Privacy Notice (updated 25 May 2018)
On 25 May 2018, the law changed with regard to how organisations have to protect your ‘data’ (personal details and records) and this is called the General Data Protection Regulation or GDPR. The following summary highlights how GDPR is being implemented by therapists who advertise their services on this website, by explaining why confidential information is held and how this is protected. https://ico.org.uk
Your therapist provides psychological services, including psychological assessments and therapy. You will be asked to provide your therapist with personal and sensitive information. It is assumed that by engaging with this service you are consenting to records being kept.
What personal data is processed?
Your therapist collects and processes the following personal data from therapy clients:
Personal data: Basic contact information including name, address, email, contact number, video conference ID (if online therapy), and GP contact details.
Sensitive personal data: Signed therapy contract agreement, mental health therapy records (therapist notes, letters, reports, drawings, outcome measures).
If you are referred by your health insurance provider, solicitor, rehabilitation company or other health-related agency, then your therapist will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment.
These activities require your therapist to act as a ‘Data Controller’, and by law they are required to be registered with the Information Commissioners Office (ICO). This register is an online public register of Data Controllers and visible for anyone to check. https://ico.org.uk
The lawful basis for processing personal data
Your therapist has a legitimate interest in using the personal data and sensitive personal collected to provide health treatment. It is necessary to provide psychological assessment and therapy to clients.
Your therapist may also ask for information on how you found the service for the purpose of marketing research. No information you provide is passed on without your consent. Your therapist will never sell your information to others.
What is done with your personal information?
Your therapist will use the information collected to provide psychological assessment and therapy services to you. Your personal information may also be required to process payment for such services.
Your therapist takes your privacy seriously, and will only use your personal information to provide the services you have requested. Your therapist is committed to protecting and respecting your privacy.
If you do not provide the personal information requested, then your therapist may be unable to provide a service to you.
How long personal information will be stored
Your therapist will only store your personal information for as long as it is required. Basic contact information held on a therapist’s mobile phone is deleted within 6 months of the end of therapy.
The sensitive personal data defined above is subject to special legislation:
Adult records are retained for 8 years after the last contact with the service.
Children’s records are kept until age 26.
After this time, this data is carefully disposed of at the end of each calendar year.
Some records may be held indefinitely if there were any issues of concern that could lead to police investigation in the future
Who personal information may be shared with
Keeping records is an essential component of healthcare, which helps in understanding how best to help and forms the basis of any reports needed. Your therapist will only collect and retain your personal information that enables them to perform their services. Your therapist will hold information about each of their clients and the therapy they receive in confidence. This means that they will not normally share your personal information with anyone else. However, there are exceptions to this when there may be need for liaison with other parties:
If you are referred by your health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then your therapist will share appointment schedules with that organisation for the purposes of billing. They may also share information with that organisation to provide treatment updates.
In cases where treatment has been instructed by a solicitor/rehabilitation company, relevant clinical information from therapy records will be shared with legal services as required and with your written consent. Your therapist will share appointment schedules with that organisation for the purposes of billing. They may also share information with that organisation to provide treatment updates.
In exceptional circumstances, your therapist might need to share personal information with relevant authorities:
When there is need-to-know information for another health provider, such as your GP.
When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
When the information concerns risk of harm to the client, or risk of harm to another adult or a child. I will discuss such a proposed disclosure with you unless I believe that to do so could increase the level of risk to you or to someone else.
Your therapist will never use your personal information for marketing purposes or send you marketing materials without your explicit consent.
How security of personal information is ensured
Personal information is minimised in phone and email communication. Sensitive personal data will be sent to clients using e-mail services which are GDPR compliant (which means that the content of emails is encrypted from user to user). Any sensitive data attached in an email attachment will be password protected. Email applications use private (SSL) settings, which encrypts email traffic so that it cannot be read at any point between our computing devices and our mail server. Your therapist will never use open or unsecure Wi-Fi networks to send any personal data.
Personal information is also stored on an office computer. These are password protected (entry password, and encrypted and password protected digital storage vault). Malware and antivirus protection is installed on all computing devices. Mobile devices are protected with a passcode/thumbprint scanner, mobile security and antivirus software.
Confidential digital information may also be stored in a secure cloud service offering high levels of security which is GDPR compliant.
Your right to access the personal information held about you
You have a right to access the information your therapist holds about you by making a ‘subject access request’ (SAR).
Your therapist will usually share this with you within 30 days of receiving a request.
There may be an admin fee for supplying the information to you.
Your therapist may request further evidence from you to check your identity.
A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy).
You have a right to get your personal information corrected if it is inaccurate.
You can complain to a regulator. If you think that your therapist has not complied with data protection laws, you have a right to lodge a complaint with the Information Commissioner’s Office.
In the event of death or incapacity of the therapist, arrangements have been made for records to be held by a named professional colleague who will continue with the above obligations
Your therapist reserves the right to refuse a request to delete a client’s personal information where this is therapy records. Therapy records are retained for a period of 8 years in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000)and The Health and Care Professions Council (HCPC; 2017).
The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.
Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.