- Necessary to provide services set out in our contract: when you become our patient/client a contract is formed between us. The service we provide to you necessarily entails you providing us with some personal information.
- In our or a third party's legitimate interests: We may process information on the basis that there is a legitimate interest, either to you or to us, in doing so. For example, we may process your data for record keeping for the proper and necessary administration of the business, or for protecting and asserting your rights, our rights, or the rights of any third party. Where we process your information on this basis, we do so after having given careful consideration to whether we could have achieved the same objective by other means, whether processing (or not processing) might cause you harm, whether you would expect us to process your data, and whether you would consider it reasonable for us to do so. Additionally, we may use information and data you provide for analysis, research or screening purposes, for example to help us understand the performance of the services we provide. If we use the information for this purpose, you as an individual will not be personally identifiable.
- Required or allowed by law: Sometimes we must process your information in order to comply with a statutory obligation. For example, we might be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. This may include your personal data.
- Standard personal information: this includes your name, gender (or preferred identity), address, date of birth, email address, phone numbers, the name and policy number of any health insurance policy.
- Special category information: this includes information about your mental and/or physical health, prescribed medication, psychological history and current difficulties, and sexuality. I may collect some of this information from your insurance company or referrer, if you have one, and some of this information will be collected directly from you. We will ask for your consent to share information with your GP, and seek consent for us to occasionally communicate via email or text, for example when arranging appointments. When you are a patient we record all details of your appointments and assessment/treatment so we can plan and review your treatment appropriately. At the end of therapy we will ask you to complete a service evaluation form that we use to evaluate and improve our clinical practice. This is anonymous. We will ask you whether you consent to us sharing any comments on our website as anonymous testimonials.
We take your privacy very seriously and make best efforts to ensure its security. All personal information and special category information is stored in compliance with the EU General Data Protection Regulation (GDPR). Clinical records are kept in secure cloud-based practice management software designed for healthcare professionals, which uses two-factor authentication for login and encrypted data replication to keep information safe. Electronic information is stored on encrypted devices. We use an encrypted email system (ProtonMail); nonetheless, I would recommend that you do not send us sensitive information via email, as we cannot guarantee its confidentiality.
The Data Protection Act (1988) states that personal data processed for any purpose or purposes should not be kept for longer than is necessary for that purpose or those purposes. This means I will not store or keep personal data for longer than is necessary or required by law.
Personal data will need to be retained for longer in some cases than in others. A decision on how long personal data will be retained will be based on individual needs. A judgement will be made about:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information;
- the ease or difficulty of making sure it remains accurate and up to date.
The minimum recommended period for retention of adult mental health personal data is seven years.
- Right of access: the right to make a written request for details of your personal information and a copy of that information.
- Right to rectification: the right to have inaccurate information about you corrected or removed.
- Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased.
- Right to restriction of processing: the right to request that your personal information is only used for restricted purposes.
- Right to object: the right to object to processing of your personal information based on legitimate interests.
- Right to data portability: the right to ask for personal information you have made available to us to be transferred to you or a third party in machine-readable formats.
- Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which affects you, unless it is necessary for entering a contract with you, or you have given your explicit consent.