Updated 23rd July 2022
I promise to keep any data you share with me during our sessions together safe and secure. I promise not to share it with anyone unless I have a professional or legal obligation.
I am responsible for protecting your privacy and any personal information you may share with me when we work together. For this purpose and according to the EU General Data Protection Regulation (GDPR), and the Data Protection, Privacy and Electronic Communications (amended) Regulation 2019 (UK-GDPR) or, where appropriate, any other relevant data protection law, I would be a “data controller”, which means I am responsible for taking measures to ensure your data is safe and for policies on such things as how long data is kept and who, if anyone, I might share it with.
This notice explains the kinds of personal information I may collect about you and that are necessary for us to work effectively together. It also explains how I store and handle the data and how I keep it safe.
First of all, it’s important to understand a few terms. “Personal data” is information that identifies you. It will also be information about your problems and progress in therapy and will include any notes I make about our meetings.
“Processing” your data includes various activities using your data. These may include collecting, recording, organising, using, disclosing, storing and deleting it.
A “Condition for processing data” is essentially my justification for processing the information. I will for example ask you for your Explicit Consent for me to process your data to deliver psychological therapies to you.
2. The law requires me to apply the following Principles to the processing of your data:
2.1 To process your data in a lawful, fair and transparent way – I promise to always be clear about what data I am processing and why;
2.2 To only collect your data for explicit and legitimate purposes – I can only collect your data that is with reference to your therapy;
2.3 To only collect data that is relevant, and limited to the purpose(s) I have told you about – I won’t record any data that isn’t directly relevant to your condition;
2.4 To ensure that your data is accurate and up to date – I am required to ensure data is up to date, I may check with you from time to time to make sure of this;
2.5 To ensure that your data is only kept as long as necessary for the purpose(s) I have told you about – I have strict policies on how long I will keep your information after which it will be securely destroyed;
2.6 To ensure that appropriate security measures are used to protect your data – I am very careful about my security arrangements and constantly update my systems and procedures.
3. Accountability Statement
The Accountability Principle, as detailed in GDPR Article 5(2), means I must be able to demonstrate that I am responsible for these principles of data protection law. To ensure this is the case:
I regularly review my data protection policies and procedures. This helps me to ensure I continue to comply with the law and my intended processing is both clearly explained, necessary and absolutely transparent. Where I rely on Explicit Consent, I ensure it is gathered in accordance with the law. When I rely on other conditions, I consider the rights of others before I proceed.
I assess the risks I may, from time to time, create when processing data to ensure I uphold the Rights and Freedoms of every individual. This is especially true when I process data in a new way.
I only share data where I have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with ‘Standard Contractual Clauses’ where necessary.
I keep extensive records of my processing. For example, Activity and Incident logs measure my compliance and help me to identify any weaknesses in my procedures. I actively consider the opinion and advice of others both here, in the EU and beyond. I monitor case law and the guidance of the Information Commissioner’s Office (ICO) and the European Data Protection Board (EDPB). I positively welcome enquiries from the public concerning their personal information.
To ensure I protect personal data I constantly review my security measures, both technical and physical, and have instigated appropriate safeguards. This includes regular training where required. Access to data is based on the ‘Least Privilege’ principle (PoLP)*.
I am the ‘Accountable person’ for processing activities. I am registered with the ICO as a data controller and have a clear data breach reporting procedure.
The following sections should answer any questions you have but if not, please let me know.
It is likely that I will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact me by any of the means shown below.
4. Conditions for processing your data.
The law on data protection sets out a number of different conditions or justifications for which an organisation or individual may collect and process your personal data. When collecting your personal data, I will always make all of this very clear to you. Most commonly, I will process your data on the following lawful grounds:
5. Your Explicit Consent
In most situations, I can collect and process your data with your explicit consent.
I discuss your personal information in supervision with my supervisor, who is another psychologist or psychotherapist, for the purposes of ensuring that my practice is safe and effective, and as mandated by my professional bodies. I do not reveal your name when I share your information in supervision. My supervisor does not share your personal information with anyone else. If applicable, I will from time to time write to your referrer with a summary of your treatment and progress, and will always obtain your consent and show you the content of such letters before sending them.
If you have not engaged with me for more than six years, you may be flagged as an inactive individual and I will delete your file. If you would like me to keep our information for future reference, then please make this clear to me. Where I may have a legal or professional obligation, I may keep data for longer.
On rare occasions I may process your data without your consent. For example, when I believe you, members of your family, intimate partners or children may be at risk. These conditions relate to the processing of special category data and are detailed in the Data Protection Act 2018. The law states that for me to do so, I must have an Appropriate Policy Document in support of the processing. When data is processed in this way some of your rights may not apply. If you are at all concerned about this, please let me know.
6. We may have some contractual obligations
When we begin working together, I will ask you to agree to my therapy contract. This is normal practice and lays out what we expect of one another. For example, I promise to give you the support you asked for, in return you promise to promptly pay your fees. By entering into these terms, we enter into a contract together.
7. Vital use of data
I may also use your data, typically in an emergency, where this is necessary to protect your life, or someone else’s life. In a small number of cases where other lawful bases do not apply, I will process your data on this basis and in your best interest.
I do not discuss your personal information with third parties, except for the purposes of supervision. However, if my professional opinion were that there was an immediate and serious risk that you might harm yourself or someone else, then I may have to share your personal information with a third party such as your GP or the emergency services without first obtaining your consent. This might be because it is not practically possible to obtain your consent, or because attempting to do so might lead to a delay in accessing help and therefore endanger your life or that of another.
In situations where I did have to share your personal information with third parties to protect you or another, I will only share your personal information in so far as it is relevant and necessary to protect you or someone else. I will inform you what personal information I shared and to whom.
8. Legal Obligation.
It is possible that your personal information may be requested by the Police, a Court of Law, Coroner’s Office or Professional Body in which circumstances I would have no option but to comply with the law.
9. Legitimate Interest
In certain circumstances, I may require your data to pursue my legitimate interest in a way which might reasonably be expected as a Psychologist or Psychotherapist. When I process data in this way, I will make sure there isn’t a chance of any impact upon your rights, freedom or interests. I will never use my Legitimate Interest to process your sensitive data such as your case notes relating to your mental health.
10. Special Category Data.
I collect information about your current and previous psychological and physical health, and where relevant sexual health, and your current and previous social and family circumstances during your appointments. I will also collect information about you when you voluntarily complete questionnaires. This sensitive personal information is defined as “Special Category Data” and I collect it because I am providing psychological assessment or treatment to you. “Special categories” of particularly sensitive personal data require higher levels of protection. I need to have clear justification for collecting, storing and using this type of personal data. I aim to collect and process only the special category data relevant to your mental health. On rare occasions I may need to process your data without your consent but in your best interests. This might be when I judge you, or a family member, to be at risk. When I do this, I will need justification and a legal basis for processing your data. Where the law allows me to process your data in this way, I am required to have in place the necessary ‘Appropriate Policy Document’.
Processing data in the public interest.
Occasionally, there will be the necessity to process your data in the interests of the public as a whole, for example during the Coronavirus pandemic. The public interest condition allows for such processing when it is in everybody’s best interest. However, this is a last resort and always undertaken with your privacy in mind. The law is very strict about what may be shared with third parties, and usually this information is anonymised or aggregated to ensure your identity is not revealed. This type of processing may also require supporting policy documentation.
How I might collect your data:
I collect your data in different ways that may include, but are not limited to:
10.1 When you write to me about any subject by any means;
10.2 When you enquire about my services but do not engage;
10.3 When you attend an appointment;
10.4 When you complete questionnaires;
10.5 When you access or engage with our website.
I collect personal data in order to deliver my services. The data collected is most likely in electronic format but can also be in paper form.
For your security, we use all appropriate organisational and technical security controls to safeguard your data.
I am committed to your data protection rights.
You have important rights detailed in the GDPR and the Data Protection Act 2018. Here’s a brief explanation of them:
11. Right to Object
You have the right to object to my processing or use of your personal information. But remember in some cases I am bound by law to process your data. If you have given consent for me to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent. However, please remember that if you withdraw your consent, because of the nature of my services, I will not be able to continue supporting you.
12. Right to be Forgotten
You have the right to ask me to forget you from my records. I will uphold this right unless there is a legal obligation such as a contractual agreement or it is in my legitimate interest to keep your data.
13. Right to be Informed
You have a right to be informed, to know what I am doing with your data and why. I promise to publish privacy notices wherever they may be required to clearly explain our reasons.
14. Right to Restriction
You have the right to ask me to stop processing your data for several different reasons. For example, it might be because you think the data I hold about you is incorrect. Or maybe you think I am doing something wrong. Please contact me for further details.
15. Your Right of Portability
If I hold information about you and you want me to ‘port’ it or send it to another organisation that does similar work to me or provides a similar service, you can ask me to do this. This service will be free of charge and we will endeavour to provide this service without undue delay.
16. Data retention and how long I may keep information
Whenever I collect or process your personal data, I will only keep it for as long as is necessary for the purpose for which it was collected. I keep your personal information and the record of our work together for six years. I then erase your records.
17. Right to a copy of your information and a chance to correct inaccuracies
You have the right to request a copy of any information about you that I may hold at any time to check whether it is accurate. To ask for that information, please contact me in the normal way. To protect the confidentiality of your information and your interests, I will ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, I will ask them to prove they have your permission to request such information.
18. How to complain about my processing of your data
If you feel that your data has been handled incorrectly, or you are unhappy with the way I have dealt with your query regarding the way I use your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.
If you are based outside the UK, you have the right to complain to the relevant data protection supervisory authority in your country.
If you would like to discuss any aspect of this policy or the way I process your information, please contact me by email – firstname.lastname@example.org
* Least privilege, often referred to as the principle of least privilege (PoLP), refers to the concept and practice of restricting access rights for users, accounts and computing processes to only those resources absolutely required to perform routine, authorised activities. Privilege itself refers to the authorisation to bypass certain security restraints. A ‘least privilege’ security model entails enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role. However, least privilege also applies to processes, applications, systems and devices, in that each should have only those permissions required to perform an authorised activity.