I take your privacy seriously and I am fully committed to ensuring that your privacy is protected. I hope this policy is everything you need to know about how I use and protect any information that you give me, from when you first make an enquiry, right through till after therapy and coaching comes to a completion.
Third party privacy statement
Your information does not get shared with anyone else within my private practice, as I manage my practice myself, and operate my business as an independent ''sole trader''.
From the moment you get in touch with me I will never try to obtain information about you from any third party without your knowledge and consent.
I will never share your information with any third party - unless you have explicitly told me that you would like me to, in order to help you get good support or healthcare.
I am required to have regular supervision with another specialist therapist as part of my ongoing accreditation with the British Association of Behavioural and Cognitive Psychotherapy (BABCP). I never disclose any personally identifying information about my clients within supervision.
There are only three lawful exceptions where I do not need your consent to share information to a third party: child protection, court order and risk to life. I'll explain this more - read on!
The lawful basis for processing your data
I only use information about you in ways that are legally and ethically essential for me to fulfil my role as an effective, safe and responsive CBT therapist to you.
I never keep or use your information in non-essential ways. For example: as a matter of principle, I do not have any social media linked to my website and I do not send newsletters or marketing campaigns.
Under GDPR regulations 2018, I am what is known as the 'data controller' and also the 'data processor', and I have specific responsibilities and requirements, accompanying these roles to protect your privacy.
My business is registered with the Information Commissioners Office, the UK authority for upholding data protection, (www.ico.org.uk). I am bound by their policies with regards your privacy, as well as the British Association of Behavioural and Cognitive Psychotherapy (BACBP) code of professional practice.
Disclaimer: Your role in protecting your own privacy
You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.
You therefore acknowledge and agree that you share information via the internet at your own risk.
You agree to take responsibility for your own role in safeguarding your data privacy in the email address you choose to use and whether or not you choose to password protect information you send to me.
My policy is to request that clients to take the following actions wherever possible:
To email me from an email address that does not have your full name in it
To only include your first name in any documents you send me
To password protect documents that you may send me
How do I obtain information about you?
I obtain information from:
what you choose to share with me when you first contact me via my website's contact form, or you phone or email me to make an enquiry.
what you choose to share with me - information you send me by email (and attached documents) and over the phone (text or voice message)
sessions we have together in person face to face, by phone and online (Skype, Facetime or Zoom)
your health insurance company or healthcare provider, if relevant, and with your consent
If we agree to 'go for it' in teamwork together, I will of course want to get to know you, your needs and aims and life context so we can work really well together, with a really good shared understanding!
Your privacy when you first get in touch
I'll only keep your contact information if I have the capacity to respond and be of help to you.
My website's contact form
If you get in touch via my useful contact form, you've got options to choose what information you wish to share with me.
Your information is not stored anywhere on my website platform - I've disabled that option, so your contact form goes directly through to me via email.
About your initial free phone consultation
If you make initial contact with me over the phone, or choose a free telephone consultation, you can rest assured, I do not typically ask my clients to provide sensitive information at that stage of our contact.
The purpose of your initial free telephone consultation is about the practical set up of teamwork: to find out if our schedules are mutually workable, for you to ask any questions about my approach and for me to provide you with some key information about how get the most out of your sessions.
I won't be expecting you to share sensitive information in your free consultation: a simple overview of your aims or goals is usually best in this space, unless of course, there's anything you think would be essential for me to immediately know about.
Your privacy in our teamwork together
Emailing each other
Once we've agreed on a day/time for our first therapy or coaching session together, I'll ask you for an email address to send your ''starter pack'', which has all the information you need to create an effective start. As emails from me identify me as a therapist, and I'll be sending you documents like an initial questionnaire to help us collaborate well together, please choose an email address with this in mind!
You're most welcome to bring paper copies of completed forms and questionnaires - one for each of us - if you'd prefer not to return them password protected by email.
Skype, Facetime and Zoom services have updated their privacy measures to ensure they are fully compliant with GDPR regulations 2018.
You're welcome to install Zoom as an option for online sessions, if you wish to keep our meetings entirely separate from your Skype or Facetime account.
Sessions where we meet in person
The rooms I use on a weekly basis are dedicated therapy rooms, situated within mixed office spaces, and are therefore very discreet as you will not be heading to a clinic. There are no therapy signs on the door.
I've sound tested all of the rooms that I use, and it is not possible to make out the words people are saying from outside the room - even when deliberately trying to listen in for testing purposes!
Walk and talk sessions outdoors
I will never discuss therapy matters with you in a public space. If you'd like to experience 'walk and talk sessions' outdoors, we'll use these sessions for mindfulness practise, i.e. practising being present and noticing what's around us, and/or for coaching conversations. Before we meet in an outdoor space, I'll always check in with you on the parameters of a conversation that you feel fully comfortable with.
Obtaining information from third parties
If your therapy is being funded via a health insurance company, your insurance company may provide me with information, but this would never be without your prior knowledge and consent, in accordance with your agreed contract with them. Insurance companies typically encrypt or password protect sensitive information that they share.
On occasion, with your prior knowledge and consent, I may have reason to ask to obtain information from other healthcare providers involved in your care, for example if you are working with a psychologist, psychiatrist or another therapist. This will only be to ensure I am providing the most appropriate, safe, responsive and effective therapy for your needs.
If you're working with another healthcare provider, such as a psychiatrist or psychologist, you or they may wish for me to have information about you, but this is highly unlikely to ever be without your prior knowledge and consent, because, from 25 May 2018, all organisations and businesses will be required to ensure their privacy policies are fully compliant with GDPR directives. Nevertheless, you can make sure you know your privacy rights with each party involved in your care by asking them directly about their privacy policies.
In rare and exceptional situations a family member, partner or friend may contact me, but that could only happen if you decided to share my details with them. All actions from that point would need to have you at the centre, with your full consent and you guiding appropriate therapeutic decisions at every step of the way.
I will never knowingly receive information about you that you have not given permission to be shared.
What type of information do I collect about you?
I will collect the following personal information from you if we decide to work together, because, as a registered healthcare practitioner, I would be reasonably expected to have this in case of an emergency:
Your name, contact details and date of birth
Who should be contacted in case of an emergency (GP and next of kin)
If health insurance is funding your sessions I also need your name, date of birth, address, plus your membership and authorization codes to pass security checks with your health insurance company.
Given the nature of healthcare related data, some of the information you may share with me is likely to be classified as sensitive. I'm legally required to take strong measures to protect your confidentiality with any of the following sensitive information that would be important for me to know in order to help you:
Your mental and physical health
Use of alcohol, prescribed and non prescribed drug use
Any criminal offences or alleged offences
If you choose to share any information with me about your relationship or sexual history or orientation, your family, lifestyle, employment, religion or cultural background, this is also respected as 'sensitive information'.
What do I use your information for?
I may at times need ask you about some of the above sensitive information with the specific purposes of ensuring that:
the service I provide to you is properly responsive to your specific circumstances and needs.
I make safe and effective clinical and therapeutic decisions
I respond to you in the most considerate way
we communicate openly with one another to make wise and appropriate decisions together in a teamwork approach
With regards personal and sensitive information, I don't need to have a written record of everything you share with me! In fact, I keep my own note taking in session to a strict minimum, in order to stay fully present, attentive and connected to you, as these are far more important aspects of transformative teamwork than writing notes!
I keep my note taking outside of sessions to a minimum too, and, instead encourage my clients to keep their own notes of useful ideas, insights and reflections. As they relate to you and your progress, it's much more relevant and helpful that notes are written by you and stay in your possession!
There are of course some things that I must, legally, have a written record of, if it is in direct relation to your safety or the safety others, such as emergency contact information, or information related to suicide risk, child protection, domestic abuse, or other violent crime, or should I ever need to account for my clinical decisions and/or respond to complaints.
Transparency of record keeping
Transparency is core to the way I work. Therefore it is highly unlikely that I will ever have a stored record with your personally identifying or sensitive information that you will not have already seen.
So, to be super-clear, stored records comprise of:
the emails, reports, questionnaires, forms or letters you have decided to send or ccd to me
emails, reports, questionnaires, forms or letters I have sent or ccd to you to the email address of your choice
any information you have forwarded to me from a healthcare provider or insurance company
any information that I have recieved from a healthcare provider (I will always show you if you have not already been ccd)
any information I send to an insurance company or healthcare provider (I will make sure you have a chance to read and rectify as appropriate before I send)
and, if a legal or risk issue has been identified: risk assessment and risk management plan, and my clinical supervisor's recommendations, which I will also share with you, unless it would increase a safety risk to do so.
As part of a genuinely team-oriented approach, if I think it would be helpful to write session notes on our process ("process notes"), I will write them straight into an email to you, from my iPad, during or after a session, rather than writing them by hand and then keeping them to myself. Unless of course, you would prefer me not to do this. I'll ask you as we go.
The one exception to this is if we are in the middle of a therapy process in session, where it would be disruptive for me to pull out my laptop, but might be very helpful for me to make a few quick memory jogs so I keep on point whilst we're going along. I do NOT keep more than first names with my jottings/quick scribblings of ideas (on unlikely the off chance anyone could decipher my quick hand-writing!).
Process notes are not considered the same as formal records, so I don't keep them stored with any other records. I shred all written process notes soon as our teamwork comes to a completion.
Measures I take to store your data securely
These are the measures I take to protect your data before it can be deleted or destroyed:
Storing paper information securely
I keep handwritten or printed information about you or our teamwork to an absolute minimum in order to protect your data.
I do not print or keep duplicate information wherever this can be prevented. For example, if you or your insurance company have sent me digital information via email, I do not then print it.
All handwritten or printed information that has any personally identifying information on it about my clients is kept in a securely locked filing cabinet.
Keeping electronic information securely stored
My devices are all password protected, with strong passwords that are all different from each other, and which I change at suitable intervals. I do not share my devices or passwords with anyone else.
I do not store any personally identifying information of my clients on a mobile phone, except for your first name or initials.
If you get in touch with me via Skype or Facetime, the contact details you use are stored, but I do not store any therapy related information on these platforms.
I do not record phone or Skype, Facetime or Zoom sessions. If you wish to record a session to help you remember, you're welcome to do so, as long as you acknowledge this data is then your responsibility.
If I need to electronically send a report, I send this separate to your personally identifying information or I password protect the document.
I clear my downloads related to client information on all devices when I am not actively making use of those downloads.
I do not keep your personal or sensitive information stored on any external hard drive or memory stick. While our teamwork is active, I keep electronic information stored in the following two places only:
1. On my password protected Apple laptop
All Apple and Google services are GDPR compliant with regards level of security and privacy protection.
Once our teamwork has come to an end, for the legally required seven year period, all electronic records will be archived using Google Vaults - Google for Business's secure (GDPR compliant) cloud based electronic data archive service.
Who I may need to share your information with
There may be occasions when I need to share personal or sensitive information about you with third parties, specifically, your insurance company or other health professionals involved in your care (see below). When I do so, I comply with all aspects of the Data Protection Act 1998 (DPA).
Your insurance company
If you are claiming the cost of your sessions through your insurance company, your insurance company may request details of your treatment and progress from me in order to authorise further funding for your treatment. I will share the minimum amount of information necessary with your insurance company for you to get sufficient and appropriate further funding of treatment.
Specialist healthcare providers
If there is a specialist healthcare provider, such as a consultant physician or psychiatrist, NHS mental health service, dietician or nutritionist, psychologist or other therapist involved in your care, and your treatment with them could be negatively impacted if they did not know you were working with me, I consider this very carefully.
I will always ask you for your consent before sharing any personal or sensitive information when liaising with other health professionals who may be involved in your care. I will always ask you for your consent before making appropriate referrals to other healthcare providers.
I will also check with you what information you do and do not wish for me to share. I only share sensitive information that would be of direct importance to your healthcare ie directly relevant to you getting the most appropriate treatment for your needs. I would ensure you have a copy of any email or report I send.
General Practitioners (your GP)
It is not typically necessary for me to contact a client's General Practitioner, unless you and I have concerns about the medication or treatment that a general practitioner may be prescribing you, or if your GP is the gateway to enable you to access other healthcare that you need.
If I share any information with your GP it will be in written form, in explicit consultation and collaboration with you, with the purpose of you getting better quality health care. I would ensure you have the opportunity to edit before it is sent and that you have a copy of the final draft.
Legal exceptions to obtaining your consent
There are three situations where I would be required to share your information with third parties, without your consent:
If I am required to disclose data about you, under a Court Order for me to do so.
If I am concerned about the welfare of a child, i.e., where there are child protection issues relating to potential physical, mental, sexual abuse or serious neglect
Risk to self or others Where there is an imminent risk of serious harm to yourself or harm or exploitation of others.
If you're seeking help and you are perpetrating a serious crime against someone, or you are actively suicidal, I am unable to protect your right to privacy, as I must legally take appropriate action to protect the safety of children and vulnerable adults, if I believe they, or you, are at risk of harm. In those instances, I will always follow local and national safeguarding policies and the British Association of Behavioural and Cognitive Psychotherapies (BABCP) Standards of Conduct, Performance and Ethics.
If you're worried about your safety or the safety of someone else, it is very important that you get access to the right kind of help asap. In crisis or high risk situations, it's likely to be most suitable for you to prioritise getting linked up with a therapeutic team who specialise in crisis or high risk situations. I will therefore do my best to get you linked up with the most relevant sources of help, as a sensible alternative to working with a sole practitioner like myself.
How long do I store your data?
My retention period is seven years, as this is the contractual requirement of Balens Ltd, my professional indemnity insurance company. I am bound to this requirement by contract law. It is in both our interests that I store your data for this period of time, as, according to the Limitation Act 1980, you, as my client, have six years within which to bring against me a complaint of breach of contract, breach of trust or a claim in relation to negligence.
I securely delete and/or shred all information that I collect from you after seven years.
Your Individual Rights
You have a number of rights when it comes to your personal data. Please do visit www.ico.org.uk so you can get fully informed about all of your data rights. I have listed four particularly important rights here:
Your right of access
You have a right to make a written request for the details of personal information that I hold about you. You can simply email me and I will be very happy to share the records that I have for you.
Your right to rectification
If you believe that any information I am holding on you is incorrect, incomplete or needs updating, please email me with details and I will promptly make the right changes. I will always show you any report or letter I write to a third party before I send it, and invite you to rectify it as you see fit.
Your right to portability
Any information that gets generated in our teamwork, such as questionnaires, reports or letters, you are most welcome to share with other people, as would be helpful to you. I will do my best to only keep information in a form that is easily portable for your convenience.
Your right to lodge a formal complaint
If you believe that your rights under the GDPR regulation have been infringed, or that the processing of personal data relating to you does not comply with lawful regulation, visit the Information Commissioners Office www.ico.org.uk to find out how such matters can be dealt with on your behalf. Their helpline is 0303 123 1113.
Responding to family members and concerned others:
Occasionally I get enquiries from people's family members or partners making initial enquiries that share sensitive information about their loved ones because they want to help. In these circumstances, if I have not had explicit written consent about information sharing from a potential client themselves, my policy is to not respond to such enquiries in order to ensure that I safeguard, rather than accidentally breach privacy rights, or compromise trust with a future client.
If this applies to you, and you are concerned about a loved one, I recommend that you are transparent in sharing your care and concern for them, and encourage them to contact me directly, or else their GP wherever possible. You are of course welcome to forward them a link to my website and to share my public contact details with them.
Contact me if you have any questions
If you have any questions or concerns about how your data is processed or shared, please do not hesitate to contact me by emailing firstname.lastname@example.org or on 07507 376 875.