As a sole trader, I am the director/manager of my psychotherapy practice, and in terms of GDPR, I am the data controller for my practice, too. GDPR stands for the General Data Protection Regulation that was introduced by the European Union in April 2016 and is enforceable from 25th May 2018. I am registered with the ICO (Registration Number ZA335737). ICO stands for Information Commissioner’s Office, i.e. the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and privacy for individuals.
If you have any questions or concerns about how your data is processed or shared, please contact me by emailing email@example.com.
How is information about you collected?
When you visit my website
When you enquire about my services via email and I reply to you via email, I cannot guarantee that your email, or my reply, is 100% secure. Therapy related emails tend to include some level of personally identifying or sensitive information, even if it is to simply book another appointment with me, or if I send an email to remind you of your next session, as emails from me identify me as a therapist. Please choose an appropriate email address accordingly. For the purpose of introducing an extra layer of security, you could consider sending your information to me by attaching a Word document that you have protected with a password. You could then let me know the password via phone, text or another email. You are also welcome to create two paper copies of completed forms and questionnaires to bring to sessions where we are meeting in person (one for each of us), if you would prefer not to send them password protected by email.
If you choose to make contact with me over the phone, I may collect information from you before inviting you in for an assessment (see “What type of information is collected?” below). If you become a client, I may store your mobile number in my phone for the duration of therapy, identifying you only by first name and the first or first and second letter of your surname. I would do this in order to be able to contact you on the day of a session if either you or I are late or need to rearrange, or to text session reminders to you if you wish me to do so.
When we have arranged for you to attend an assessment session, I will ask you to complete a client details form. This form is about personal information, including your name, date of birth and address. After the first session, this form will not be kept in the same place as my session notes (which do not contain any identifying information) but will be stored in a locked filing cabinet in my home office.
I may also invite you to complete one or several other forms, such as the GAD-7/PHQ-9 for mood self-assessment purposes, and a form collecting information pertaining to the context of the issue you are consulting me about, and your therapy goal. You never have to fill in these forms beforehand, but if you did, it would save session time. See “via email” above for how to make the conveying of the details in these forms more secure, should you wish to do so.
Face to face
When you attend therapy sessions with me, I collect and record data from you in order to get to know you, understand you, and help you work towards your goals.
From third parties
I may receive information about you from third parties I work with, including other health professionals and your health insurance company. Third parties including analytics providers provide me with information that helps me ensure my website is user-friendly and provides my website visitors with the information they seek. In most cases, the only third parties who I will have reason to obtain information from in relation to your treatment are your insurance company and/or referring GP or psychiatrist. Your insurance company may refer you directly to me, and if they do, they will often provide me with your personal information. If your GP or consultant psychiatrist refers you to me for CBT, they may also write a referral letter which may contain both personal and sensitive information, and if you have had an assessment with them, also with sensitive information. If you have any concerns about whether the above third parties are GDPR compliant, please contact them directly. I will never knowingly obtain data about you from any third party without your knowledge or consent.
What type of information is collected, and why?
I collect the personal and sensitive data below from you to ensure that the service I provide to you is adequate, and for monitoring and evaluation purposes.
I may collect some or all of the following personal information from you, either before our first meeting (on the phone/via email), or face to face, throughout the course of therapy:
- personal details
- Health insurance details (if applicable)
- GP name and contact details
- emergency contact (next of kin)
- family, lifestyle and social circumstances
- employment and education details
Special Category Data (Sensitive Data)
Given the nature of therapy related data, some of the information I may collect from you can be classified as sensitive.
- physical or mental health details
- religious or other beliefs of a similar nature
- offences and alleged offences
What will your information be used for?
I process personal information to enable myself to provide cognitive behavioural therapy to my clients, which may include:
- making appropriate referrals
- coordinating your care when working with other health professionals who may be involved in your care
- communicating with you regarding your treatment/appointments
- accounting for my clinical decisions and/or responding to complaints
What happens to the notes I take in therapy sessions?
For me to fulfil my role as a psychotherapist, I take notes in each session and store these notes in your file, in order to help me remember significant details and reflect on your treatment plan and progress. I don’t need to have a written record of everything you share with me, and only use your data in ways you would reasonably expect. I will encourage you to keep your own notes and thus take ownership of your therapeutic journey, including goals, monitoring progress, homework tasks, and regular self-reflection. I keep session notes separate from your identifying information (surname, date of birth, address). In between sessions, your notes are kept in a locked filing cabinet, to which only I have access.
Your insurance company
If you are claiming the cost of your sessions through your insurance company, they may request details of your treatment and progress from me in order to authorize further funding for your treatment. Under these circumstances, I will share the minimum amount of information necessary with your insurance company.
Your consultant psychiatrist
When you are referred to me by a psychiatrist, I normally write to them after about every four to six treatment sessions as part of good practice. When I refer you to a psychiatrist, I normally write to them before your first appointment with them.
It may be sensible and in your best interest for the GP involved in your care to be advised that you are being treated by a CBT therapist, as well as updated on your progress. This could mean me writing to your GP at the beginning and end of your treatment if you would like me to, or after every few sessions.
I would not normally write to your psychiatrist or GP without your consent; for exceptions, see “Safeguarding” below.
In the interests of quality control and continued professional development, psychotherapists are required by their professional bodies to undergo clinical supervision. The professional body of CBT therapists, the BABCP, of which I am a member, stipulates a minimum of 90 minutes of clinical supervision per month. Supervision can take the form of the therapist bringing questions regarding treatment planning, engaging the client, suggested interventions, discussing homework tasks. Occasionally, for training and supervision purposes, I may ask a client, or a number of clients in a particular week, for their permission to record (either sound only, or video) a therapy session. This would not contain any identifying information and I would use it to play an excerpt, or all of it, to a supervisor. You would be absolutely free to decline my request to record a session. I would never share your surname, date of birth or contact details with a clinical supervisor. Clinical supervisors are in any case also bound by strict confidentiality rules.
As per the BABCP Standards of Conduct, Performance and Ethics, I have to take appropriate action to protect the rights of children and vulnerable adults if I believe they are at risk. I would normally discuss any concerns I may have about safeguarding issues with you before I get in touch with anyone else.
There are three situations where I might share your information with third parties without your consent:
- If I am required to disclose data about you under a Court Order
- If I am concerned about the welfare of a child, i.e., where there are child protection issues
- Risk to self or others: where there is an imminent risk of harm to yourself or others, i.e., you have expressed an intent to kill yourself, or to kill someone else, imminently.
Duration your data is stored for
Starting as of January 2018, I will keep files for seven years. My professional indemnity insurance requires that I store data for seven years. According to the Limitation Act 1980, you, as my client, have six years within which to bring against me a complaint of breach of contract, breach of trust or a claim in relation to negligence. It is therefore in both our interests that I store your data for this period of time. Also, in my experience if a client returns to me for further therapy in future, they normally do so within seven years. Once you have stopped having therapy sessions with me, your file is stored securely in a locked filing cabinet in my home for seven years, after which your file is securely destroyed.
Security of information shared over the internet
I process your personal data in line with GDPR legislation (EU) 2016/679, and take all appropriate measures to keep it secure. You can find out more about this legislation here.
I make every effort to ensure that your personal information is held securely and to safeguard against unauthorised access to your personal information.
- You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.
- You acknowledge and agree that you share and transmit the information at your own risk.
See “via email” above for more secure ways of sharing information over the internet.
Your Individual Rights
You have a number of rights (including Right to be informed, Right to access, and Right to lodge a formal complaint) when it comes to your personal data. Please refer to the ICO’s website for full details of your rights.
Right of Access
You may request details of personal information which are held about you. Requests for information must be put in writing. If you would like to request access to the information held on you, please email me.
Requests that are considered excessive or unreasonable may be refused. In the event your request to obtain details of information held about you is refused, you will be provided with an explanation as to why that is.
Right to lodge a formal complaint with a supervisory authority
If you believe that your rights under the GDPR regulation have been infringed, or that the processing of personal data relating to you does not comply with this regulation, you can inform the ICO (Information Commissioner’s Office) by phoning their helpline on 0303 123 1113.