What personal data do you process and why?
When you supply your personal details to me they are stored and processed for the reasons listed below:
I need to collect your name, address, phone number, GP details, insurance company details and date of birth, so that I can identify you and contact you occasionally in order to confirm, change or cancel appointments with me or to send you something directly related to our session or update you on matters related directly to your healthcare. I need to know your GP in case I need to contact them if there is a risk to you. I collect personal information about your health, emotional well-being, life history and current circumstances in order to provide you with the best possible treatment and manage any risks.
Your requesting treatment and my agreement to provide that care constitutes a ‘contract’ (this is the relevant term used in law). You can, of course, refuse to provide the information, but if you were to do that I would not be able to provide treatment as I would be unable to do my job professionally and safely.
According to my professional liability insurers, any insurance claim needs to be made within 6 years for an adult, or 6 years after someone turns 18 if they are a child. My assessment and the notes of our sessions would be part of this process.
How long will you keep my data?
Because of the above reasons I will keep your records for a minimum of 6 years after your most recent appointment (or age 25, if this is longer, 26 if you are currently 17), but after this period, you can ask me to delete your records if you wish. Otherwise, I will keep your records for 20 years in order that I can provide you with the best possible care should you need to see me again. If we only conducted an assessment and not treatment I will delete your records after 6 years. Records will be destroyed under confidential conditions.
How will my data be stored?
- Your assessment and treatment records are stored on paper, in locked filing cabinets at my home.
- Your name, address, phone number, GP details, insurance company details and date of birth are also stored on paper and kept locked separately in another filing box.
- A copy of your name, address, phone number, GP details, insurance company details and date of birth, will be kept electronically, on a password-protected memory stick, in case the paper records are destroyed by fire.
- My computer is password-protected and backed up regularly on a separate device which is also password-protected.
- Any letters or reports related to your care are stored on my computer, which is password-protected. If I need to send this information to a third party (see below for more on third parties), it will be password-protected or sent in the post marked 'private and confidential'.
- My mobile phone is password-protected.
Who will have access to my data?
I will never share your data with anyone who does not need access (outside of supervision) without your explicit consent, unless I believe that you or someone else is at risk of serious harm at that point. As discussed with you at your assessment and as set out in my terms and conditions, I am legally obliged to share information which helps to protect you or a third party from harm. Examples of third parties would include a psychiatrist, your GP, a parent if you are under 16, social services, the insurance company funding your treatment or the police. I would also have to produce your notes and personal details if I was required to do so by a court of law. Before communicating with any insurance provider, I will ensure they have given me their assurance that they also have policies to take care of your personal data.
No personal data is ever collected within my website and my contact page does not record your information and does not use any form of tracking or logging to identify you. Any contact made via the website is sent directly to me using industry-standard secured email systems and is only accessed by me. Other than email communications I do not store your notes or medical data online. My web and email services are both hosted in the UK via a single trusted source, the administrator of which does not review, analyse, record or store any data at any time. For ultimate privacy, you may prefer to relay particularly sensitive information to me in person at our session rather than via email.
Administrative staff at Wellspring Clinic will have access to your name only for the purposes of booking a room. They will have no access to medical notes. I will use your first name in my supervision sessions when I discuss our work and, as you will be aware from my terms and conditions, my supervisors are governed by the same rules of confidentiality as me.
In the event of my sudden death, my supervisor would be provided with your notes and personal details and may contact you to inform you and discuss finding alternative support. Should this happen, they will ensure that they treat your information with respect and they are governed by the same rules of confidentiality as me.
What access do I have to the data you hold about me?
You have the right to see what personal data of yours I hold, and you can also ask me to correct any factual errors. Provided the minimum period of 6 years has elapsed, you can also ask me to erase your records. If at any point you would like access to the information I hold about you, please let me know and I will provide you with it within 30 days.
GDPR Compliance (General Data Protection Regulation, 25 May 2018)
You can be absolutely confident that your personal data is handled appropriately and that any processing of that information is done in strict accordance with GDPR guidelines (just as I did before the GDPR was implemented).
How do I make a complaint about my data being mishandled?
Of course, if you feel that I am mishandling your personal data in any way, you have the right to question or complain. Please address any issues directly to what is referred to in the jargon as the “Data Controller”, which in this case is me. Please use my details from the Contact page.
If you are not satisfied with my response, then you have the right to raise the matter with the ICO (Information Commissioner’s Office).