You may be aware of new laws relating to the General Data Protection Regulation (GDPR) that are in effect from 25 May 2018. The purpose of GDPR is to provide a set of standardised data protection laws across all EU member countries. This document sets out how I aim to comply with these laws. I am committed to protecting and respecting your privacy and I will endeavour to modify my practice to comply with the regulations to the best of my knowledge.
I, Dr Claire Cope, am the data controller for any information gathered about you from enquiries and during the confidential work carried out. I am registered with the Information Commissioner’s Office (ICO).
What personal data do I process?
From initial contact:
This will include personal data that will enable me to contact you such as your name, address, email and phone number.
If you have contacted me via my website, the details you provide are sent to my email address and I will transfer these to WriteUpp. This is a specially designed cloud-based service for therapists to safely store therapy notes and personal details. This package is GDPR compliant and the company are ICO registered. The original email will then be deleted.
If you are referred by a third party or through health insurance, then I will collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment.
During assessment and subsequent therapy sessions:
I will ask for your Date of Birth, GP name and Address.
I will take handwritten notes during our sessions to help me formulate and plan your therapy. These notes will form the basis for a typed therapy record which will be stored on WriteUpp. This will securely store session notes, letters and reports and/or outcome measures. This may contain some sensitive information.
What do I do with your personal information?
I take your privacy seriously. The information I collect is solely used to provide a therapy service to you and to process payments for those services.
If you do not provide the personal information requested, then I may be unable to provide a therapy service to you.
The lawful basis for processing personal data
I have a legitimate interest in using the personal data and sensitive personal data I collect as it is necessary for me to provide psychological therapy to clients.
I may also ask for information on how you found my service for the purpose of my own marketing research. No information you provide is passed on without your consent. I will never sell your information to others.
Who might I share personal information with?
I hold information about each of my clients and the therapy they receive in confidence. This means that I will not normally share your personal information with anyone else.
However, there are exceptions to this when there may be a need for liaison with other parties:
If you are referred by a third party or health insurance provider, then I may be asked to provide treatment updates to that organisation or to share appointment schedules for the purposes of billing.
As part of my professional guidelines I undertake regular supervision of my cases. I will therefore share some of your information with my supervisor in order that you receive high quality care. I use first names only and do not share identifying details with my supervisor.
In exceptional circumstances, there may be times when I need to share information with your GP, or other healthcare provider. I will discuss with you if I believe it is in your best interest to share information.
Such circumstances arise either in accordance with my duty of care, if there are significant concerns for your safety or that of another person, or where I am bound to provide information requested under a legal obligation.
What I will NOT do with your personal information
I will not share your personal information with third parties for marketing purposes.
How I protect the security of personal information
Notes and reports are only accessible by me and all my devices are thumbprint and/or password protected.
Handwritten notes taken during sessions are for my record only. These are kept in a lockable filing cabinet.
In order that I can contact you via text I will store your first name and the initial of your surname on my phone.
No other information will be stored about you in this format. This information is only accessible by me and requires touch ID. I will delete your details from my phone within 6 months of completing our work together.
Personal information is minimised in phone and email communication. Sensitive personal data will be sent to clients in an email attachment that is password protected. I would encourage your correspondence to me to also use this method. I will never use open or unsecured Wi-Fi networks to send any personal data.
In the event of online communication using video sessions or other forms of online therapy, I will discuss the available options to best suit your needs. End-to-end encrypted methods will be recommended and the need to use a secure network will be emphasised.
Clinical records and personal information are securely stored on a specialist server designed for private clinical practices (WriteUpp). This form of record keeping gives me access, secured by password, to the details of your case. It also enables easy access to a legible summary of sessions. This would be the record that you could request under your right to access.
How long do I store personal information?
I will only store your personal information for as long as it is required. Basic contact information held on my mobile phone is deleted within 6 months of the end of therapy. Similarly, details gained from initial enquiries with no further contact will be deleted within 6 months.
When 7 years have elapsed, I will delete or shred and dispose of your notes at the end of each calendar year.
In accordance with the guidelines and requirements of record keeping by The British Psychological Society (BPS; 2000) and The Health and Care Professions Council (HCPC; 2017), I am required to keep your records and personal data for 7 years after the end of therapy.
Therefore, when therapy has been undertaken, I am not able to comply with a request to delete a client’s personal record and information during this time.
If you have any concerns then please contact me or the ICO on https://ico.org.uk/
Your right to access the personal information I hold about you
You have a right to access the information I hold about you. I will usually share this with you within 30 days of receiving a request. A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy). You have a right to get your personal information corrected if it is inaccurate.
The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.
Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.