Privacy, Confidentiality, and Data Protection

Data Protection and Privacy Policy

 

I am registered as a Data Controller with the Information Commissioner’s Office (ICO). Below I describe what information I collect from you and how I manage it in line with guidance and legislation set out by the General Data Protection Regulation (GDPR), Data Protection Act (1998) and the British Psychological Society Clinical Psychology and Case notes Guidance on Good Practice (DCP, 2000).

​

Confidentiality

​

Information disclosed to me during your sessions will not be shared with anyone, subject to the following exceptions:

 

• Where you have requested/given explicit consent to disclose information or data e.g. sending psychological reports to you, or to another health professional/provider or insurance company.

• Where I am legally obliged to disclose information. These situations include:

• Where I believe you or a third party is at serious risk

• Where I have concerns regarding child protection issues or safeguarding issues for vulnerable adults.

• Under the Terrorism ACT (2000), which requires that I disclose any belief or suspicion of acts of terrorism.

• Under the Drug Trafficking Act (1986), which requires that I disclose to police information of any individual making money through drug trafficking.

• Under the Road Traffic Act (2000), which requires citizens to provide information to the police that might identify a driver in a traffic offence. In addition, if I become aware that a client may be driving whilst unsafe (e.g. drug or alcohol abuse, medical condition) the law requires me to pass this information on to the DVLA.

• If I receive a court order.

​

When legally permissible and practicable your consent to disclose the information will be sought and I will encourage you to pass on the information to the relevant person/agency. However, if there is no indication that this has happened, or is likely to happen, or if the risk is believed to be sufficiently serious, I may pass on the information directly irrespective of client consent.

If a situation presents where I would like to share your data in any way not described above, I will contact you to only proceed with your explicit and written consent.

​

Data collection and storage

​

With your consent, I gather, use and store the following information about you solely in order to support me in providing an effective therapeutic service.

 

The information I collect generally includes:

• Your name, date of birth, and contact details including your address, telephone number and email address.

• Information required to deliver a clinical service to you under the terms of an agreed clinical contract. This includes GP name and contact details, your background history and information relevant to your attendance to see me.

• I may also collect information about you from third parties; for example, if I need to gather information from another health professional (such as your GP) to complete a clinical assessment. I would only do this with your consent.

 

I use the data collected from you in the following ways:

• To communicate with you so that I can inform you about your appointments with me or send you supplementary materials related to our work together.

• To keep written notes and record attendance to provide an effective service to you in line with guidance from my regulatory body (the Health and Care Professions Council) and professional organisation (British Psychological Society).

​

I keep records in electronic and paper-based (file) formats:

​

• Electronic-based recording: I use the practice management system PowerDiary, which has been specifically designed for use by health clinics and practitioners. PowerDiary uses a range of security and privacy measures that ensures compliance with legislative and regulatory requirements of GDPR, it has also been endorsed and approved by the British Psychological Society. More details can be found on https://www.powerdiary.com/uk/security/

• I use this system to store your personal details described above, store session notes, sending invoices and receipts, and text message notifications regarding appointments.

​

• Paper-based recording: Written records of any relevant information, including signed contract, and initial information sheet that you provide an assessment, as well as any handwritten notes from sessions will be stored in a physical paper file. This physical file is stored in a lockable GDPR-compliant metal file case in a secure location.

​

• Mobile phone storage: I may keep your mobile, other contact telephone number, and email address stored in the memory of my mobile phone. This would only be used in the event of having to contact you at short notice, as all other correspondence will be conducted via email. Only your initials will be stored. My mobile phone is both fingerprint and 6-digit pin protected.

​

• Email: I use Gmail as my email domain. Gmail is a secure and encrypted email service and is fully GDPR compliant.

​

How long do I keep your personal data?

• In accordance with guidance from my professional body, the British Psychological Society, I retain your file/notes for 7 years. After this time, I will shred your file/notes and delete any electronic copies relating to you.

• I also keep records of invoices, payments, and receipts for accounting purposes. I am required to retain this information for 6 years in line with HMRC requirements. After six years I will delete and/or shred this information.

​

Your rights

​

​How can I see all the information you have about me?

• You can make a subject access request (SAR) by contacting me edarroch@mindsetmattersuk.com. I may require additional verification that you are who you say you are to process this request. I will aim to provide you with this information within one month of your written request. I may withhold such personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.

 

What if my information is incorrect?

• If you think that the data I hold is incorrect please contact me. I may require additional verification that you are whom you say you are to process this request. If you wish to have your information corrected, you must provide me with the correct data and after I have corrected the data in my records I will send you a copy of the updated information in the same format as the subject access request.

 

Right to erasure​

• GDPR guidance states that people have the right to 'be forgotten' i.e., for information held about them to be erased. Within my practice as a counseling psychologist, and in line with guidance from the HCPC, I have a lawful basis to retain your information for 7 years therefore this right does not apply to health records and I would be unable to erase any part of your health records. As stated above after 7 years your information will be shredded/deleted.

 

How can I make a complaint?

• If you wish to raise a complaint about how I have handled your data, you can contact me to have the matter investigated edarroch@mindsetmattersuk.com
  If you are not satisfied with my response or believe I am not processing your data in accordance with the law you can complain to the Information Commissioner’s Office: https://ico.org.uk

​

Use of Video Call/Remote working

 

PowerDiary provides a Telehealth feature which I use for remote video appointments. This uses end-to-end encryption with peer-to-peer connections. The call does not pass through any third-party servers. It is secure and compliant with all health standards. More information: https://support.powerdiary.com/article/240-power-diary-telehealth-security-privacy-and-compliance

 

How it works: Simple to use, no need to download or login to anything. I will send you your own personal link before each appointment and all you will have to do is click on the link. Telehealth works from almost all laptops, phones, and tablets with a camera and microphone.

 

If there are any issues at all with using this feature, we can alternatively use the video platform Zoom. Zoom is also GDPR compliant and the data transmitted during calls are encrypted and secure. Zoom’s GDPR statement can be viewed here https://zoom.us/gdpr

 

If you have any concerns regarding the use of PowerDiary or Zoom and would prefer to use another video platform please contact me to discuss info@mindsetmattersuk.com

​