- Why I need to collect personal data about you
I collect information about you in order to provide you with psychological assessment and treatment and because it supports the provision of a safe and professional service. It is therefore in my legitimate interest as a Clinical Psychologists to collect your personal data, to enable me to get in contact with you and hold information such as your name, address, date or birth and registered GP. I also collect sensitive ‘special category’ data (such as details about psychological difficulty). The lawful reason for doing so is that it is necessary for the provision of safe and professional treatment (psychological therapy), and therefore has a contractual basis – you have asked me to provide psychological assessment and treatment and in order to do so I need to understand about the nature of your psychological difficulties. You do not have to agree to share information with me, however, in many cases I may not be able to offer you a service if you do not.
- What personal information I collect and when
When you get in touch, you will be asked for some basic personal information such as your name, date of birth, address, and contact details (often email address and telephone number) as well as information about the difficulties you are seeking support for.
If you are being referred by a third party such as your GP, Psychiatrist or your medical insurer, they might provide us with information like this on your behalf.
When you start to receive a therapeutic service from us the information you share during sessions will be recorded in session notes.
All of this information will be kept together in your personal records – see section 3 below for information on how this data is stored.
The information I collect about you will be used to offer you the best possible service and to comply with legal requirements. It will not be shared with third parties unless there is a legal requirement to do so or it is in your best interest (see section 6 for more information about this).
- How I use your personal information
I use the information you provide to:
- Respond to your enquiries
- Communicate with you about appointments
- Offer you high quality therapeutic interventions and treatment packages
- Comply with the law
- To create invoices
- To keep accurate payment / accounting records
I use the information collected in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Dr Cyra Neave is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.
- How I store the information I collect about you
Your personal information is stored as detailed below.
4.1. On our personal computers
We use personal computers which are password protected and the hard drives are encrypted. Passwords are changed regularly and it is our policy that passwords are not shared. Your information is stored on cloud storage and not on the hard drive of the computer in accordance with GDPR regulations.
4.2 As a paper copy
During our initial assessment, we ask you to complete a paper registration form and to sign a copy of our terms and conditions. We take hand written notes during both assessment and treatment sessions, which we store in your personal file. These notes are used to create assessment and discharge reports when requested.
We store your personal file in a locked filing cabinet.
- Accuracy and retention of personal information
Dr Cyra Neave makes every effort to keep your personal information accurate, complete, and up to date. If any of your information changes please let us know so that we can update our records.
The data Protection Act (1988) states that personal data processed for an purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. This means that we will not keep personal data for longer than is necessary or required by law. The recommended period for retention of child mental health personal data is until the child’s 25th birthday. When we destroy records we shred paper records and delete any files.
- Sharing of information
Information you share remains confidential, except for the following situations:
- If you feel it would be helpful, with your consent, I will send reports or treatment summaries to other health care professionals involved in your care. All reports that are sent electronically are sent as attachments that are encrypted and password protected.
- Medical health insurance companies need to know information such as the dates of our sessions in order for me to invoice them. They may also request a summary of the difficulties or progress made in order to decide whether they will fund treatment. I will discuss with you the information which will be included in such reports. You can request that I do not share information in this way, but that may mean your insurance company may refuse to fund the treatment.
We are legally and ethically obliged to share information in the following situations:
- If there are concerns about your child’s safety or the safety of someone else I may need to share information with the relevant agencies such as your GP or social care. I will always aim to discuss this with you first unless in an emergency situation such as the child being in immediate danger.
- If asked by a solicitor for copies of any of your documentation, I will discuss with you what is helpful to share but may be legally obliged to share some information.
- Use of e-mail and messaging services
As part of providing our service to you it may be helpful to communicate via e-mail or messages, for example if you need to arrange or change an appointment. To ensure e-mail correspondence is as safe as possible, please reply to an e mail I have sent you (from email@example.com).
When communicating via mobile phone, I prefer to use an end-to-end encrypted messaging service (such as Whatsapp). If you are not able to use such a service we may use SMS (text messages); however, this does increase the risk of someone intercepting the message. If you prefer not to communicate via e-mail or text, please let me know.
- Access to your personal information
You are entitled to access the information stored about you at any time. If you would like access please make the request in writing to the Data Protection Officer Dr Cyra Neave and I will endeavour to respond within 30 days.
I may require additional verification of your identity in order to process this request. I will also consider whether providing the personal information requested may violate your vital interests and have the right to, where absolutely necessary, withhold such personal information to the extent permitted by law.
- Your additional rights
You may also have the right to:
- To rectify any inaccurate or incomplete personal information
- To restrict the processing of your personal data under certain circumstances
- To object to the processing we carry out if the processing is carried out on a legal basis other than that outlined in this policy
- To request your personal information be erased under certain circumstances or when our processing no longer has a lawful basis (we would discuss whether this right can over-ride the requirement to retain data).
- 1 Questions about privacy and contacting the data controller
If you have any questions or concerns about this Privacy Notice or how I process your information or you would like to make a complaint about a possible data breach please contact Dr Cyra Neave on:
Telephone: 07393 912 747
Email address: firstname.lastname@example.org
I take data security extremely seriously and all such communications are examined and replies issued where appropriate as soon as possible. In the majority of cases, I would expect to be able to respond to any questions or comments about how we collect and use your personal data sufficiently to satisfy any concerns you may have. However, if you remain dissatisfied after speaking to us, you may make a complaint to the Information Commissioner’s Office (ICO). You can contact the ICO online, (www.ico.org.uk); or by telephone (0303 123 1113). You can also write to them at: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Version 1, May 2018