General Data Protection Regulation (GDPR) Compliance
GDPR – Privacy Notice
Under the new GDPR guidelines, I have to inform you as my client about what, why, and how personal information is used, stored and disposed of. The following information aims to explain this:
Personal details: such as name, address, DOB, contact details, GP details.
Private clinical / therapeutic information: such as working agreement, assessment information, background information, other professional reports or documentation, therapeutic information and any email correspondence that’s relevant to your therapeutic process (this is usually correspondence that you or other professionals have sent to me) and will be filed in case records. Data may also include photographs and audio/video recordings.
Personal details: these are held so that I am able to contact you if necessary and locate you within my own personal filing system or contact your G.P or other or professionals if necessary. (with consent unless under exceptional circumstances, such as you are at risk to self or others).
Private clinical / therapeutic information: Is a record of intervention sessions, to record what work is completed or needs to be completed/discussed in future sessions. Audio/video recordings maybe used to assist with assessment, to monitor progress and to assist with parent reflective sessions.
Personal details are used for contacting you directly. I may keep your mobile number on my phone in case I need to contact you when I am away from the paper copy records stored at my office. Photographs/ videos are downloaded to a computer and stored securely and then removed from my phone/video camera. My phone and PC are Password protected.
I will not share your personal information with anyone unless I have your express consent to do so. If I do have permission to share information about you such as a report, it will be sent by secure email or post.
In special circumstances, information maybe shared without consent, if I feel that you are at risk to yourself or someone else or if I have been requested to share information by a court or legal process.
If you contact me directly in between sessions, I will acknowledge the email but in order to safeguard your personal information, I will aim to discuss the content with you at the next session. This can be reviewed on a case by case basis and the privacy contract re visited.
All client records are stored in a locked filing cabinet. Some client information, reports and documents are held on my computer while we are actively working together in intervention; then these records are transferred and stored on an encrypted or password protected hard drive.
I keep records for 7 years after intervention is complete and if this is a young person, I keep the records up to the age of 25. After that point, all notes will be securely disposed of.
PRIVACY NOTICE (Data Processing)
How I process personal data
I comply with my obligations under the General Data Protection Regulation (GDPR) by keeping personal data up to date; by storing (and destroying it) securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
I use your personal data for the following purposes
To deliver the services that clients have requested;
To contact my clients as necessary in accordance with the services they have requested;
To maintain my own records.
Individual client data will never be passed to anyone else without your consent as the client. However, confidentiality may be broken if my own safety or that of you the client, the client’s family members or other members of the public is at risk, or if I am required by law to do so.
In accordance with my need to maintain the possibility of access to client data as a result of returning clients or those who may wish to lodge a complaint in respect of professional services to either my professional body or my insurers (i.e. in all cases perhaps after a long period of time has elapsed), I retain client data for a minimum period of 7 years. For clients under the age of 18, data will be retained until their 25th birthday. The information will be shredded and deleted.
My Lawful Basis for processing client personal data
The client has given clear consent for me Jane Reeves to process their personal data for a specific purpose. Further, the processing is necessary for both my client’s and my own legitimate interests.
I am ICO registered as a data protection officer.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
The right to request a copy of your personal data which I hold about you;
The right to request that I correct any personal data if it is found to be inaccurate or out of date;
The right to request your personal data is erased where it is no longer necessary for me to retain such data;
The right to withdraw your consent to the processing at any time;
The right to request that I, (the data controller) provide you (data subject), with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [N.B. This only applies where the processing is by your consent or is necessary for the performance of a contract and if this is the case, the data will be sent by automated means].
The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
The right to lodge a complaint with the Information Commissioners Office. (See below).
The client has the right to complain to the Independent Commissioner’s Office (ICO) if they think there is a problem with the way I am handling their data.