You may be aware of the General Data Protection Regulation (GDPR), the new data protection law that came into effect on 25 May 2018. The purpose of the GDPR is to provide a single set of standardised data protection rules across all EU member states. This document sets out how I comply with these rules. It covers why I keep data about you, what I do with it, how I store it and what your rights are. I am registered with the Information Commissioner’s Office (ICO) and I, Dr Charley Deacon, am the data controller.
What personal data is processed
As a psychologist, in order to be able to do my job well, I collect and process the following personal data from therapy clients:
Personal data: name, address, email, contact number, and GP contact details.
Sensitive personal data: signed therapy client agreement, therapy records (therapist notes, letters, reports and/or outcome measures).
Financial data: If you pay by BACS your name will be on my bank statements.
If you complete a web-based enquiry form, I will also collect the information you provide in it. All web services I use are GDPR compliant.
If you are referred by your health insurance provider, then I will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, health insurance policy number and authorisation for psychological treatment.
The lawful basis for processing personal data
This personal data is processed because it is in my legitimate interests as a psychologist to do so. It is necessary to see and use this information to provide psychological therapy to clients.
How your personal information is used
Your personal information will only be used to provide the services you have requested and to process payment for such services. If you do not provide the personal information requested, then I may be unable to provide a therapy service to you.
How long we store personal information
Your personal information will only be stored for as long as it is required. Basic contact information held on a therapist’s mobile phone will be deleted within 6 months of the end of therapy.
The sensitive personal data defined above is stored for a period of 7 years after the end of therapy. Records that reach the end of this period are deleted at the end of that calendar year.
Any notes I make and data I process for an enquiry about therapy which does not lead to my involvement will be deleted after 6 months.
I am required by HMRC to keep all bank statements for 6 years plus the current accounting year.
Who we might share personal information with
Information about clients and the therapy they receive is held in confidence. This means that your personal information will not normally be shared with anyone else. However, there are exceptions to this where there may be a need for liaison with other parties:
If you are referred by your health insurance provider, or are otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation for the purposes of billing. We may also share information with that organisation to provide treatment updates.
In cases where treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared with legal services as required and with your written consent.
In exceptional circumstances, it may be necessary to share personal information with relevant authorities:
When there is need-to-know information for another health provider, such as your GP;
When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order;
When the information concerns risk of harm to the client, or risk of harm to another adult or a child. I will always try to discuss such a proposed disclosure with you unless doing so could increase the level of risk to you or to someone else.
Your details will never be sold to a third party for marketing purposes.
Keeping your data safe
Personal information is kept to a minimum in phone and email communication. Sensitive personal data will be sent to clients only as a password-protected email attachment. Email applications use privacy (SSL/TLS) settings, which encrypt email traffic so that it cannot be read at any point between our computing devices and our mail server. Open or unsecured wi-fi networks will never be used to send any personal data. Personal information stored on a computer is password protected. Anti-malware and antivirus software is installed on all computing devices. Mobile devices are protected with a passcode or fingerprint scanner.
Your right to access the personal information held about you
You have a right to access the information held about you.
This will usually be shared with you within 30 days of receiving a request.
We may request further evidence from you to check your identity.
A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy).
You have a right to get your personal information corrected if it is inaccurate.
If you think that data protection laws have not been complied with, you have a right to lodge a complaint with the Information Commissioner’s Office.
I reserve the right to refuse a request to delete a client’s personal information where this comprises therapy records. Therapy records are retained for a period of 7 years in accordance with the guidelines and requirements for record keeping.
Dr Charley Deacon
Chartered Counselling Psychologist & Owner
Updated August 2018