Under GDPR you have certain rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
Under GDPR I must have a lawful basis for holding and processing your personal data. There are different lawful bases which apply to me holding information about you.
If you are contacting me to consider therapy or are having therapy at the centre then I use the lawful basis of a contract to use your information as it is necessary for the performance of our contract.
If you have had therapy with me and it has now ended, I use legitimate interest as a lawful basis for holding and using your personal information.
The GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is that it is for the provision of health treatment (in this case therapy) and necessary for a contract with a health professional (in this case a contract between me and you).
Information I collect about you and how I use it
Upon enquiring about therapy, basic personal information will be collected for contact and identification reasons. I need to keep your contact details to be able to get in touch with you to offer or alter appointments and to send appointment reminder requests if you would like them.
I collect and store personal information such as name, email address, phone number, date of birth, address and name of GP – I would only contact your GP under certain circumstances and only with your consent. I will keep notes of what we discuss in therapy, to remind us of the work we are doing when I next see you. These will include personal and sensitive details about your life. The notes are used solely for the delivery of a therapy service to you.
Under GDPR the lawful basis I use for storing and processing your personal data is a verbal or written contract. This is because I am providing you with a service and require information to be able to provide you with that service.
How I keep and use your data
I use a client management database which is GDPR compliant (Write Upp). I use this to store your personal details, make and record appointments in an online diary system, and keep session notes.
If you use the contact form on this website to make an initial enquiry this information is kept securely and in an encrypted format.
Any paper information (including contracts signed by the client) is kept in a locked filing cabinet.
Clinical notes are kept electronically – paper notes I take during sessions are securely shredded and disposed of. Digital notes are mainly kept in the client management database as detailed above. These are password protected and only accessible to me.
In accordance with insurance guidelines, I keep your notes for 7 years, after which they are destroyed. If you are under 18 at the time of therapy I keep your notes for 7 years from the date you would turn 18 years old.
If you would like to amend any of the contact details I hold about you then please let me know, and I will amend your records.
I recognise that on rare occasions clients may wish to exercise their rights under the General Data Protection Regulation May 2018 and request a copy of any data I hold about them (a subject access request). Sometimes during counselling, information is provided by more than one individual. In these cases, I will only release information if consent has been given by all of the individuals involved. If at any time you wish to exercise your rights under the GDPR you should put your request in an email to me and provide evidence of your identity, such as a copy of your passport or driver’s licence and proof of your address. When I receive your written request and evidence of identity I will respond to your request within 30 calendar days.
I take your privacy seriously and will take all reasonable steps to ensure the protection of your data. In the event of a data breach, I would follow GDPR guidelines and notify you and the ICO within 72 hours.
Under the GDPR guidelines you have the right to be forgotten and to have your information deleted. Please note that your right to be forgotten may not override the legal requirements to keep clinical notes for the mandatory periods. You can request a copy of any data held about you by submitting a subject access request as detailed above.