GDPR Statement and Privacy Policy

The May 2018 law on General Data Protection Regulation, or GDPR, ensures that organisations look after your personal data responsibly. To reflect these changes and new obligations, I am now publishing my privacy policy online as well as asking my clients to sign a paper copy. This tells you how I keep and use clients’ personal data and summarises your rights under the law.

Privacy statement
I will never use your personal data to contact you for any other purpose than for the practical requirements of your therapy, unless you have asked me to do otherwise. I do not ‘hold’ or use mailing lists and I will never use clients’ data to market myself or any of my services. I will never share clients’ data to other parties for marketing purposes, or similar.
As a ‘data controller’, the General Data Protection Regulation (GDPR) is concerned with the personal information about you that I collect, store, and share, as below:

What I collect (from you)
I collect the information you give me on your registration form, i.e:
Name
Address
Telephone number/s (plus permission to text or not)
Email address
Gender (or preferred identity)
Age
Relationship status
Progeny
Occupation
Brief therapy history
GP’s name/address
Relevant medical conditions
Prescribed medication/s
A note of your current difficulties and therapy objectives

What I store where
Smartphone:
I will store your contact information under an alpha numeric code rather than your name. This allows me to contact you in emergencies, but your identity code is meaningless to outsiders. Your emails, telephone contact history and texts may be stored here should we exchange messages in this way. My smartphone is password protected with fingerprint ID.

Computer:
The registration form that you completed and sent to me before starting therapy is stored in a bespoke client area on my PC, which is password protected. Your email address and correspondence will be stored in my “rachel@therapyonthames.co.uk” email account.

Website:
None of your personal information is stored on my website, other than to momentarily collect and send it to my Email account if you use the ‘Contact Me’ facility.

Paper:
Our signed & dated Therapy Agreement
Your self-completed Registration Form
The Assessment or first session notes (that I handwrite with your permission during our meeting)
Brief handwritten Session Notes
Our signed GDPR Agreement (i.e. a printed copy of this document)

What I may share
All your personal information and everything you say is treated in the strictest confidence. I will never share your data or personal information with anyone else or with any other body apart from the following therapy-standard exceptions:
Clinical Supervision
Like all registered psychotherapists in the UK, I am required to have monthly clinical supervision to support best practice, during which time some client material is discussed, on an anonymous and confidential basis.
By Order of Law
If I am ordered by a court of law to share any of the information I hold about you, I will share only the minimum detail required and only after discussion with you wherever possible.
Suicidal Intent
If I believe there is a significant risk of you causing serious harm to yourself or another person, or of taking your own life, I may share your contact information and brief mental health details with your doctor or relevant emergency service. I will attempt to discuss this with you first whenever possible.
Terrorism and Money Laundering
If I have become aware of your intent to commit an act of terrorism, or money laundering, the law may require that I inform an authority without seeking your permission or your knowledge.

Erasing your information
I will securely hold your written and electronic information for up to seven years after we cease working together, in case you return to therapy at a later date, (which is a common occurrence). After this time has passed, I will shred all written information and delete all electronic records.

Your rights
Under the 2018 law you have the following rights:
To be informed what information I hold (this document fulfils that requirement).
To see the information I hold about you, following a written request, (and I have the right to have up to 30 days to fulfil this request).
To rectify any inaccurate or incomplete personal information.
To withdraw consent to me using your personal information (although it is likely I would then consider that we would be unable to continue to work together).
To request your personal information be erased (although I have the right to decline whilst the information is needed for me to practice lawfully & competently).