Policy On Data Protection & Privacy 2020
Who I am and What I do
My name is Theresa Cawley and I am a psychotherapist who specialises in delivering counselling/psychotherapy to adult clients and couples, and in this capacity I am what’s known as a Data Controller.
How I Protect and Manage Your Personal Data
Although I need to collect and hold certain personal data in order to deliver a service as part of my duty of care to you and as part of our contract for the work together. I am committed to protecting and respecting your privacy.
This policy provides an overview of how I comply with data protection legislation for good practice within the current General Data Protection Regulation 2018. The policy outlines the basis on which any personal data that you provide to me will be processed by me.
How I Obtain Personal Information & Purpose Specification
If you contact me by telephone, email, or by other means, I may keep a record of that contact. I may keep records of any meetings or sessions in the form of written or electronic notes both within and outside of sessions. I may receive correspondence from you or from other healthcare professionals relating to your care.
The information I hold on you falls into two categories, Personal Data (name, address, telephone number, email) and Special Category Data (racial/ethnic origin, political opinions, religious/philosophical beliefs, criminal convictions, health (both physical and mental health), sex life or sexual orientation). Both categories of information are held in order to deliver a service to you and I will ask for your explicit written consent for holding this data so that I may be able to provide a competent service to you.
I only hold information that is relevant to the purpose it serves and ensure that it is not excessive. If you have a preferred means of contact between sessions for scheduling/changes made to scheduling, please let me know and I will endeavour to respect this. Please read my Policy on Emailing/Texting and Social Media in conjunction with this policy, so that you are making an informed decision around this.
I may also hold information relating to your reasons for contacting me, your address, date of birth, who referred you (if relevant), the name and contact details for your GP, the name and contact details for other healthcare professionals involved in your care, significant physical or mental health details including medication, the type of therapeutic service being offered to you, correspondence from or to you about your care, correspondence from or to other healthcare professionals about your care, correspondence to or from third parties about possible referrals, completed consent forms, a record of appointments and attendance, fees paid (for my financial records), a nominated next of kin (for compliance with sensible health & safety arrangements) and session notes. Some of this information enables me to comply with my legal or regulatory obligations, and some of it is used in delivery of my service to you.
I do keep very brief sessional notes to support the therapy work, and notes are kept to a minimum of headings and abbreviations as an aide memoire. Session notes are anonymised and kept separate from any identifying personal details.
Who I Share Your Data With
Client records are private and confidential. However, there are occasions where I may be ethically or legally obliged to share your personal/sensitive data with others. In the event of any risk arising either to your own well-being or to third parties, I will request consent from you to speak to an appropriate person, such as to your GP or another health related professional/police or your next of kin, before breaking confidentiality. Information relevant to the situation may be shared with such a person in the event of risk. This is something I am ethically bound to do in the interest of your or others safety. In situations where there is an immediate risk of harm, I may have to share your data with others in the interest of safety.
Likewise, your records may be shared via a court order for disclosure or under a legal requirement (e.g. Mandatory Reporting to protect children or vulnerable adults, terrorism or drug money laundering). I may also be required to give your contact details to a 'contact tracer' in the event of me contracting Covid 19. Please refer to my Policy On Confidentiality for detailed clarification on this. However, except in the most extreme cases I will endeavour to seek your consent on this before disclosing this information.
All psychotherapists are required to undergo formal supervision and supervisors are bound by their Associations Code of Ethics. As part of these sessions it may be necessary to discuss your Personal or Special Category Data with the supervisor who will be a qualified healthcare professional operating under terms of confidentiality. This information is shared in a way which protects your identity.
To preserve confidentiality and to respect the integrity of the therapeutic process I do not provide reports, legal or otherwise, or any documentation representing the process of therapy.
Data Retention and Destruction
Any information supplied by you in session will be stored in an encrypted password protected system, that is only accessible by me. I change my passwords regularly to ensure they are secure. All physical material is secured in locked storage when not in use. This includes information about your contact details, consent forms, letters of referral, next of kin and GP’s details as well as any other information you may share during the course of your therapy. In additional to this I may receive correspondence from other health care professionals relating to your care which will be kept in physical form.
Contact, whether by telephone, email, website, or other means, to make appointments will not be saved beyond what is necessary. Texts and emails are regularly deleted after the appointment is made. I will keep records of the dates of any meetings and minimal session notes as aides’ memoires as appropriate and if helpful to the therapeutic process.
In the unlikely event of data being lost/stolen or compromised I will tell you what has happened, unless you have stated that you do not wish to be contacted by me, and inform the office of the Data Protection Commissioner.
I do not keep information about you any longer than is necessary. I do not keep personally identifying information beyond our work together. Upon completion of our work together I delete your number from my phone within 6 months, and incinerate details including your address, date of birth, GP details, next of kin, referral source, medical details.
The length of time I keep your session notes may be determined by statutory or regulatory requirements. Currently my Professional Indemnity Insurance requires me to ‘maintain accurate descriptive records…. for a period of at least ten (10) years from the date of treatment’.
On completion of our work together session notes are stored anonymised, encrypted and password protected on an external hard drive which is kept off site to where the counselling is completed for additional security. The code with your name on it, is stored separately for additional privacy.
Physical consent forms are and if necessary, letters which are anonymised as far as is possible i.e. removing your name & address, are retained in locked storage. After a period of ten years, all data that I hold about you is deleted or destroyed by incineration. Purging of data occurs on an annual basis.
Your Rights under Data Protection Legislation
You have various rights under the relevant data protection legislation. If you wish to exercise any of these rights, then please contact me.
• You have the right to see what information I hold about you. There is no fee for this.
• You have the right to ask me to correct any personal data I hold about you that is wrong. If you feel this is the case, then please let me know.
• You have the right to ask me to erase any information I hold about you. However, this right may be limited by my need to comply with statutory or regulatory requirements for retaining data.
• You have the right to ask me not to contact you. This may be for specific purposes or you may not wish to be contacted at all. Obviously, I will need permission to contact you if you are an active client so that I can continue to deliver the agreed services to you.
Restrictions on Access to Medical Data and Social Work Data
In the event of your request for access to our records, the following restrictions may apply:
Right to Access Exemptions
Health data relating to an individual should not be made available to the individual, in response to an access request, if that would be likely to cause serious harm to your physical or mental health.
Information about Other Individuals
I am not obliged to comply with an access request if that would result in disclosing data about another individual, unless that other individual has consented to the disclosure. However, I am obliged to disclose so much of the information as can be supplied without identifying the other individual, e.g. by omitting names or other identifying particulars.
Expressions of Opinion
Where personal data consists of an expression of opinion about you by another person, you have a right to access that opinion except if that opinion was given in confidence. If the opinion was not given in confidence, then the possible identification of the individual who gave it does not exempt it from access. If you would like any further information, please contact me.
Formal Consent Agreement as per Contract for our Work
I have read and understand the above and hereby give my consent for you to process my personal and special category data in the ways outlined above, so that you may provide me counselling/psychotherapy, with a view to protecting my and others vital interests, as required by counsellors/psychotherapists Legal, Professional Indemnity Insurance and Regulatory/Best Practice requirements.
Latest version 30/06/20