Privacy Notice for Therapy Clients
In accordance with the General Data Protection Regulations, (GDPR) I Suzie Shepperson am required by law to inform you about how I process and keep safe the data I hold that relates to you. The purpose of GDPR is to provide a set of standardised data protection laws and explains the personal or sensitive information that I collect, store and process about you as a data controller.
I am also required to gain your explicit consent to my holding and processing your data in certain ways.
What are your rights?
Please read and sign to indicate your consent. You may print a paper copy, or copy and paste digitally.
If you do not wish to give your consent, you have the option to discuss with me, and it may be possible to create a bespoke agreement between us.
You have the right to withdraw your consent at any time. We would need to discuss what this might mean in practice, with the primary aim being to keep you safe. However, there may be certain situations that require certain information to be retained, and I may need to seek legal advice in this case.
Why do I collect information about you?
I collect information about you to provide psychological assessment and treatment which supports the provision of a safe and professional service. It is therefore in my legitimate interests as an accredited therapist to collect your personal data. I also collect sensitive ‘special category’ data (such as details about psychological difficulty). My lawful reason for doing so is that is necessary for the provision of a safe and professional (mental) health treatment (psychological therapy).
I may also collect information about you as I am providing supervision, training or others services to you. If you are a supervisee, I will have a contract with you, which will be my lawful reason to process your data.
I may also ask for information on how you found my service for the purpose of marketing research. No information is passed without your consent. I will never sell your information to others.
The therapy client data GDPR I hold may include:
1. Your name and address
2. Your phone number and email address
3. An emergency contact’s name and phone number
4. Your GP name and contact details
5. Relevant medical information
6. Session notes
7. Payment information
8. My emails to you, and yours to me
9. Invoices
Some of this information will be collected directly from you, it may also be collected from a referring agency such as a GP, healthcare provider or intermediary. In such cases I will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and healthcare insurance policy number and authorisation for psychological treatment.
Supervisee’s
I will only use the information you supply to me to support your supervision. Data that I collect about you in addition to the above, may include:
1. CV
2. Professional registration details
3. Information regarding previous supervision
Where I want to disclose information to a third party, for example in providing a reference, I will not do so without disclosing this to you beforehand unless disclosure is required by law.
You have the right to know what therapy client data GDPR I hold, why I hold it, and for how long I hold it.
You also have the right to view it, and to ask for changes to be made.
When sensitive data is to be destroyed, it is shredded. If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible.
If you are concerned about the way that your information is being held please discuss it with me. If you are still unhappy you have the right to complain to the Information Commissioner’s Office www.ico.org.uk. I confirm that I am registered with the ICO.
How, why, and for how long is your data held?
1. Your name and address
How I keep this data
I keep your name and address in paper form in a locked filing cabinet. These are kept separate from your session notes.
My clinical supervisor has your first name, their notes are kept in paper form, kept in their locked filing cabinet.
Why I keep this data
This is required by my professional liability insurer and by my professional organisations (BACP).
How long I keep this data
My professional liability insurer advises that I keep this data for seven years. After that time, it is destroyed.
My clinical supervisor will destroy the data when you and I finish our work.
Who sees the data
Myself.
My clinical supervisor will see your first name but not your surname or address.
2. Your phone number and email address
How I keep this data:
I keep your phone number in my mobile phone. My phone is locked with a pass code when I am not using it. Your email address is held in my Email, which is encrypted.
Neither my computer nor my phone are shared with anyone else, unless it is required by a technician for maintenance.
I also keep your phone number and email address in paper form in a locked filing cabinet. These are kept separate from your session notes.
My clinical supervisor has your first name in paper form, kept in a locked filing cabinet.
Why I keep this data:
This is needed in case I have to contact you (for example for rescheduling sessions or sending an invoice).
I also keep your email address in case we agree to work therapeutically via email, either as a regular arrangement or just occasionally.
How long I keep this data
I will remove this data when we have finished our work, unless you tell me that you would like me to retain it in case we work together again in the future.
Who sees the data
Only myself.
3. Emergency contact’s name and phone number
How I keep this data
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
Why I keep this data
It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you.
You and I may agree together on some other reason that I might contact this person, based on your best welfare.
How long I keep this data
When we finish working together, I will delete this data, unless you and I decide to make other arrangements.
Who sees the data
Only myself.
4. Your GP name and contact details
How I keep this data
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
Why I keep this data
You and I may agree together on some reason that I might contact your GP, based on your best welfare, for example discussing diagnosis, treatment plan or safety procedures.
How long I keep this data
When we finish working together, I will delete this data.
Who sees the data
Only myself.
5. Relevant medical information
How I keep this data
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
Why I keep this data
It may be relevant to share certain medical information when:
(a) Your mental health history, diagnoses etc may inform my treatment plan to make it more appropriate for you
(b) There is any risk that health conditions such as seizures, diabetes, etc may impact a session
(c) Your medications may affect our work
(d) You have any allergies that I should be aware of in order to keep you safe
How long I keep this data
When we finish working together, I will delete this data.
Who sees the data
Only myself.
6. Session notes
Notes may include dates and times of attendance, and brief notes on important themes from the session. I do not keep detailed session notes. I keep a ‘clear desk’ policy, which means that session notes and other information are not left unattended.
How I keep this data
I may keep brief session notes in paper form in a locked filing cabinet. Your name or other identifying details are not kept with your session notes; only a code is used.
Why I keep this data
Brief notes may remind me of important points I want to be sure to remember to discuss in our next session, and/or in supervision.
How long I keep this data
After the work has been discussed in supervision, I may destroy any notes (or parts of notes) that my supervisor and I do not consider necessary to keep for longer.
My current policy is to destroy session records after five years in line with my liability insurance requirements. Where it is in our best interests to retain this personal information for a longer period, due to any issues arising out of our work, I will hold this for seven years.
Who sees the data
Only myself.
8. Payment information
How I keep this data
I make a note of payments you have made, on a password-protected financial spreadsheet for my business. I may also outline invoices and record payments in my paper diary, but under a code rather than your name.
Why I keep this data
As a small business owner, I am required by law to retain certain financial information, primarily for tax purposes.
How long I keep this data
I keep financial information for 7 years as advised by HMRC.
Who sees the data
Payment by cheque will be processed by my bank.
Banking transactions may be viewed by employees of the bank, my accountant, my financial advisor, and tax officers (HMRC).
When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.
9. Your emails and texts
How I keep this data
I may delete emails after I have noted the contents (for example, emails around scheduling). Any emails that I consider it necessary to keep are retained in my email account, which is encrypted.
Why I keep this data
I may keep emails if I consider it clinically necessary.
How long I keep this data
I will delete emails when our work ends, unless they form session notes (in which case, see above).
Who sees the data
Only myself.
10. Invoices
How I keep this data
I create invoices on my laptop using Pages, and then export as pdf. Invoices are kept as password protected documents on my computer.
Why I keep this data
I use the invoice to create the next one (in the case of ongoing work) so that I can revise and update it with new information.
How long I keep this data
I keep the invoice for a short time whilst I monitor payments (usually this is one month). Once payment has been made, and any further invoice has been created, I delete the invoice.
Who sees the data
Only myself.
Exceptions to who do I share your personal information with?
I take your privacy very seriously, however, there may be some instances where information is shared:
Reports to referrers or private health insurance companies:
If you were referred to me by a psychiatrist, with your consent, I may write them an assessment report and a discharge report. Some insurance companies require reports to grant funding/ extension of treatment. I will also share appointment schedules with that organisation for the purposes of billing.
Risk and safeguarding:
In certain circumstances, such as where I believed there was a significant risk to you (e.g. suicide), to others (e.g. child protection) or where a crime was reported to me, I may have a legal and professional obligation to share information with third parties without seeking your permission.
Website
This website is designed to comply with the following national and international legislation with regards to data protection and user privacy:
UK Data Protection Act 1998 (DPA)
EU Data Protection Directive 1995 (DPD)
EU General Data Protection Regulation 2016/679 (GDPR)
When an individual visits www.clearmindtherapy.net, Google Analytics who are considered a third party service, collect information about what visitors do when they click on my website, e.g. which page they visit most. Google Analytics only collect non identifiable data which means I or they cannot identify who is visiting. Clear Mind Therapy will always be transparent when it comes to collecting personal data and will be clear about how that data is processed. Google Analytics makes use of cookies, details of which can be found on Google’s developer guides.
Disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website.
Third Party data processors
I use Google to process personal data on my behalf. Google comply with the legislation set out under Relevant Legislation. Google is based in the USA and is EU-U.S Privacy Shield compliant.
Contact forms and email links
Should you choose to contact me using the contact form on my Contact me page or an email link like this one, none of the data that you supply will be stored by this website or passed to / be processed by any of the third party data processors defined under Third Party data processors. Instead the data will be collated into an email and sent to me over the Simple Mail Transfer Protocol (SMTP). My SMTP servers are protected by TLS (sometimes known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet. The email content is then decrypted by my local computers and devices.
Social Media
Clearmindtherapy.net uses Twitter and Facebook business page. These third party providers have their own privacy policies in which you would have already agreed to when creating an account. It is not possible to comment on clearmindtherapy.net Facebook page. Any messages sent to the inbox of these media accounts are stored by the provider and I will regularly delete.
About this website's server
This website is hosted by web healer. This is a link to their Privacy Policy. http://www.phdinteractive.co.uk/privacy
Complaints or queries
I try to meet the highest standards when collecting and using personal information.
For this reason, I take any complaints I receive very seriously, I encourage people to bring it to my attention of they think that my collection or use of information is unfair, misleading or inappropriate. I would also welcome any suggestions for improving my procedures. If you have a complaint, contact me at clearmindtherapy@icloud.com so I can investigate on your behalf.
If you are not satisfied with the response from me or believe I am not processing your personal data in accordance with the law you have the right to raise your complaint with the Information Commissioners Office (ICO). My ICO registration number is ZA239778 and I (Suzie Shepperson) am the named Data Controller.
Changes to this privacy policy
This privacy policy may change from time to time in line with legislation or industry developments.
I will not explicitly inform website users of these changes. Clients will be informed as part of their GDPR contract.
I recommend occasional checks of this page for any policy changes. Specific policy changes and updates are mentioned in the change log below.
Change log
25/05/2018
Privacy policy instigated