From 25th May 2018, there are new laws around data protection. These changes come under the name of General Data Protection Regulation (GDRP) legislation and replace previous data protection legislation (i.e. the Data Protection Act 1998).  Such changes are designed to give control back to individuals, like you, over the use, storage and sharing of personal information.

​

Given these changes in law, it is important that you are aware of my own practices in relation to the information that I collect about you / your family member. To support this, it is necessary that you read this information and, if in agreement with the policy, prior to any input you sign the Information Privacy Agreement.

​

1.     What Information is collected?

 

1.1.         In order to do effective therapy, it is necessary to collect relevant background details about you, your history and different aspects of your life or in the case of your child being referred, your child and their life. This is considered to be Sensitive Personal Information (SPI) that may consist of data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or a person's sex life or sexual orientation. Under the GDPR, I am able to collect such information as:

 

a.     You have given your explicit consent for me to have information about you / your child  

b.     I am unable to provide  mental health care, treatment and/or management for you/ your child without knowledge of your / your child’s / your family’s relevant personal information

 

1.2.         To ensure that I can undertake my work, I also collect details about other personal information (such as telephone numbers, addresses, insurance/s membership etc.) This information is not shared with any other party, except to manage any perceived high risk situations (as outlined with my practice terms and conditions).

 

1.3.         I retain information about your appointment times on my password protected work mobile phone (used only by myself). Any texts sent to you regarding appointments etc. will be done so from my practice phone which is not accessible to anyone other than myself.

 

2.     How is information stored?

 

Physical Information: i.e. Session Notes / Hard Copies of Information

 

2.1.         During your / your child’s session –you will see me make session notes about important information that you are sharing. Such information, wherever possible/appropriate, will be recorded in an anonymised way, for example, by making note of initials, rather than full names. Whilst we are working together these notes are stored in a lockable filing cabinet at my home address unless being transported to/from your sessions (in a bag that remains with me or stored securely at all times).

 

2.2.         In addition to the above, I also keep a brief ‘Session Summary’ record. This provides evidence of a session’s broad focus / aims, any risk issues and any advice given. These will be stored in the same way as the session notes.

 

2.3.         Any hard copies of reports that you have supplied to me whilst working together will be returned to you or destroyed appropriately on completing our work together. Whilst in my possession they will be stored in the same manner stated for other records.

Electronic Information

​

2.4.         Any Electronic information (e.g. psychology reports, letters) is anonymised and where this is not possible / appropriate, stored as a password protected document.

 

2.5.         Any emails forwarded to or from yourself will be sent via secure email and / or anonymised if appropriate (i.e. not contain any identifying information). In situations where this is not possible / appropriate, your correspondence will be attached to an email, as a password protected document. Any passwords to aid the sharing of electronic data are to be sent separate from the original email (e.g. by text, separate email) without reference to the original document.

 

2.6.         It is requested that any documents containing personal information about you / your child / family member are forwarded to me through a secure, agreed system (e.g. secure email /password protected) or provided, as a hard copy, in person.

 

2.7.         Any documents (e.g. reports, letters) sent electronically will be deleted following them being printed out and stored with hard copies of your records. Email ‘deleted’ files will be cleared regularly.

 

2.8.         Any confidential information (e.g. reports / letters) from myself will be hand delivered, sent by recorded delivery or secure email to the agreed recipient.

 

2.9.         My practice mobile phone is password protected and not accessible to any other party. Therefore, your contact numbers will also not be accessible to a third party. This phone is used for work purposes only.

 

3.     How is information used?

 

3.1.         Session notes are used as a reminder (to myself) from session to session of what discussions have taken place, what actions have been agreed and any advice provided. As stated above, these notes are destroyed when an intervention is complete.

 

3.2.         The brief ‘Session Summary’ record, separate to the session notes, provides longer term evidence of a session’s broad focus / aims, any risk issues and any advice given. These are stored securely (i.e. in a locked filing cabinet) for a period of 5 years following the completion of our work together. Although it is rarely required, this provides me with evidence of the work completed, if needed. There is an exception for children, whose records I kept until they are 21 years old (or a minimum of 5 years, whichever is later) in case they wish to view them as an adult.

 

3.3.         I use your phone number to initiate contact with you as and when appropriate in regards to your sessions.

 

3.4.         Your information will not be passed on to any other party unless explicitly discussed and agreed with you beforehand. The only exception to this is in extreme cases where such action is necessary to ensure the safety of yourself and/or others.

 

4.     How information is kept accurate and up to date?

 

4.1.         Under the new GDPR laws, anyone handling other people’s personal information are required to ensure that information is relevant, accurate and kept up to date. This is to prevent information that may be misleading about people, being passed across services, teams etc. This is less relevant in my practice as I do not share your information with any other party (except with your agreement or in those exceptions highlighted). I do, however, rely upon yourself, to tell me when information about you / your child have changed. If this is the case, the details of any changes will be included in your session notes. As stated above, other than a brief summary of your sessions, general session notes are destroyed after we conclude working together.

 

5.     Rights to view information

​

You have a right to view the information kept on you at any time. If you wish to do this, please feel to free to ask me for copies; which I will be happy to supply, until the times I dispose of it (see 6.2).

​

6.     Requesting changes/deletion of information

 

6.1.         Under data protection law, you have the rights to request amendments be made to inaccurate information that is held about you. You also have a right to request inaccurate or irrelevant information to be deleted from your records. If you are unhappy about any of your records, please speak to me about it and we will work out a suitable way in which to ensure that your records are kept accurate and relevant.

 

6.2.         As stated in my terms and conditions (‘Expectations’ sheet) following completion of our work information all session notes (excluding a (brief) session summary outlining broad focus and any advice given), will be safely destroyed by shredding or burning to retain confidentiality. Any written reports will be kept, electronically, password protected for a five year period along with the brief session summary. After this time all records will be safely destroyed.

 

7.     Sharing of information

 

7.1.         My practice policy on the sharing of information is as stated in your Terms and Conditions (i.e. ‘Expectations’ sheet). This is a document that I ask you to sign when you first come to see me and states the following about the sharing of information:

 

a.       All details about you will remain confidential, but may be discussed in a supervisory context. This process is a professional requirement of practising clinical psychologists, bound by the same confidentiality standards as clinical practice.

 

b.       I will ask you to complete a Next of Kin (contact) sheet to provide me with contact details for use in an emergency. I will not, however, initiate any other contact with anyone on this sheet unless previously agreed with yourself. The only exception to the above is if I feel that a disclosure of specific information to relevant professional agencies (e.g. police, ambulance) is required to prevent risk to yourself or others. 

 

c.        I will not forward any copies of reports / intervention summaries etc. to any other party unless discussed and agreed with yourself (except in cases of extreme perceived risk).

 

7.2.         The exception to the above is if an insurance company funding your sessions requires additional information / feedback about a particular aspect of your intervention to make a decision regarding subsequent input. If this is required, I will inform you of this need and gain your verbal consent to provide relevant information; if you are not consenting to such action it may prevent additional funding being gained by your insurance provider.

 

7.3.         Data protection issues will be a regular item on my clinical supervision agenda. This means that I may discuss specific data protection issues within my clinical supervision to consider appropriate action.

 

8.     Data Breaches

 

8.1.         Although I take the matter of data management / protection very seriously, if there is a situation in which there is a breach of your privacy, I will notify you as soon as possible. I am also responsible for notifying the Information Commissioner’s Office (ICO) of any data breaches.

 

9.     Reporting Dissatisfaction

 

9.1.         If you are unsure or unsatisfied about any aspect of how your data is being managed within my practice, please speak with me so that we can endeavour to resolve the situation in a way that meets expectations of both parties.

 

9.2.         I am registered with the Information Commissioners Office (ICO) which is a governing body for the management and protection of personal information. If you are unsatisfied with any aspect of how your data is being managed within my practice, or you have any queries about data protection, you can contact the ICO (www.ico.org.uk).