Last updated: 21st May 2018
The General Data Protection Regulation (GDPR) is the new data protection policy that applies to all businesses that handle personal data concerning residents in the EU. It applies to all personal data that is collected, stored and shared. I have written this document for information purposes regarding the personal data that I process.
What data I collect
- Email address
- Phone number
- Medical conditions
- Prescribed medications
- Session summary
- GDPR consent
How data is stored
- Paper: I do not store any personal data on paper. If I have ever written anything down (usually during an assessment), it is scanned, held on my computer in a password-protected file, and the paper copy is shredded within 24 hours.
- Email: your email address and the emails we have exchanged are stored in my email account. My email provider is Protonmail; all emails are stored securely using encryption, and two-step verification is enabled.
- SMS: any text messages we exchange are sent using my SMS provider (onoff). Your name is stored as initials in this app (e.g. my name would be written as LR).
- Website: I do not store any personal data on my website.
- Mac: My Mac is password-protected and encrypted. Session summary notes are password-protected and stored here. They are kept separate from other personal data and are anonymised.
- Acuity Scheduling: I process all appointments using this service. The personal data stored here is your name, email address, phone number and appointment history (dates of appointments).
- Stripe: All payments are processed using this service. The personal data stored here is your name, email address and tokenised payment information. My account is password-protected and two-step verification is enabled.
- Zoom: All online counselling sessions are processed using this service. Personal data stored is the event name passed through from Acuity Scheduling and is for upcoming sessions only.
How data is shared
I meet with my supervisor twice a month. My supervisor does not have access to any personal data that I hold. In order to protect your privacy, my supervisor will not know you personally or professionally. During our sessions together we discuss my client work, and I refer to my clients by first names only. This process is to ensure ethical and responsible practice rather than to seek instruction. It is an ethical requirement outlined by the BACP.
If your health is at risk (provided I have your consent) I may need to speak to your GP or an emergency healthcare provider (e.g. Mental Health Crisis Team).
If I become aware of your intent to harm another person or organisation (e.g. terrorism), then I may be required by law to inform the authorities without seeking your consent. In this type of situation, the law may require me to share personal data without your knowledge.
In the event of my death the Executor of my Therapeutic Will will call to inform you. This will only happen if you are a current client of mine. This personal data is your contact details.
After one month of us finishing our work together I erase personal data that I hold including any correspondence via email or SMS.
I will hold onto my session summary notes for a period of up to seven years from our last appointment. This is so that I have a record of our work together, for use in situations such as your returning to counselling in the future. After that time has passed, the information is erased.
- To be informed what personal data I store (i.e. this document)
- To see what personal data I store about you (free of charge for the initial request)
- To rectify any inaccuracies
- To withdraw consent to me using personal data
- To request personal data be erased (although I can decline if the information is required for ethical and competent practice)
A signable version of this privacy notice is used when beginning therapy with all new clients. That version forms the legal basis of consent. This privacy notice forms part of the contract when beginning therapy.