In line with the General Data Protection Regulation (GDPR) which came into effect on 25th May 2018 and as a professional registered with the Information Commissioner’s Office (ICO), I am required to inform you about the use and protection of your personal data. This document outlines the information I keep, how and why I keep it and what I do with it. It also outlines your rights under GDPR.
What information do I hold about you?
The contact details you have given me. This usually consists of your name, phone number and email address. I may also have your date of birth and GP’s details.
A handwritten record of what you tell me at our first meeting and brief on-going session notes.
I use a paper diary to keep track of session times and any instances when you might be away. You are identified in this diary by your initials.
Copies of any letters/emails exchanged with third parties that form part of your case records.
What is the lawful basis for me keeping this information?
The lawful basis of my collecting and storing your personal data is under contract law and the GDPR. I keep information you might reasonably expect me to keep in order to provide you with the service that we have contracted for.
What do I do with the information you have given me?
I use it to contact you and to keep a record of the work we do together so that I can ensure proper clinical oversight.
How do I store your information?
Your personal details are kept on paper in a locked safe in my office. Your clinical notes are identified by your initials and kept separately from your personal details in a locked filing cabinet in my office.
Your email address and any emails we exchange in the course of our work are stored on my computer, which is password and fingerprint protected. Emails are vulnerable to human error and viruses. As emails are also retained on internet provider logs, they are not 100% confidential. Best practice is to only use email for non-confidential communication, such as arranging appointments.
I have a ‘Professional Will’ held securely on OneDrive. This has your name, phone number and the day and time of our sessions.
What third parties might be given identifying data about you?
There are circumstances when I might need to talk or write to other professionals about our work. I would normally seek to discuss this with you first. For instance, if I was worried that you were at risk of self-harm, I might need to contact your GP. I would tell you if I was going to do this unless it was impossible to do so.
I discuss, or consult about, my client work with my clinical supervisor and my peer supervision group. This is to support my work with clients. I do not share names or other identifying details.
In the event of my illness or death or being suddenly unable to continue our work, one of my peer supervisees would obtain your information from my Professional Will. In this instance they could contact you and assist you to make arrangements for ongoing support. I will not otherwise share any of your details or records with any other third party without your permission, unless ordered to do so by a court of law.
How long do I keep your data?
Your name and phone number are removed from the Professional Will when our work ends.
Two months after our work ends I will delete all our emails from my computer.
All other records relating to you are destroyed six years after the end of our work. This is the requirement of my professional insurance.
My paper diaries are kept and then destroyed after six years, in line with tax regulations.
What rights do you have concerning your data?
You have the right to request a copy of any data I hold on you (called a SAR, a Subject Access Request). If you wish to see your records or any session notes, please ask at any time. You also have a number of other rights, including the right to object to my keeping data about you. More information can be obtained by contacting the ICO: https://ico.org.uk