Respecting your right to privacy.
Therapy Client GDPR
As an accredited psychotherapist, I take confidentiality and privacy very seriously and am bound by a professional code of ethics. As from 25th May 2018, under the General Data Protection Regulations (GDPR), I am required by law to inform you about how I process and keep safe the data I hold that pertains to you. I am also required to acquire your explicit consent to my holding and processing your data in certain ways that are detailed in the privacy policy table.
There are some situations where confidentiality may have to be broken, e.g. where a person is at risk
to themselves or others, where an arrestable offence has been committed, or where a child or young person may be at risk of harm. If such a situation arises, information will relayed with consent, to those on a need to know basis only.
What therapy client data is held about you?
I keep certain data so that I can work safely and professionally with you, in line with the guidelines of the professional organisations that I belong to, including ICP and IPAA.
The therapy client data GDPR I hold may include:
1. Your name and address
2. Your contact telephone number
3. An emergency contact’s name and telephone number
4. Your GP name and contact details
5. Relevant medical information
6. Any information you give to me as part of the therapy such as copies of creative writing, artwork, letters etc
7. Session notes
8. Payment information
9. Any email correspondence between us regarding appointment arrangements (I do not engage in email communication other than this and no therapeutic work is carried out by email)
10. Invoices & receipts
You have the right to know what therapy client data I hold, why I hold it, and for how long I hold it (see Privacy Policy Table)
You also have the right to view it, and to ask for corrections to be made to it.
You do not have the right to erasure as:
the legal basis for data processing under contract law states records must be kept for 6 years
client notes are required to provide evidence in the event of a complaint.
All breaches must be reported to the Data Protection Commission within 72 hours, unless the data was anonymised or encrypted. Breaches that are likely to bring harm to the individual – such as identity theft or breach of confidentiality – must also be reported to the individual. If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible and also inform the data Commissioner.