Privacy Policy and Data Retention Statement - Effective from 25th May 2018
I aim to be fully compliant with current GDPR legislation and to let you know how I
use and protect the data you have given me. GDPR replaces the previous Data Protection Act.
I wish to be transparent with regard to the processes I have in place.
Identifiable information, if shared, will only be used in accordance with this privacy
statement. I follow guidance from my governing body, UKCP, and my insurers, Towergate
Insurance.
As a private practitioner, I am considered the data processor and controller in my practice.
As the data controller, I process some of your personal data on the lawful basis of
contract as defined by Article 6(1)(b) of the GDPR, to fulfil my contractual obligations to you.
During the assessment process, information such as next of kin, family members and
medication is gathered and held. This is anonymised, coded and securely stored. No one but
me can access this information. I process your special category data on the lawful basis of
contract, under condition (h) of Article 9(2) of the GDPR.
The GDPR rules for sensitive (special category) data do not apply to information about criminal
allegations, proceedings or convictions. Instead, there are separate safeguards for personal data
relating to criminal convictions and offences, or related security measures, set out in Article 10. I
process criminal offence data on the lawful basis of contract, in accordance with Article 10 of
the GDPR.
Data Processing means obtaining, recording or holding information. The definition is
very wide, and most of what I do involves a degree of processing. I process the
personal data I have collected as controller. I maintain records of personal data and
processing activities and hold responsibility should there be a breach.
Consent.
This is a primary concern and is separate to other terms and conditions. As my
client, you can withdraw consent at any time without detriment. I hope to offer you
choice and control. As a therapist who occasionally uses creative interventions, I want to ensure
you know that any drawings or art done in session are yours. I will store this material safely
and dispose of it in a timely manner. I will never use any of your data/artworks for writing,
publishing, research, marketing or training purposes.
I have bi-weekly ongoing supervision to support and ensure my practice is safe. When I
share client material or images this is always done confidentially to protect your identity.
Nobody but me has access to any of your data. I will keep this process under review
and refresh it if anything changes.
Note keeping.
I do not keep process notes. When I decide to do so, I shred and dispose of this confidential
material as soon as possible, often after supervision. I keep minimal anonymised content notes in a single
handwritten paper copy stored in a lockable cabinet separately from your personal details.
In line with guidance from my governing body and insurers, I hold content notes for seven years.
After this time frame, they are disposed of securely.
You have a right to see the information I hold about you should you wish to. You have a right
to change any information which you consider to be incorrect. You can also ask me to delete
all/any of the information that I hold. There are, however, some details I need to keep due to
legal and professional obligations.
Data Storage.
I promise to keep all sensitive data safely. This involves anonymising data and using passwords and
encrypted documents. I keep all sensitive data in a lockable cabinet or on a password-protected
computer. I dispose of data by shredding paper copies and deleting emails. I dispose of emails
within one calendar month of the date of cessation of your therapy.
While we work together I will store your name and phone number on my mobile phone. I only
contact you in response to you or concerning appointments.
When we discontinue working I will delete your number. I do not engage with clients
through any social media.
In the event of a complaint.
Please contact me directly. If we cannot resolve this, you could then contact the
Information Commissioner's Office (ICO), with which I am registered; my reference number is ZA390378.
https://ico.org.uk/concerns/handling/ or Guidance for GDPR Compliance.
Clinical will.
In the event of a sudden cessation of practice, e.g. through an accident or death, I
have appointed a professional executor who will manage things on my behalf. This is
arranged for your welfare as my client and every step is taken to ensure GDPR
standards are met.
Policy Review.
I will regularly review consent with you to check that the relationship, the processing and the purposes have not changed.