Your confidentiality and privacy are very important to me. As a registered member of the British Association for Counselling and Psychotherapy (BACP), I abide by their standards and ethical requirements which include strict guidance on the requirements of confidentiality.
What sort of data do you hold?
I keep client data you provide so that I can work safely and professionally following the BACP Ethical Framework. The therapy client data that I hold may include:
How will you store personal data?
I will store your personal information electronically and physically. Your personal data is stored electronically on devices that are password and fingerprint protected, and in files that are also password protected. I store client names and contact details separately from other personal information, which I keep in an anonymised format. My paper records of clients are held in locked storage in an anonymised format. These records can only be accessed by me.
The only exception to this is under the terms of my clinical will, which I have in place for the protection of my clients in the event of my incapacity or sudden death. Under those circumstances only, the executors of my will can access the contact data I hold, in order to inform all of my clients, and to ensure that all records from my practice are subsequently destroyed. My executor will not read any clinical records.
How long will data be stored?
The GDPR requires that personal information should be stored for no longer than is necessary. I am required to store your information for a minimum of 7 years following the end of our sessions. However, there may be situations when I need to store your information for longer, for instance to comply with my insurance terms and conditions.
Under what circumstances might you share my personal data?
Some of your personal information may be shared with your GP, or other healthcare professional, under certain exceptional circumstances. These include the requirements of a court of law or the threat of serious physical harm to you or to others.
In less urgent circumstances I will discuss with you if I feel it is beneficial to contact your GP and will endeavour to obtain your permission. It may be relevant to share certain medical information when:
Is there anyone else you discuss my details with?
I have regular consultations with my professional supervisor, to support my work. But they do not have access to any identifying information relating to you, except a first name.
Are there any other types of information you store on me?
I write brief, handwritten sessional notes. These are stored in a secure cabinet. They are stored under a pseudonym and I take care that they are kept separate from your full contact details. My notes are kept securely. They are not detailed but do include dates and times of your attendance and important themes discussed during each session. I may destroy all or part of any notes I do not consider necessary to retain.
What about financial data?
I am required by law to retain certain financial information, primarily for tax purposes, and as advised by HMRC will retain this information for seven years. Any bank statements showing identifiable details about you are kept in a locked filing cabinet. If a statement needs to be submitted for tax reasons I block out any identifiable details. When payment is made via BACS your account name (or the name of the person who is paying) and any reference used may show up on my online or paper bank statements, which I keep in a secure place. Please discuss alternative payment options with me if this is not comfortable for you.
What about online security?
I take appropriate security measures to keep your data confidential and to prevent unauthorised access or disclosure. In some cases, the data may be accessible to external parties whom I have appointed, such as web host providers, IT companies or a legal firm. When appointed by me, they are known as data processors, and a list of these parties can be requested from me at any time.
My phone is passcode protected and my email accounts are protected with two-factor authentication. Any emails that I consider necessary to keep are held securely, but I cannot be held responsible for any messages or emails you send to me where a third-party provider holds the responsibility for the data.
Some of your personal information such as website visits, telephone call data, or payment information, is shared with the website provider, mobile phone operator, or card payment provider respectively. These providers operate under their own privacy policies.
Analytics allow me to track the traffic to my website. The information generated by the cookies regarding your use of this website (including your IP address) is transferred to, processed and stored on third-party servers.
Can I see what information you hold on me?
You can request to see any personal information that I store about you by requesting a copy of it. I will respond to your request promptly, within a month at the latest. You can also request that your information be deleted. This should be done in writing. I will comply if I can, but I may need to retain some information to comply with insurance terms or in a claims situation.
I hope that the policy outlined above will reassure you about the security of your personal information, but should you have any concerns about how your personal information is being handled, please let me know and I will do my best to address your concerns and try to resolve the matter.
Any more questions?
If you have any questions regarding how your personal data is used, please contact me, Emma Fogden, as the Data Controller at firstname.lastname@example.org