General Data Protection Regulation
General Data Protection Regulation (GDPR) Statement
By Mic Austen, May 2018
ICO (Information Commissioner’s Office) – Registration Number: ZA397376>
The work I carry out as a therapist involves processing personal data in compliance with the General Data Protection Regulation (GDPR). The GDPR applies from 25 May 2018 when it replaces the Data Protection Act 1998.
What data do I keep and why do I need it?>
I collect the following information in order to help me provide psychological therapy to you, to receive clinical supervision and consultation, and to maintain my accounts.
Personal details may include: name, date of birth, relationships; parents, siblings, children, occupation, address, telephone numbers, email address, counselling/therapy history, medical conditions, prescribed medication, emotional & psychological issues, employment, education, and social life details.
Sensitive information: physical and mental health details, sexual life, racial or ethnic origin, religious or other beliefs, offences and alleged offences.
Name and age – this is basic information that helps me to get to know you.
Address, email address, phone number – I use this as a way of contacting you regarding your sessions. I will mainly use the method you first contacted me on or one we have agreed to but if I cannot reach you, I will try a different method as agreed. I may also have sessions with you if you request it using distance video or audio software such as VSEE or ZOOM. You need to be aware that this software has the facility to record sessions but we will not use those unless you agree to this eg you wish to replay your session back later to assist you. I will not use Skype or FaceTime for therapy sessions as they are not secure.
Next of kin/doctor’s details:
If I were to be worried that you were at risk of self harm or of harm to others, then I may need to contact your next of kin or doctor. If I can, I will tell you that I am going to do this and if possible we will discuss it and ring him/her together.
Will I share your data and if so, who with and for what purpose?:
I have regular supervision/consultation with other therapists, (psychologists, psychotherapists, counsellors) for my own professional development and the wellbeing of clients. In supervision I talk about my work but I only use your first name. I may discuss personal details in these consultations. They are also bound by the same rules of confidentiality, code of ethics, and rules of GDPR.
I will not sell on the data or or use it for unethical purposes. I may have to share it eg if my notes are subpoenaed by a court, if you or anyone you tell me about is at harm or risk of harm, I may have to pass this information eg to safeguard children or vulnerable adults. If I know you are acting illegally, eg to harm others, I am required to alert the authorities eg if you are planning a terrorist event or laundering money.
I keep brief notes of our session and they will be stored on paper in files. I do not store any session notes electronically.
In the case of my death, your name and contact details will be shared with my Therapeutic Executor. This is so you can be contacted if you are still in therapy with me.
How will I store your data?
This will depend on the data:
Session notes are written on paper and locked in a filing cabinet. Only your first name is on the session notes. No other personal identifier is on the notes.
Smart phone: your phone number and email address may be kept in my mobile phone with your first name and last initial. In distance technology software your name only and the contact email or phone number will be stored but not your address.
Address cards: your name, address, telephone number and email are kept on address cards and locked in a filing cabinet separately from the session notes.
Only I have access to your information and the phone and computer are double password protected. I do not keep any session notes on the computer. Emails can be accessed via my computer and mobile phone but both are password protected twice.
How long will I keep your data and how will I dispose of it?
I am required by my accrediting body (UKCP) to keep your session notes for 7 years in a secure locked setting. I will shred or burn your session notes after this 7 year period has expired. I will delete your phone number from my mobile phone contacts six months after our work finishes and shred the card with your name, address and contact details on also after six months after our work ends.
You Have the Following Rights:
To be informed of what information I hold (this document):
To see the information that I hold about you (free of charge for the initial request);
To rectify/correct any inaccurate or incomplete personal information;
To withdraw consent for me to hold your personal information. Note that I would not in such circumstances be able to continue the provision of therapy/supervision.
To request that your personal information be erased/deleted/shredded. Again, if I am unable to keep any personal information about you, I would not be able to provide therapy. As such, I can decline if the information is needed for me to practice lawfully & competently, or if there is an adverse reason (such as a complaint or legal reason.
Continuation of therapy with me will be understood as acceptance of these terms.
Dated as per above