Therapy Client Data GDPR Policy

Therapy client data GDPR: for new and current therapy clients (updated 2nd January 2020).

Therapy client data GDPR: As from 25th May 2018, under the General Data Protection Regulations (GDPR) I (Nadiya Hussain, Counsellor and Psychotherapist) am required by law to inform you (as my current therapy client, or potential therapy client) about how I process and keep safe the data I hold that pertains to you. 

I am also required to gain your explicit consent to my holding and processing your data in certain ways (which are detailed below). 

As an Integrative Counsellor and Psychotherapist, I take confidentiality and privacy seriously and am bound by a code of ethics.

If you are my current therapy client, or are about to become my therapy client, here’s what you need to do:

 

Please read and sign your “Counselling Contract” to indicate your consent for me to hold and process your data as stated below.

 

If you do not wish to give your consent, you have the option to discuss with me, and it may be possible to create a bespoke agreement between us.

You have the right to withdraw your consent at any time. We would need to discuss what this might mean in practice, with the primary aim being to keep you safe. However, there may be certain situations that require certain information to be retained, and I may need to seek legal advice in this case.

What therapy client data GDPR is held about you?

I keep certain data so that I can work safely and professionally with you, in line with the guidelines of the BACP.

The therapy client data GDPR I hold may include:

  1. Your name, address, phone number and email address

  2. An emergency contact’s name and phone number

  3. Your GP name and contact details

  4. Relevant medical information

  5. Session notes

  6. Payment information

  7. My emails to you, and yours to me

  8. Invoices

 

You have the right to know what therapy client data GDPR I hold, why I hold it, and for how long I hold it.

 

You also have the right to view it, and to ask for changes to be made.

When sensitive data is to be destroyed, it is shredded.

If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible.

How, why, and for how long is your data held?

To try and make things as clear as I can, I’ve divided this into ten sections. You’ll need to consider each section individually, and if you consent to all of these, you can sign the counselling contract with me. If there are some that you do not consent to, I will amend your counselling contract to reflect this, just let me know.

1. Your name, phone number, email address and address

 

How I keep this data

I keep your name, phone number, email address and address are stored in my secure docusign account and in a secure One-Drive Account 

 

I keep your phone number in my mobile phone under an identifying code, not your name. My phone is locked with a passcode when I am not using it. Your email address is held in my outlook account, which is password protected. Neither my computer nor my phone are shared with anyone else, unless it is required by a technician for maintenance.

 

Clinical will statement: In the event of my death or sudden illness that means I am unable to contact you; I have appointed a Therapeutic Executor who will take care of contacting you on my behalf. They will only access your contact details in an emergency and discuss with you appropriate onward arrangements.

Why I keep this data

This is required by my professional liability insurer and by my professional organisations (BACP). This is also needed in case I have to contact you (for example for rescheduling sessions or sending an invoice).

 

How long I keep this data

I will keep this data for 5 years. After that time it is destroyed.

 

In the event of my death or sudden illness, my Therapeutic Executor will destroy the data. 

 

Who sees the data

Myself.  

My Therapeutic Executor will see your name and contact details in the event of my death or sudden illness. In the event of my sudden death or serious incapacity, the Professional Executor Service (www.professionalexecutors.co.uk; professionalexecutorsuk@gmail.com), will contact you, my client, and support you based on my express wishes and instructions. The Professional Executor Service does not offer coaching, counselling or psychotherapy. 

2. Emergency contact’s name and phone number

 

How I keep this data

I keep this data in my secure Docusign account and in a secure One-Drive Account.   

 

Why I keep this data

 It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you. You and I may agree together on some other reason that I might contact this person, based on your best welfare.

 

How long I keep this data

This data will be deleted after 5 years.

In the event of my death or sudden illness, my Therapeutic Executor will destroy the data. 

Who sees the data?

Myself.

Therapeutic Executor (only in the event of my death or sudden illness) 

3. Your GP name and contact details

 

How I keep this data

I keep this data in my secure docusign account and on a secure One-Drive Account.

 

Why I keep this data

You and I may agree together on some reason that I might contact your GP, based on your best welfare, for example discussing diagnosis, treatment plan or safety procedures.

 

How long I keep this data

This data will be deleted after 5 years.

In the event of my death or sudden illness, my Therapeutic Executor will destroy the data. 

 

Who sees the data

Myself.

Therapeutic Executor (only in the event of my death or sudden illness) 

4. Relevant medical information

 

How I keep this data

I keep this data in my secure Docusign account and in a secure One-Drive Account 

 

Why I keep this data

It may be relevant to share certain medical information when:

(a) Your mental health history, diagnoses etc may inform my treatment plan to make it more appropriate for you or in case of referral to someone who can better support you

(b) There is any risk that health conditions such as seizures, diabetes, etc may impact a session

(c) Your medications may affect our work

(d) You have any allergies that I should be aware of in order to keep you safe

 

How long I keep this data

After 5 years, I delete the data

In the event of my death or sudden illness, my Therapeutic Executor will destroy the data. 

 

Who sees the data

Only myself.

Therapeutic Executor (only in the event of my death or sudden illness) 

5. Session notes

 

Notes may include dates and times of attendance, and brief notes on important themes from the session. I do not keep detailed session notes. I keep a ‘clear desk’ policy, which means that session notes and other information are not left unattended.

 

How I keep this data

I keep brief session notes that are password protected in a secure One-Drive Account 

 

Why I keep this data

Brief notes may remind me of important points I want to be sure to remember to discuss in our next session, and/or in supervision.

 

How long I keep this data

I will keep this for 5 years, then it will be deleted.

In the event of my death or sudden illness, my Therapeutic Executor will destroy the data. 

 

Who sees the data

Only myself.

Therapeutic Executor (only in the event of my death or sudden illness) 

6. Payment information

 

How I keep this data

A record of your payments are kept on password-protected financial software called Quickbooks. This software will also contain invoices and record payments under your name.

 

Why I keep this data

As a small business owner, I am required by law to retain certain financial information, primarily for tax purposes.

 

How long I keep this data

I keep financial information for 7 years as advised by HMRC.

 

Who sees the data

Payment by bank transfer will be processed by my bank, and your account name may be visible on my bank statements and appear in my Quickbooks account.

 

Banking transactions may be viewed by employees of the bank, my accountant, my financial advisor, and tax officers (HMRC).

 

When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.

 

7. Your emails and texts

 

How I keep this data

I may delete emails after I have noted the contents (for example, emails around scheduling). Any emails that I consider it necessary to keep are retained in my email account. 

 

If you would like to communicate via text, please be aware that most text services are not secure so I do not advise that you send me any sensitive data via text.

 

Please note that normal texts, and using related applications for texting such as WhatsApp and Messenger, are not recommended due to confidentiality and privacy issues. I may use these for scheduling purposes, but never to send or receive sensitive information.

 

Why I keep this data

I may keep emails if I consider it clinically necessary.

 

How long I keep this data

I will delete emails when our work ends.

 

Who sees the data

Only myself.

 8. Invoices

 

How I keep this data

I create invoices on Quickbooks, and then send them to you directly via Quickbooks.

 

Why I keep this data

I keep invoices for HMRC Tax purposes.

 

How long I keep this data

I will delete invoices after a year.

 

Who sees the data

Only myself.

Please sign and date your “Counselling Contract” if you agree to your information being used in this way.  

 

If you have any other questions regarding how your therapy client data GDPR is processed and handled, please do not hesitate to discuss with me.

This document regarding therapy client data GDPR is subject to regular review and will be updated as I see fit.

 

Nadiya Hussain, Counsellor and Psychotherapist