I am aware of my obligations under the General Data Protection Regulation (GDPR) and am committed to protecting the privacy and security of your personal information. This privacy notice describes, in line with GDPR, how I collect and use personal data about you during and after your time as a patient of this clinic. It also sets out how I use that information, how long I keep it for and other relevant information about your data.
This notice applies to current and former clients.
Data protection principles
In relation to your personal data, I will comply with data protection law. This says that the personal information I hold about you must be:
- processed fairly, lawfully and in a clear, transparent way
- collected only for valid reasons that I find proper for the course of your time as a client and not used in any way that is incompatible with those purposes
- only used in the way that I have told you about
- accurate and up to date
- kept only as long as is necessary for the purposes I outline
- processed in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed
- kept securely
All clients in a therapeutic contract with Andrea Simson counselling have their personal data stored in a variety of ways. Personal data stored is: full name; contact phone number; emergency contact phone number; email address; physical address; GP name, address and contact details; date of birth; gender; occupation; employment status; medication and fee level. Data about partners and/or dependants include relationship length and status; age; gender and occupation.
The above data (known as the client registration form) is stored and collected via hard copy format.
Client Notes – In addition to the above, I make and keep brief weekly client session notes in an online format accessible only by me. Online and phone access is password protected and known only by me. Personal data is not used or referred to in the making of client notes.
Audio Recorded Sessions – Occasionally I audio record sessions with the consent of the client usually at the start of the contract. The consent form is hard copy only and outlines the conditions of the audio contract. Personal data shown includes the name and signature of the client and is in hard copy format.
Keeping of Client Data
Client registration forms are kept securely in a locked drawer throughout the duration of the therapeutic contract (except a separate recording or ‘record log’ of your name and contact number which is to be accessed by a nominated person other than me, to contact you in the event of my incapacitation or death). Client registration forms and record logs are destroyed once the therapeutic contract has ended.
Any personal data stored in an online format is kept securely under password protection known only by me throughout the duration of the therapeutic contract and is deleted once the therapeutic contract has ended, with some exceptions (see below).
Audio Recorded Sessions – The hard copy consent form is kept securely in a locked drawer throughout the duration of the contract and destroyed once the therapeutic contract has ended. Each audio presentation is transferred from the recording device to online and phone and kept under the same conditions as online personal data and deleted once the therapeutic contract has ended. The recording device does not hold a copy of the audio presentation after transferring.
Client Notes – I am obliged to keep all weekly client session notes for 6 years. These are kept and maintained online under password protection known only by me and then deleted once 6 years have passed.
Each client is assigned a unique ‘client code number’ as a client-identifying reference in place of your name when making session notes. In order to correctly match clients to their appropriate session notes, I keep a separate online ‘file key’ with your full name and assigned code number together. This enables me to identify clients where the contract has long ended. This file is kept for 6 years and under additional security password protection to ensure that both the ‘key’ and the session notes cannot be accessed with the same password.
Confidentiality and Anonymity
My therapeutic contract with you stipulates that all sessions are confidential with the exception of the following:
- If I assess you to be at risk of harm to yourself or others
- If I assess that you are involved in or have information about others involved in terrorism
- In medical emergencies
- To fulfil legal requirements
I share some contextual details of the therapeutic relationship with my supervisor, who is bound by the same ethical agreements as me, and only your first name is declared for the benefit of the supervisory session. My supervisor keeps brief supervision notes throughout the duration of our therapeutic contract and knows only your first name. Only under the extreme circumstances stated above will confidentiality be broken.
I also keep a Supervisory Log in order to assess how I allocate my client load within the supervision session. It is kept online under the same protection protocol as stated above for online personal data. Only your first name appears on this log and it is kept as an on-going document throughout my contract with my supervisor and will be deleted when my supervisory relationship ends, or after 6 years, whichever is sooner.
I do not collect any personal data from visitors to my website unless they fill in my contact form. In this situation, any personal information given is stored in my emails and the admin section of my website. Both of these areas are secure and are password protected.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data I hold on you:
• the right of access. You have the right to access the data that I hold on you. To do so, you should make a subject access request.
• the right for any inaccuracies to be corrected. If any data that I hold about you is incomplete or inaccurate, you can require me to correct it.
• the right to be informed. This means that I must tell you how I use your data, and this is the purpose of this privacy notice. I also must inform you of any changes to how I use your data.
• the right to have information deleted. If you would like me to stop processing your data, you have the right to ask me to delete it from my systems where you believe there is no reason for me to continue processing it.
• the right to restrict the processing of the data. For example, if you believe the data I hold is incorrect, I will stop processing the data (whilst still holding it) until I have ensured that the data is correct.
• the right to portability. You may request to transfer the data that I hold on you for your own purposes.
If you want to access, review, verify or correct your data, request that I erase your personal information, object to the processing of your personal data, or request that I transfer a copy of your personal information to another party, please contact me via email at firstname.lastname@example.org.
What I may need from you
I may need to request specific information from you to help confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, I may continue to use the data where so permitted by having a legitimate legal reason for doing so.
To withdraw consent, contact email@example.com.
Making a complaint
If you have any questions about this Privacy Notice or how I handle your information, please contact me in my role of Data Protection Officer at firstname.lastname@example.org.
You have the right to make a complaint at any time to the supervisory authority in the UK for data protection matters, the Information Commissioner’s Office (ICO).