The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (ie to provide therapy) and that it is data that you would reasonably expect me to hold and use.

 

For those who enquire about therapy, the data I hold includes any information you have sent me by email/text/message.

​

For those who book and attend at least one session, the data I hold includes:

• Basic information such as name, email address, phone number

• Information that you give me as part of the work we do together

• Audio recordings of each session

• Records of what interventions that I use (or potentially do not use) in our sessions

• Emails, texts and/or messages that are sent between us

• Information sent from any third party, eg GP, insurance company, EAP

​

Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. Special category information is defined by the GDPR as being information that is more sensitive than other personal information, and therefore requiring of higher levels of protection. Examples of this type of information could include information about your health, race, sexuality, sex life, or religion. In order to lawfully process special category information, I am obliged to identify a specific condition for processing it under Article 9 of the GDPR and communicate this to you. With this in mind, the condition of the GDPR that I apply to the processing of your special category information is that it is “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”. This means that, if you begin psychotherapy with me, or ask me to assess whether or not you are eligible for me to offer psychotherapy to you, then I will likely need to process some special category information about you. Usually, this is information about your mental health or medical data for health purposes, and I need to process it in order to fulfil my contractual obligations to you in delivering safe, effective psychotherapy.

 

If you choose to share any information with me about your relationship or sexual history or orientation, your family, lifestyle, employment, religion or cultural background, this is also respected as 'sensitive'.

Any data on any criminal offences (including allegations, proceedings and convictions) will require your specific consent in order to hold any such information.

​

Data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure which are detailed and discussed when we first meet. 

​

The data is primarily used to enable me to provide therapy for you and for my capacity as a therapist to be assessed. It may also be used scientific research purposes and statistical purposes.

​

Details of where data is held:

• I access my work email only from a work laptop or a work cell phone to ensure increased level of security. Work laptop is only used in my office, protected by a password and is never left unattended without being locked both by a password and locked in a cabinet.

• Any texts relating to logistics are only sent from my work cell phone and are stored on my work cell phone, access to which is password protected.

• Your notes are held in a locked cabinet in my office. For additional security your notes do not have your name or contact details on them, they are coded. Codes matching with your contact information are located in a different file, stored in another secure location.

​

Your data is kept for 7 years. The length of time is based on the requirements of my insurance company. After this time any paper records are shredded and computer records permanently deleted.

​

I take the security of data seriously and as such:

• I access my work email only from a work laptop or a work cell phone to ensure increased level of security. Work laptop is only used in my office, protected by a password and is never left unattended without being locked both by a password and locked in a cabinet.

• My email account is password protected and my work mobile phone and laptops are password protected and have anti – virus software on them.

• Any email correspondence will be deleted within one month unless necessary to keep it. If it is necessary, I will print it and store in a locked filing cabinet, together with your case notes, anonymized together with case notes.

• I use a secure payment provider for accepting card payments – Stripe, as well as an official Stripe’s partner ChargeStripe for mobile payments. In order to ensure the security of your data, I am anonymizing your payment references by coding them when I am exporting these for accounting purposes. The codes matching them to your contact details are stored in a safe locked location filing cabinet. In addition to electronic payments described above I accept cash payments. I will issue you with the invoice upon payment and store copies of these in the locked filing cabinet. I will anonymize these invoices in preparation of accounts and store codes matching to your name in a locked filing cabinet.

​

If there is any breach of data security I will give full details to the Information Commissioners Office and any person affected within 72 hours of the breach and do all possible to minimise any potential impact.

​

You have rights with regards to the data held:

• The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).

• The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).

• The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include case notes or data such as address/email/phone

• The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure

• The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. I would send the data to you.

 

• The right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). I do not engage in these things

  • direct marketing. As of now I do not intend to send out any direct marketing out. If this changes you will be notified.

  • processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.

  • automated decision making and profiling. I do not engage in automated decision making or profiling.