HOW I USE AND PROTECT YOUR DATA
I am committed to protecting your privacy and data. I will use the information that I collect about you in accordance with the Data Protection Act 2018 and the Privacy and Electronic Communications Regulation 2003.
WHO I AM AND WHAT I DO
I am a sole trader; therefore no other individual has access to your information or data. I take the security and privacy of my clients’ data seriously and I am registered as a Data Controller with the Information Commissioner’s Office (ICO). The lawful basis for collecting and storing your data may be consent, contract, or both. The nature of my business also means that I may need to process data of the type classified as sensitive (including, but not limited to, information about your health, your ethnic origin, sexual orientation or other sensitive personal data). The lawful basis for collecting and storing this type of information is explicit consent.
WHAT INFORMATION ABOUT YOU I MAY NEED
I need to process a certain amount of personal information about you in order to be able to correspond with you, contact you about your appointments or your therapy and to provide relevant services to you. This might include information about:
- Your name(s) and contact details (telephone numbers, address, email address)
- Your age or date of birth (this may be relevant to what services I may provide to you or fees applicable)
As well as the above information, I might ask you to provide me with other information that will be relevant to the work we will do together; this may include:
- Your marital status and current living arrangements
- Information about your partner, family or children
- Your occupation or past occupations and/or your education or past education
- Your religion or faith and whether this is important to you
- Any current or past medical problems and any medications taken (this may affect whether or not I can take you on as a client)
- Your weight and height if this is relevant to the work we will do together
- Your GP’s name or GP surgery name – I require this information in case I ever have a serious safeguarding concern about you or someone else. In some cases I may want to contact your GP about your treatment but unless there is an emergency I will always discuss this with you first.
- Lifestyle information such as your exercise, diet and eating habits, your sleep patterns, whether you smoke, drink alcohol or use recreational drugs – this information may be relevant to your treatment plan
- Information about recreation and your social life – again this may be relevant to your treatment
In addition to the above I will ask you about your reason(s) for seeking therapy with me and how it affects you. I will make notes from what you tell me about the above, for my own use only.
HOW I KEEP YOUR DATA SAFE
Information that I collect about you is stored and used as follows:
I may make brief notes of some of the information you provide. My initial intake notes and brief session notes are kept on paper and are stored securely in a locked filing cabinet to which only I have access. They are filed according to a unique client reference number and do not contain any information that might identify you. Your name and contact details are stored in a separate location. Your name and contact details, plus brief details of each session (date and basic treatment notes) are also securely stored in my online practice management software (Cliniko – see below).
I am required by my professional insurers to securely store your records for a period of 7 years following your treatment, or for 7 years after your 18th birthday if you were under 18 when you were my client. The practical basis for storing your records is in case you decide to return for more therapy at a later date. The legal basis for storing your records is to investigate any complaints or for future court orders. After 7 years have passed I will delete or securely dispose of any records or information about you.
For accounting purposes I maintain statistics about client attendance and revenue; however, this data is anonymised and does not contain any of your personal information. These statistics are stored digitally on a password-protected secure cloud-based server (see below).
While you are my client I may store your name, phone number and/or email address on my business phone or tablet, to enable me to contact you if necessary and to identify your calls to me. I will remove your contact details from any mobile devices approximately one month after the end of our work together.
My email correspondence with you is stored on a secure email server and deleted after 12 months, except for any information relevant to your treatment, which may be transferred to your stored data. Emails sent and received on my mobile device (phone or tablet) are deleted after one month. My mobile devices are protected by passcodes and can be remotely wiped if they are lost or stolen.
If required by UK law I may be asked to provide client details to the police or law courts. Should this be requested I will always seek legal advice from my professional insurance provider before disclosing any client information in this way.
THIRD PARTY SERVICES TO WHOM I MAY TRANSFER YOUR DATA
I will never pass on your information to any other individual, except in the case that I become unable to work and cannot contact you myself, when a suitable trusted person I have delegated may contact you on my behalf.
In order to operate my business effectively and securely, I use some third-party service providers who may require access to some of your data; you will find more details below. I will not share any of your personal data with any other third parties without your agreement, unless required in order to fulfil my contract with you, or allowed by law. Whenever I share your data with a third party I will always do so securely and in line with current legislation on data sharing. I have taken steps to verify that the third-party services I use are also compliant with current EU data protection legislation and therefore also protect your data to the required standards, even if they are not based within the EU. Where necessary I have signed data processing agreements (DPAs) with suppliers to safeguard any data processed outside the EU/EEA.
In general, the third-party providers I use to facilitate the service I provide to you will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to me. These providers include my practice management software provider, email service provider, phone and telecoms providers, my web host and online directories on which I advertise who may handle client enquiries on my behalf (including BACP, Counselling Directory, Hypnotherapy Directory, National Council for Hypnosis and the National Centre for Eating Disorders).
When you pay me for my services by bank transfer, credit card or cheque some of your data may be transferred to my card payment processor or bank, in order to process your payment. I will never store your credit card number or details.
I use secure online client management software which is provided by Cliniko, who are specialists in client data management for clinics and medical practices. The data that I may enter onto this system includes your title, your name, address, phone number(s), email address, date or year of birth. Cliniko also logs details of your appointment dates, attendance and your payments (but does not require details of your credit card or bank details). Cliniko allows me to send you appointment reminders by email or text message and also allows me to give you access to an online booking facility whereby you can select and book an appointment in my online diary at a time of your choosing. Nobody else can see your online bookings and your data is encrypted. Only I have access to your personal information in Cliniko and my account is password protected.
PROTECTING YOUR RIGHTS
I will only contact you about our work together during our therapeutic alliance, unless you ask me to keep you informed of any services or information about my business. If you do opt in to receive updates you may opt out from these communications at any time and I will make it clear on my communications how you can do this.
You have the following rights related to your personal data:
- The right to request a copy of personal information held about you
- The right to request that inaccuracies be corrected
- The right to request me to stop processing your personal data (however please note that if you ask me to delete your personal data I may seek guidance on whether there is a legal basis for me to maintain your data).
- The right to lodge a complaint with the Information Commissioner’s Office
WEBSITE AND COOKIES
CHANGES TO THIS POLICY
CONTACT OR COMPLAINTS