So what is the GDPR?
The GDPR (General Data Protection Regulation) is legislation that exists to give you greater transparency and control over how your personal information (data) is held.
Why do you have my personal data and how is it used?
During your psychotherapy/counselling assessment I usually collect some personal data from you. This is to get a sense of how you’ve been feeling, what has been happening for you and what you’d like to get out of the process. This information also helps me to establish relevant background about you, work out how best to support you, and ensure your safety and wellbeing by conducting a risk assessment. I additionally seek this information to adhere to the ethical framework of the UKCP (United Kingdom Council for Psychotherapy) as well as the requirements of my professional liability insurer.
The information requested from those coming for psychotherapy usually includes the following:
- Date of birth
- GP details
- What is bringing you to therapy and therapy goals
- Any relevant physical or mental health symptoms
- Risk assessment information such as suicidal thoughts and self-harm thoughts or intent.
What if I only see you for supervision?
The minimal information requested from those coming for supervision usually includes the following:
- Placement and supervision details
- Training institution
Do you use any site visitation tracking?
I’ve noticed you use contact forms on your website and your out-of-office email…what happens to my information?
This information comes directly to my email accounts only.
What devices do you use and how do you store my data?
This written assessment information is held in my locked filing cabinet, only accessible by me, and I am the sole key holder. I also hold a paper diary which I carry for session appointments, with no data that would personally identify you. I additionally keep minimal electronic records on my electronic notebook of your session attendance and any brief pertinent ‘treatment intervention’ notes as required by my professional liability insurer.
For clients who request invoices and/or receipts, I also have these stored on my notebook. My notebook is stored securely and locked away, only accessible by me. I do not use any cloud backup service such as iCloud to back up computer data. However, I do regularly back up my notebook to a USB drive which is locked in a secure filing cabinet.
I have access to client emails and texts via my smartphone. Again, I do not back up client contact data to any cloud service such as iCloud. All email accounts have passwords known and used only by me.
I hold client records for 6 years, after which time they are destroyed (paper items by shredding and electronic items through the recycling bin on my laptop, which is then emptied by me only). Any financial information such as receipts or invoices is retained for 5 years. I use and keep up to date anti-virus software and firewalls to protect data.
What if I’m a supervisee, what applies to me?
For supervisees, I keep supervision notes on my electronic notebook and some hard copy notes. All data is anonymised.
Is there CCTV at any of the therapy rooms where we meet?
There is now 24-hour CCTV at the clinic at 265 Upper Street, London, N1 6UQ. This is for maintaining security in the building and for building managers wishing to monitor the movements of practitioners in the building.
How can I access my personal data?
You can make a request for your data at any time. This is called a subject access request. Should you wish to make a subject access request, please specify that you are requesting your personal data or making a subject access request. This can be done in writing by email to firstname.lastname@example.org or email@example.com, by post, or verbally if you’d prefer.
I will respond first by confirming that I have received your subject access request and that I am processing it, and I will get the information to you within one calendar month. This is free of charge. If the request is complex, or I have received a number of requests from you, I will let you know within one calendar month that an extension is necessary and will extend by no more than a further two calendar months. I may ask the person making the request for proof of identity, proportionate to the request being made.
I will give the information in electronic format unless you request otherwise. For formats that are not electronic a ‘reasonable fee’ may be charged for administrative purposes. A reasonable fee may also be charged for extra copies of data.
In some instances, I may refuse to comply with a subject access request. This is only where the request is ‘manifestly unfounded or excessive’. If this is the case I may request a ‘reasonable’ fee or refuse the request. If a reasonable fee is charged, the request will not be responded to until the reasonable fee is paid.
Should your request need to be refused, I will explain why within one calendar month of the receipt of your request, and you will be able to make a complaint to the ICO (Information Commissioner’s Office) should you wish to. The ICO is an independent authority that aims to uphold information rights. You may also complain through other supervisory authorities or via judicial means.
Should you find data to be factually incorrect, you are able to request that this be amended e.g. wrong date on an invoice sent, etc.
Should your data content potentially breach a third party’s confidentiality, this will be removed prior to being sent.
Your information is not used for any purpose other than is specified here and is not passed on to anyone else, unless you request this. If you wish me to disclose any information about you to a third party, you would need to sign a consent form specifying what information you’d like disclosed before I pass it on.
However, in line with existing confidentiality procedure, I reserve the right to breach confidentiality should I have any serious concerns about your well-being such as:
- Suicidal or self-harm thoughts with intent to harm yourself or suicide attempts
- Potential harm to another adult or child
- Serious harm or potential harm to you from someone else
- If I am subpoenaed by a court of law
I will aim to work collaboratively and transparently with you should the above concerns arise.
I may be asked by police or solicitors to assist them in a case by releasing client notes. Should this be the case I will seek legal advice from my insurer and will also seek consent from you for any information being passed on.
How can I request that my data stops being used or be destroyed?
You can request for all information about you to be erased at any time. This is called ‘the right to be forgotten’. Should you make a request I will respond to confirm receipt of your request and then consider the grounds for your request and make a decision as to whether to comply or whether the law permits me to refuse.
You are permitted to object to your data being processed. However, where this conflicts with professional insurance requirements, this may mean session work cannot continue.
So, what exactly is a personal data ‘breach’ anyway?
A personal data breach is defined by the ICO as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data’.
The ICO goes on to explain that personal data breaches include:
- ‘access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data’.
‘A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed’.
Should an incident occur, I will promptly establish whether a data breach has occurred and assess the severity of the incident. If it is unlikely that your rights or freedoms have been placed at risk, I am not required to report this to the ICO. However, I must report to the ICO (within 72 hours of becoming aware of the breach) if it is likely that there will be a risk. Where I do not report, I need to justify this decision and document it accordingly.
Should a data breach occur where there will be a risk, I will inform you promptly either verbally or in written form within 72 hours.
It matters to me that you are clear on and comfortable with how your data is dealt with, so please read this information carefully and do let me know if you have any questions or concerns at any time. I am happy to talk this through with you.
There is also lots of information available online from the ICO. You can also contact my registering body, the UKCP, via the GDPR section of their website, or call the UKCP on Tel: 020 7014 9955 for more information on the GDPR.
Will this policy change again?
There may be some changes to this policy from time to time to ensure it’s in line with any legislative changes that might happen. I encourage you to check this page periodically to keep up to date.
Last updated 30 May 2018.