I am committed to protecting and respecting the privacy of my patients and clients. I comply with the Data Protection Act 2018 and the General Data Protection Regulations.
This policy explains when and why I collect personal information, how I use it and how I keep it secure.
I review this policy regularly and where necessary make updates to ensure it accurately reflects how I use your data. I will notify you if there are changes which affect how your data is processed.
If you have any questions you can contact me by email on email@example.com
I work independently in private practice offering Psychodynamic psychotherapy and counselling
What information do I collect?
-When you use this website
When you make enquiries
If you email or telephone me. I will ask you to provide your name and information about your enquiry. I may also ask for alternate methods of contacting you. I will only use this information to respond to your enquiry.
I store personal data in email.
I store personal information on my mobile telephone in the form of text messages and automated call logs. I don’t audio-record calls, and I don’t keep voicemail messages left on my phone.
I store personal information using Apple’s iCloud contacts functionality.
-At our initial meetings
If you meet me for a clinical consultation, before agreeing to treat you I will discuss my psychotherapeutic working methods and my terms of service.
This discussion includes, but is not limited to, my working practice, session duration, session rates, electronic billing and payment, holidays and missed sessions, potential therapy start-date and the personal data necessary for my delivery of psychotherapeutic services and for maintaining your safety and wellbeing. It may take us between one and four clinical consultation sessions to establish if there is a potential therapeutic alliance with your wellbeing and therapeutic need.
In addition to discussing my use of your personal data, I may need to discuss my use of your ‘special category’ data such as your General Practitioner (GP) or other healthcare professional’s details, your medication and associated medical information, as well as third-party assessments (eg psychiatric, social- or key-worker) where relevant. If you and I agree to work together, I will not intend to make contact with your healthcare professionals on a regular basis, but under some circumstances it may be helpful for me to contact them to arrange better-coordinated care. (I would usually discuss this with you beforehand.)
If we both agree to these terms, they create a verbal contract between us. Without your personal and ‘special category’ data I am unable to fulfil my obligations under the terms of our contract.
At your therapy sessions:
I adhere to a professional code of ethical standards which includes the principle of confidentiality. This is because the nature of therapy involves discussing personal and sensitive information, relating to relationships and family, with me during your ongoing sessions. If you have any questions about confidentiality please discuss them with me.
When we correspond:
Where applicable, I will usually retain correspondence between you and me.
- If someone has referred you to me
If someone, including a mental health professional, has referred you to me, they may provide me with some of your personal data on your behalf. In some circumstances the referrer may also tell me why they are referring you, which may include sensitive personal data relating to your health.
- If I refer you on to someone else
An analytic or psychotherapeutic society may ask you to meet me for a clinical assessment in order for me to refer you to another mental health practitioner. With your prior permission, when referring you on I may provide the analytic or psychotherapeutic society with some of your personal data on your behalf as part of this referral. In some circumstances, I may need to include ‘special category’ data relating to your health and wellbeing.
How else may I obtain your personal data?
- My bank statements
Depositor’s names may appear on my bank statements.
I may also receive your personal information indirectly, for example in one of the following scenarios:
- With your permission I contact an organisation on your behalf and that organisation gives me your personal information in its responses.
- Personal information is contained in reports of breaches of data protection law (‘breach reports’) given to me by third-party organisations.
How long do I keep your data?
I keep personal and ‘special category’ data for the duration of each contracted therapeutic relationship, and thereafter as required by statutory, legal, regulatory, government (eg HMRC), contractual (eg insurance) and governing industry bodies (UKCP).
I do not retain personal data for longer than is necessary for the purpose for which it was collected. Who do I share your information with?
I will not share information with, or or sell your data to, any third parties for the purposes of direct marketing.
Third-party data processors
I use third-party data processors to provide elements of services for me. I do not share ‘special category’ data with them. These third-parties have their own GDPR privacy policies on how they handle personal data:
- Videotelephony and messenger products
If I conduct remote, online therapeutic, supervisory and consulting sessions I store personal contact information in the following third-party systems:
When necessary, I may need to communicate your personal data to a healthcare professional or, if you are a trainee, a psychotherapeutic training institution. Where it is feasible to do so, I will discuss with you before sharing the information. I will not disclose information about you to a third party without your agreement, except in situations where there was significant concern about harm to you or someone else and this would normally be discussed with you beforehand. Unless the requesting party has a basis in law for demanding disclosure, my duty of confidentiality and your rights as the data subject may outweigh the reason behind the disclosure request.
Under some circumstances I am legally obliged to share information (eg a court order). I will always satisfy myself that I have a lawful basis on which to share the information, and document my decision-making.
In line with standard therapeutic practice and ethical requirements, I share patient names and contact information with two therapist colleagues, known as ‘professional executors’, in the event of an emergency. I provide these colleagues with an emailed password-protected PDF. I do not share ‘special category’ data this way. The sharing of this list is within the ethical and practice framework of the UKCP (United Kingdom Council for Psychotherapy)
- If you are my supervisee
- Peer-group supervision
My participation in peer-group supervision is in line with standard therapeutic practice. I do not share personal or ‘special category’ data during supervision as per the ethical and practice framework of the UKCP.
Keeping your data secure
Access to your personal data is restricted so that it is only accessed by myself or my authorised staff members.
Transferring your information outside Europe
In general, I do not transfer your data outside the EU. Transfer does occur in the following circumstances:
- Online therapy or supervision
If you are an international client, based outside of the EU/EEA, there will be data transfer outside Europe in order for me to deliver your therapy or supervision.
- Third-party providers
Some of my third-party data processors may use data storage locations outside of the EU using approved data-transfer mechanisms. The GDPR does not preclude EU personal data being stored (or otherwise processed) outside the EU, as long as there is a data transfer mechanism in place approved by the European Commission.
Links to other websites
The GDPR gives you certain rights in relation to the data I hold about you. You can exercise these rights by contacting me on firstname.lastname@example.org.
Under the GDPR you can:
- Find out what information I hold about you
- Access a copy of the information I hold about you
- Rectify any inaccurate or incomplete personal data
- Have the right to object to my processing of your personal information
- Ask me to delete or restrict how I use your personal information, but this right is determined by applicable law
- Have your contact information sent to another provider
- Have the right to appropriate decision making (I do not use automated profiling or decision making)
- Complain to a regulator if you think I have not complied with data protection laws. You can lodge a complaint with the Information Commissioners Office.
Review of this policy
I keep this policy under regular review. This policy was last updated on 4 May 2020.