GDPR and your privacy (reviewed 29 May 2018)
You will no doubt be aware of recently introduced GDPR legislation (General Data Protection Regulation) which is designed to help you understand how your personal details are used by organisations of all sizes from sole traders like me to multi-national corporations. It is also intended to help you control who keeps your details and what your details are used for.
This page summarises how I use any data you provide me with.
In short, what you tell me stays with me and goes no further. I don’t share information about you with anyone else.
- I, Simon Simpson (also trading as CBT Surrey), provide psychological services, including psychological assessments and therapy.
- I understand that you have provided me with personal and sensitive information and that this information is important to you. I am committed to protecting and respecting your privacy.
- I only collect and retain your personal information in order to allow me to perform my services as a psychotherapist.
- I am required to keep your contact details and a record of your treatment for at least 7 years after the end of your treatment. My professional indemnity insurer recommends that I follow NHS guidelines which state that mental health records be kept for 20 years after discharge or 8 years after the death of a patient.
- I will not use your personal information for marketing purposes or send you marketing materials without your consent. Marketing in this instance refers to notifications of new services that I might occasionally make available, such as therapy audio downloads.
- I will never sell your personal information to a marketing company nor to any other individual or company.
- There may be occasions when you wish me to pass on information about your treatment to people such as your GP, psychiatrist, another therapist or to your solicitor or an organisation funding your treatment (e.g. a private medical insurer). Sometimes these people may contact me seeking information about you, however I will only communicate with them if you give me your permission.
- If you have given me consent to release information to a third party (for example, your GP or solicitor, as mentioned above), you may withdraw this consent at any time by informing me in writing to: Simon Simpson, 18 Lower Green Road, Esher, Surrey KT10 8HD, or email at: firstname.lastname@example.org
- On very rare occasions such as if I believe there is a real and immediate risk of you doing yourself harm and you are not in a fit state to give me explicit consent I might need to contact your GP, psychiatrist or the emergency services without your consent.
- I record the majority of my treatment sessions (only if I have been permission by my clients to do so). These recordings are stored temporarily on an external hard drive before being deleted either after I have reviewed them or at the end of your treatment, whichever comes first. The recordings are used to reflect on sessions so that I can improve my service to you and for the purposes of clinical supervision (see the next point, below). If you have given me consent to record the sessions you are entitled to withdraw this consent at any time and to ask for any previous recordings to be erased immediately.
- Supervision: all registered psychotherapists meet on a regular basis for supervision of their work by another member of the profession. The clinical supervisor adheres to the same strict rules of confidentiality and privacy as the therapist. During supervision anonymous excerpts from treatment sessions are discussed with the supervisor to ensure the therapist is working ethically. Use of audio recordings in supervision is recommended by my governing body, the British Association for Behavioural and Cognitive Psychotherapies (BABCP). As with any verbal discussion, all audio clips are anonymous.
- I protect your personal information with the following security features to prevent unauthorised access:
- Your session notes are kept in a locked filing cabinet accessible only by me Simon Simpson.
- After your treatment has ended any paper notes concerning your treatment are scanned (digitised) and retained on a password-protected external computer hard-drive kept under lock and key.
Your rights according to the General Data Protection Regulations (GDPR)
The right to Access
You can request a copy of the information I hold about you (contact details, session notes, referral letters).
I have to provide you with a copy of your records. This will be done electronically, by email.
The right to Rectification/correcting inaccuracies
You can request that any inaccuracies in my notes are corrected.
I have to correct any inaccuracies.
The right to Erasure/the right to be forgotten
You can request that your details be deleted.
I do not have to comply if this contradicts my legal obligations to keep your records for at least 7 years, or if it would prevent me from establishing, exercising or defending legal claims.
The right to Restrict processing
You can request that I do not use your details for any purpose.
I do not have to comply, but I need to give you a good reason why I think I do not need to comply, such as if it would prevent me from establishing, exercising or defending legal claims.
The right to Data portability
You can request your information be passed to you in electronic form so that you can transfer it to someone else or to another organization.
I have to send you (by email) your information in digital format. Your session notes will be image files, either PDFs or JPEGs or similar.
The right to Object
You can request that I stop sending you marketing messages.
I have to comply with your request.