Therapy client data GDPR: As from 25th May 2018, under the General Data Protection Regulations (GDPR), I, Andrew Watford, Psychotherapist, am required by law to inform you (as my current therapy client, or potential therapy client) about how I process and keep safe the data I hold that pertains to you. I am also required to gain your consent to my holding and processing your data in certain ways (they’re detailed below). As a qualified and experienced Psychotherapist, I take confidentiality and privacy very seriously and am bound by the code of ethics of BACP.
Please read and sign to indicate your consent. You may print a paper copy, or copy and paste digitally. If you do not wish to give your consent, you have the option to discuss with me, and it may be possible to create a bespoke agreement between us.
If you agree to give your consent for me to hold and process your data as stated, please sign, date and return to me by hand, by post, or email to my business account.
I keep certain data so that I can work safely and professionally with you, in line with the guidelines of BACP.
The therapy client data GDPR I hold may include:
You have the right under GDPR to know what therapy client data I hold, why I hold it, and for how long I hold it. You also have the right to view it, and to ask for changes to be made. When sensitive data is to be destroyed, it is shredded. If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible.
To try and make things as clear as I can, I’ve divided this into nine sections. You’ll need to consider each section individually, and if you consent then sign and date where indicated at the bottom of the page.
I keep your name and address in paper form in a locked filing cabinet. These are kept separate from your session notes. I use a double index entry system to ensure your name is not directly linked to a client record.
This is required by my professional liability insurer and by my professional organisation (BACP).
My professional liability insurer advises that I keep this data for seven years. After that time it is destroyed.
Myself.
I keep your phone number in my mobile phone under an identifying code, not your name. My phone is locked with a passcode when I am not using it. Your email address is held in my Gmail account, which is encrypted across all my devices. Neither my computer nor my phone is shared with anyone else, unless it is required by a technician for maintenance. I also keep your phone number and email address in paper form in a locked filing cabinet. These are kept separate from your session notes.
This is needed in case I have to contact you (for example for rescheduling sessions or sending an invoice). My professional executor keeps this data so that you could be contacted in case I became suddenly incapacitated through a health crisis or other emergency, as required by my clinical will. I also keep your email address in case we agree to work therapeutically via email, either as a regular arrangement or just occasionally.
I will remove this data when we have finished our work, unless you tell me that you would like me to retain it in case we work together again in the future.
Myself.
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you. In addition, you and I may agree together on some other reason that I might contact this person, based on your best welfare.
When we finish working together, I will delete this data, unless you and I decide to make other arrangements.
Only myself.
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
In many cases I would never need to use this information. However, you and I may agree together on some reason that I might contact your GP, based on your best welfare, for example discussing diagnosis, treatment plan or safety procedures. If I were to become concerned for your safety I may decide to contact your GP or emergency services.
When we finish working together, I will delete this data.
Only myself.
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
It may be relevant to share certain medical information when:
(a) Your mental health history, diagnoses etc may inform my treatment plan to make it more appropriate for you
(b) There is any risk that health conditions (e.g. seizures, diabetes, etc) may impact a session
(c) Your medications may affect our work
(d) You have any allergies that I should be aware of in order to keep you safe
When we finish working together, I will delete this data.
Only myself.
Notes may include dates and times of attendance, and brief notes on important themes from the session. I do not keep detailed session notes. I keep a ‘clear desk’ policy, which means that session notes and other information are not left unattended.
I keep brief session notes in paper form in a locked filing cabinet. Your name or other identifying details are not kept with your session notes; only a code is used.
Brief notes may remind me of important points I want to be sure to remember to discuss in our next session, and/or in supervision.
After the work has been discussed in supervision, I may destroy any notes (or parts of notes) that my supervisor and I do not consider necessary to keep for longer. My current policy is to destroy session records seven years after our work finishes. If you would like me to retain them for a longer period, please discuss this with me.
Only myself.
I make a note of payments you have made, on a password-protected financial spreadsheet for my business. I may also outline invoices and record payments in my paper diary, but under a code rather than your name.
As a small business owner, I am required by law to retain certain financial information, primarily for tax purposes.
I keep financial information for 7 years as advised by HMRC.
Payment by cheque will be processed by my bank, but your account name will not be visible on my bank statements. Banking transactions may be viewed by employees of the bank, my accountant, my financial advisor, and tax officers (HMRC). When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.
I may delete emails after I have noted the contents (for example, emails around scheduling). Any emails that I consider it necessary to keep are retained in my ProtonMail email account, which is encrypted.
I advise that you and I use an encrypted email system called ProtonMail. This ensures end-to-end encryption. ProtonMail is easy to install and use, and it has a free version.
If you would like to communicate via text, for example regarding rescheduling appointments, you will need to do this via an app called Signal. This can be downloaded to your mobile phone, it’s free and is straightforward to use.
Please note that normal emails and texts, and related applications such as WhatsApp and Messenger, are not recommended due to confidentiality and privacy issues.
I may keep emails if I consider it clinically necessary.
I will delete emails when our work ends, unless they form session notes (in which case, see above).
Only myself.
In most cases, I do not create an invoice for clients who are paying weekly, but you may request that I invoice you if you wish. I create invoices on my laptop using Pages, and then export as PDF. Invoices are kept as password-protected documents on my computer, and are sent via ProtonMail.
I use the invoice to create the next one (in the case of ongoing work) so that I can revise and update it with new information.
I keep the invoice for a short time whilst I monitor payments (usually this is one month). Once payment has been made, and any further invoice has been created, I delete the invoice.
Only myself.
If you have any other questions regarding how your therapy client data GDPR is processed and handled, please contact me.
This document regarding therapy client data GDPR is subject to regular review and will be updated as I see fit.
All rights reserved ©Feel Better Therapy. The contents of this page may not be copied or reproduced for publication without permission of the author. If you have your own website, you may not copy and use this text without obtaining consent from Andy at Feel Better Therapy.