In compliance with the General Data Protection Regulation (GDPR), which took effect on May 25, 2018, our centre adheres to standardized data protection laws applicable across the EU. This policy outlines how we manage and safeguard personal data.
Data Handling and Control
As a provider of private psychological services, we collect and process personal data from individuals who contact us for inquiries or receive therapy. This includes essential information necessary to deliver our services, such as personal details, bank information, and email correspondence. Therapy session notes are kept securely by the assigned therapist and are not shared within the organization.
Types of Personal Data We Process
We may collect and process the following data:
General Personal Information: Contact details (name, address, phone number, email), financial information (bank details), GP contact, and video conferencing IDs (for online sessions).
Sensitive Data: Therapy-related documents, including session notes, reports, letters, and outcome measures.
Legal Basis for Processing Data
As registered professionals, we are required to maintain client records to comply with regulatory standards. The processing of personal data is necessary to provide psychological services, and we only use this data for service-related purposes. We operate under the legitimate interest principle, as recognized by the Information Commissioner’s Office (ICO) and in accordance with guidelines set by the Health and Care Professions Council (HCPC) and the British Psychological Society (BPS).
Data Retention Policy
We retain personal data only for as long as necessary:
Basic contact details stored on mobile devices for therapy purposes are deleted within six months after therapy concludes.
Sensitive therapy records are securely stored for seven years following the end of therapy and are permanently deleted at the end of each calendar year after this period.
Data Sharing and Confidentiality
Client data and therapy details are held in strict confidence. However, in specific situations, we may need to share information:
Health Insurance Providers: If therapy is funded through insurance, we may share appointment details for billing purposes and provide treatment updates as required.
Legal Cases: When therapy is arranged through a solicitor, necessary clinical information will be shared with legal services upon the client’s written consent.
Exceptional Circumstances: Personal information may be disclosed without consent if:
Another healthcare provider (e.g., a GP) requires critical health-related information.
Disclosure is legally mandated (e.g., a court order or in cases of miscarriage of justice).
There is a risk of harm to the client, a child, or another adult, in which case we may notify relevant authorities. If possible, we will discuss this with the client beforehand unless doing so could increase the risk.
Training/Quality Purposes: We may share certain details of the sessions in supervision (fully anonymised, with no names and no personally identifiable information). Supervision is conducted with qualified clinicians to ensure the quality of therapy and maintain professional standards. We might request to voice and/or video record the entirety or some parts of a session for quality purposes, as instructed by professional bodies. However, recording will never be done without prior explicit verbal and written consent from the client(s) and/or their parents/carers if they are under 18. If you choose to give consent for voice/video recording, you will be given a form called “Consent for Session Recordings” and your explicit informed verbal and written consent will be sought.
Training/Scientific Purposes: We may ask permission to write and disseminate an anonymous case report based on a client’s treatment, as instructed by professional bodies or for scientific purposes. This will only be done with prior explicit verbal and written consent from the client(s) and/or their parents/carers if they are under 18. If you choose to give consent for an anonymous case report to be written and disseminated, you will be given a form called “Consent for Case Reports” and your explicit informed verbal and written consent will be sought.
What We Do NOT Do with Your Data
We do not share personal data with third parties for marketing or promotional purposes.
How We Protect Your Data
We take strict security measures to protect personal information, including:
Minimizing Data in Communication: We limit the use of personal details in phone and email exchanges. Emails are encrypted using SSL security to prevent unauthorized access.
Secure Storage: All personal information is stored on password-protected computers, with additional password protection on electronic documents. Anti-malware and antivirus software are installed on all devices. Mobile devices are secured with passcodes and fingerprint or face authentication.
Avoiding Public Networks: We do not use open or unsecured Wi-Fi when handling personal data.
Use of Artificial Intelligence
We may choose to use GDPR-compliant Artificial Intelligence (AI) platforms, such as Heidi Health, to help write notes and assessments. Clients will be verbally informed about this in their first session and can choose to opt out if they wish.
Your Rights Regarding Your Personal Data
As a client, you have the right to:
Access Your Data: You may request a copy of the information we hold about you, which we aim to provide within 30 days. We may require verification of identity and may charge an administrative fee.
Correct Inaccuracies: If your personal information is incorrect, you have the right to request corrections.
Lodge a Complaint: If you believe we have not complied with data protection laws, you may file a complaint with the Information Commissioner’s Office (ICO).
Retention of Therapy Records: Therapy records are maintained for seven years for adults and up to age 25 for children (i.e., 18 years plus 7 years), in line with the BPS (2000) and HCPC (2017) guidelines, after which they are safely destroyed. The Private and Voluntary Health Care (England) Regulations 2001 provide a legal framework for private providers to manage their records. Requests to delete therapy records may be declined if they conflict with these regulations.
Before starting therapy, clients receive these terms and conditions via email. If you have any questions about how we handle your data, please do not hesitate to ask.
By engaging in psychological services with our centre, you acknowledge and agree to this privacy policy.