GDPR & Confidentiality

General Data Protection Regulation (GDPR) is concerned with the personal information about you that I collect, store and share. GDPR is a law which ensures that everyone can feel safe and knowledgeable about how others use information they hold. As a clinical psychologist I am also required to demonstrate that I uphold stringent rules on how I collect, store and use other people’s data. These rules are overseen by the UK supervisory authority for data protection issues, the Information Commissioner’s Office (ICO).

I am happy to discuss my GDPR policy with you at any point. I provide these details on how your information is looked after, so that you may feel confident about this.

Personal information I will collect from my website email contact form:

  •  Your name

  •  Your email address

  •  The initial message you chose to leave

Personal information I may collect about you from our initial telephone contact and then through the course of therapeutic treatment:

  • name

  • email

  • phone number

  • date of birth

  • home address

  • Doctor’s (General Practitioner) name and contact details

  • medical conditions

  • prescribed medication

  • previous experience of mental health treatment / diagnosis

  • the nature of the difficulties you experience

  • occupation and education

  • gender or identity

  • religion, ethnicity, country of birth

  • sexuality

  • Relationships and family (past and present)

How will I store your personal information:

Paper – written notes will, on the same day, be scanned by me and transferred to electronic storage with two-factor identification and encryption. The paper copy will then be shredded.

Mobile phone – I may store within my work phone your contact telephone number for the duration of your treatment along with any text messages we exchange. This will be deleted from my phone within a week of your final session.

Email – your email address and email correspondence will be stored securely in my email account (Gmail). At the end of treatment these are transferred to my electronic storage with the session notes, and the emails and address are deleted.

Website – no personal information about you is stored on my website. Enquiries made are automatically sent through the contact form to my email account.

How I will use your personal information

Your personal information will only be used when legally permitted. The most common use of personal data is to provide the service agreed with me. Occasionally I need to comply with a legal or regulatory obligation such as to provide data on my activity, i.e. number of clients and sessions, but not specific details on the content of those sessions or any personal identifying detail.

How I process or share your personal information

Your contact details and personal information will never be shared with outside parties apart from the exemptions below:

  1. Supervision

    In compliance with my training and accrediting organisations, the Health & Care Professions Council (HCPC) and the British Psychological Society (BPS), I am required to have monthly supervision with an accredited therapeutic supervisor, who is also a clinical psychologist and with whom I have a professional supervisor contract. Although aspects of your case may be discussed, your full name and contact details will not be revealed. My professional supervisor is bound by the same confidentiality and GDPR policies.

  2. Breaking confidentiality

    If I believe that your or another person’s safety is at significant and current risk I may contact the suitable authority without your permission. This may include your Doctor, and/or the emergency services or the mental health crisis team.

    I am also required by law to pass on information relating to acts of terrorism and any current abuse or risks of abuse to a minor or vulnerable adult. 

    These situations are very rare and in all cases, unless entirely inappropriate to do so (such as when it would increase the risk by doing so), I would make you aware first that this was my intent.

Erasing your information

All personal information I hold (detailed above) is held for 10 years after the last contact.  This is a legal requirement to satisfy any accounting, professional body or reporting requirement.  After this time all data is deleted completely. 

Your rights under data protection law:

  • To be informed of what information I hold about you

  • To see information I hold about you, free of charge

  • To rectify any inaccurate or incomplete personal information

  • To withdraw consent to me using your personal information

  • To request that some or all of your personal information be erased – though I can decline this request if some of that information is needed for me to practise lawfully and competently.

  • To request restriction of processing your personal information

  • To request transfer of your personal information

You can see more about these rights here.

If you wish to exercise any of these rights then please email me at: louise@drltarranttherapy.co.uk

You will not have to pay a fee to access your personal data or to exercise any of the rights listed.  However, I may charge a reasonable fee for my time processing your request if your reasons to do so are clearly unfounded, repetitive or excessive.  Alternatively, I may refuse to comply with your request in these circumstances and I will provide reasons for this.  

I will need to request specific information from you to confirm your identity and ensure your right to access your personal information (or exercise your rights).  This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. 

I will respond to all legitimate requests within 21 days.

International transfers of data:

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal information, so European law has prohibited transfers of personal information outside of the EEA unless the transfer meets certain criteria.

Whenever I transfer your personal information (such as within online storage systems) out of the EEA I first ensure that the required degree of security is provided by one of the following safeguards:

1)      Only transferring your personal information to storage systems held by countries that have been deemed to provide the required level of protection for personal information by the European Commission

2)      Where using certain providers, using specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give your personal information the same protections it has in Europe

3)      Where using providers based in the United States, only transferring information to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to the personal information shared between Europe and the US.

Data security

I have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition I have limited access to your personal information to just myself and the holder of my therapeutic will instructions. 

A therapeutic will is required within my profession and involves giving one person the basic minimum information to enable contacting you in the event of my unexpected death or very serious illness.  The holder of my therapeutic will instructions is also my therapeutic supervisor, a clinical psychologist, who is held to the same legal and professional standards as myself. 

An accountant also has very limited access to personally unidentifiable data, where only time frames of therapy and number of sessions are given and these are allocated to a pre-assigned index number rather than your name or any other identifying data.