I am de facto the Data Controller and Processor for the data that I collect from all clients.
The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (i.e. to provide therapy) and that it is data that you would reasonably expect me to hold and use.
For those who enquire about therapy, the data I hold includes any information you have sent me by email/text/message.
For those who book and attend at least one session, the data I hold includes:
- Basic information such as name, email address, phone number
- Information that you give me as part of the work we do together
- Audio recordings of each session
- Records of which interventions I use (or potentially do not use) in our sessions
- Emails, texts and/or messages that are sent between us
- Information sent from any third party, e.g. GP, insurance company, EAP
The data is primarily used to enable me to provide therapy for you and to allow my capacity as a therapist to be assessed. It may also be used for scientific research and statistical purposes.
Details of where data is held:
- Any emails sent between us are held on a password-protected computer.
- Any text messages sent between us via SMS or WhatsApp are held on a password-protected phone, to which only I have access.
- Your notes are held on a password-protected computer, within an encrypted folder.
- Audio recordings of your sessions are held on a password-protected computer, within an encrypted folder.
Your data is kept for 7 years. The length of time is based on the requirements of my insurance company. After this time any paper records are shredded and computer records permanently deleted.
I take the security of data seriously and as such:
- For online video sessions, which are delivered via Zoom, communications are established using TLS encryption and all shared content is encrypted using AES encryption. A password is also required to access the meeting.
- All stored data is held on a password-protected computer, within an encrypted folder.
If there is any breach of data security, I will give full details to the Information Commissioner's Office and to any person affected within 72 hours of the breach, and will do everything possible to minimise any potential impact.
No data is shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure, which are detailed below.
Requirements for Disclosure
It is important that you know that the law overrides our normal confidentiality if:
- I become aware of information which I either know or believe might help prevent another person carrying out an act of terrorism, or might help in bringing a terrorist to justice in the UK, or about specified activities related to money and property used to assist terrorist activities.
- I observe physical signs that an act of female genital mutilation may have been carried out on a girl under the age of 18, or I am informed by a girl under the age of 18 that she has undergone an act of female genital mutilation.
- The police request information about the driver of a vehicle at the time of an offence; I must disclose it, as failure to do so would constitute a criminal offence on my part.
- I become aware of drug trafficking or money laundering that may be required to be reported under the Drug Trafficking Act 1994, the Proceeds of Crime Act 2002 or the Money Laundering Regulations 2007. If this happens, I may seek legal advice as to any statutory duty.
- I am ordered to disclose information by a court, or by a statutory request for access to personal data made under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
I may break our normal confidentiality if I become aware (or have good reason to suspect) that you have knowledge of:
- A past, present or future incident/situation that may be dangerous or harmful to you, another adult or a child and that is not known to the relevant authorities.
- Future or past criminal activity that has not been resolved in law. This means any criminal activity of which the relevant authorities are either unaware, or a case they know about which they consider not to be closed (provided you do not present information in therapy which would reasonably re-open the case). This does not include parking or traffic offences unless there is intent, by you or anyone else, to cause danger to yourself or others, or unless it is deemed to be a serious offence. In such circumstances, I will work with you to see whether we can make appropriate disclosures together.
- For our purposes a serious offence is: ‘Murder, manslaughter, rape, treason, kidnapping, child abuse or other cases where individuals have suffered serious harm or there is serious harm to the security of the state or to public order and crimes that involve substantial financial gain and loss’.
Other than as required by law, I may discuss your case with my clinical supervisor. My clinical supervisor will have access to your details if I am suddenly unavailable, so that they can contact you and offer you ongoing care. I may talk or write to your GP, but I will not give any personal details beyond what we are working on.
Your rights with regards to the data held
- The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
- The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
- The right to erasure. If you wish me to erase your data, just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this would never include case notes or data such as address/email/phone.
- The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.
- The right to data portability. This might apply if you want your notes sent to another therapist, for example, but it is likely that the easiest solution would come under the right of access, i.e. I would send the data to you.
- The right to object to:
  - processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). I do not engage in these things.
  - direct marketing such as contact via e-mail and SMS.
  - processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
  - automated decision making and profiling. I do not engage in automated decision making or profiling.