What is the General Data Protection Regulations (GDPR) 2018 and how does it affect me?
The GDPR replaces the Data Protection Act 1998 to make sure your personal, sensitive and confidential data is kept private, held securely and is being processed in the way that you have agreed to. It is there to protect your rights as a consumer of a service or product that might involve your identifiable data, e.g. your name and address or whether you have a specific condition. It also covers any session notes, text messages or emails we exchange.
What information will you collect about me and why?
In order to provide you with counselling and psychotherapy I will need to gain your name and contact details, which will be collected either upon our first contact or during our first session, with your explicit consent to use in the way you agree. This is to make sure I can contact you to arrange appointments or inform you if I need to cancel an appointment.
If you decide to go ahead with counselling, I will also keep brief notes of each of our sessions together to remind me of our previous discussions in order to prepare for our future sessions. I am also required by my insurer to keep session records in the event of a claim. During the first session, I will ask you some questions to gain more information about you to help me to provide a high quality service to you, but you are free to answer as much or as little as you feel comfortable to. This will include: GP details, relevant medical information, brief information on family and relationship history, any traumatic events/major losses/suicidal thoughts, why you are using the service and any previous counselling experience. Please note, your GP will not be contacted without your explicit consent.
How long will you hold my information for?
My insurer states I must hold your data for 5 years after your final session. However, if you are aged 16 or under at the end of treatment I must hold your data until your 25th birthday and if you are aged 17 when treatment ends, I must keep your data until your 26th birthday.
What if I don’t want my records to be held for that long?
Under the GDPR you can make a request in writing to me for all your records to be deleted. Once your request has been received, I will respond to your request within one calendar month. In some cases, my insurer may state that I have a legal basis to retain your records and therefore will not be able to delete them. If your records are able to be deleted, all your paper records would be shredded and any electronic data such as emails or text messages would be permanently deleted from the devices they are stored on. I will have to keep your request to delete your data, but no other data about you will be kept. In some circumstances my insurance company’s legal team may want to verify information I send out.
What lengths are made to ensure my information is held securely?
Hardcopy documents are stored in a locked cabinet behind a locked door.
Text messages are secured with a pin code.
Emails are password protected. Email attachments sent to you containing any of your personal information will be password protected and the password would be sent to you via text message.
Electronic documents (if they contain personal or sensitive information) will be password protected and stored on a password protected tablet.
Please note, I can provide you with a full list of my policies and procedures either in paper form or by email if required.