritten paper assessment notes, correspondence or information you provide, is kept in a secure, locked file that only I have access to. If the original document containing personal information, including that which you provided in your initial contact with me, was sent via email or SMS message, I print and only retain the paper copy in a locked file. I delete the original electronic communication. This information is also retained for the seven year period from the completion of your therapy, in order to comply with my professional indemnity insurance as explained above. After seven years I destroy the files.
Other contact information:
If you have provided me with your address, GP details and/or an emergency contact including a name and phone number, I keep this information in a paper file in a secure locked file that only I have access to. After completion of your therapy I immediately destroy this information.
Skype:
If we agree to have sessions by Skype, I hold your name and Skype name on the Skype platform accessible on my laptop, both of which are password protected. I do not store any other information or messages on Skype. After completion of your therapy I immediately delete your Skype contact information.
How your information is used and when it is shared:
If you request that I share your information with a third party, I will first require your written consent. If you request that files containing your personal data or information to be sent electronically, I will create a password protected PDF file attached to an email using Gmail. The password will be sent separately and via a different channel, such as a mobile phone SMS message or communicated in person.
Aside from occasions when you request that I share your information as above, I do not disclose any information to a third party other than in the event that in my opinion there is a threat to your own safety or the safety of others, or if I am obliged to do so by law. If I do disclose information for these purposes, I will try to do this in discussion with you and with your prior consent.
I have regular supervision, as is required by the BACP and UKCP, where I may discuss my work with you. I do not identify you by name or reveal any identifiable personal information.
My clinical supervisor keeps your first name and phone number in paper form, in a locked filing cabinet. They hold this information so that you can be contacted in the event I am incapacitated or unable to contact you. This is required by the BACP and UKCP as part of my clinical will. My supervisor will contact you to inform you of the circumstances and offer support in making arrangements for ongoing support. My clinical supervisor is UKCP registered and abides by the same ethical and professional standards as I do. My supervisor also destroys this information upon completion of your therapy.
Your rights:
I have a policy in place in the event of a data breach. If there is a risk that your information could be accessed, I will inform you as soon as possible. I will report the breach to the ICO within 72 hours.
You have the right to request a copy of the information I hold by contacting me. I will comply with this within one month of receipt of the request. You also have the right to amend your information.
The GDPR includes a right for individuals to request to have personal data erased, unless legal or other requirements override fulfilling the request. As I am required to hold your information including notes and information related to your therapy by my insurer, and to maintain financial records by HMRC, I would be unable to fulfil your request to erase all of your personal information before the 7 years following the end of your therapy.
If you would like to raise a complaint or have an issue with my data protection and privacy policy or practice that we are unable to resolve between us, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk
I will review this data protection and privacy policy to ensure that it continues to comply with regulations, and therefore it is subject to change. I will notify you as soon as possible of any changes.
