Therapy Client Data (GDPR): For New and Current Therapy Clients

As from 25th May 2018, under the General Data Protection Regulation (GDPR), I, Andrew John Palmer, am required by law to inform you (as my current therapy client, or potential therapy client) about how I process and keep safe the data I hold that pertains to you. I am also required to gain your explicit consent to my holding and processing your data in certain ways.

What client data is held about you?

I keep certain data so that I can work safely and professionally with you, in line with the guidelines of professional organisations that I belong to.

The therapy client data I hold may include:

  1. Your name and address
  2. Your phone number and email address
  3. An emergency contact’s name and phone number
  4. Your GP name and contact details
  5. Relevant medical information
  6. Session notes
  7. Session recordings
  8. Payment information
  9. My emails and texts to you, and yours to me

You have the right to:

  • know what therapy client data I hold, why I hold it, and for how long I hold it.
  • view it, and to ask for changes to be made.
  • when sensitive data is to be destroyed.

If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible.

How, why, and for how long is your data held?

To try and make things as clear as I can, I’ve divided this into ten sections. You’ll need to consider each section individually, and if you consent then sign and date where indicated at the bottom of the page.

1. Your name and address

  • How do I keep this data?

I keep your name and address in paper form in a locked filing cabinet. These are kept separate from any session notes.

  • Why do I keep this data?

This is required by my professional liability insurer and by my professional organisations (BACP).

  • How long do I keep this data?

My professional liability insurer advises that I keep this data for seven years. After that time, it is destroyed.

  • Who sees the data?

Myself. My clinical supervisor will see your first name but not your surname or address.

 2. Your phone number and email address

  •  How do I keep this data?

I keep your phone number in my work mobile phone under an identifying code, not your name. My work phone is locked with a passcode when I am not using it. Your email address is held in my Gmail account, which is encrypted.

Neither my computer nor my phone is shared with anyone else, unless it is required by a technician for maintenance.

I also keep your phone number and email address in paper form in a locked filing cabinet. These are kept separate from any session notes.

  • Why do I keep this data?

This is needed in case I have to contact you (for example for rescheduling sessions or sending an invoice).

  • How long do I keep this data?

I will destroy/delete this data when we have finished our work, unless you tell me that you would like me to retain it in case we work together again in the future.

  • Who sees the data?

Myself.

 3. Emergency contact’s name and phone number

  •  How do I keep this data?

I keep this data in paper form in a locked filing cabinet along with your name and contact details.

  • Why do I keep this data?

It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you. You and I may agree together on some other reason that I might contact this person, based on your best welfare.

  • How long do I keep this data?

When we finish working together, I will delete this data, unless you and I decide to make other arrangements.

  • Who sees the data?

Only myself.

 4. Your GP name and contact details

  •  How do I keep this data?

I keep this data in paper form in a locked filing cabinet along with your name and contact details.

  • Why do I keep this data?

You and I may agree together on some reason that I might contact your GP, based on your best welfare, for example discussing diagnosis, treatment plan or safety procedures.

  • How long do I keep this data?

When we finish working together, I will delete this data.

  • Who sees the data?

Only myself.

 5. Relevant medical information

  •  How do I keep this data?

I keep this data in paper form in a locked filing cabinet along with your name and contact details.

  • Why do I keep this data?

It may be relevant to share certain medical information when:

(a) Your mental health history, diagnoses etc may inform my treatment plan to make it more appropriate for you

(b) There is any risk that health conditions such as seizures, diabetes, etc may impact a session

(c) Your medications may affect our work

(d) You have any allergies that I should be aware of in order to keep you safe

  • How long do I keep this data?

When we finish working together, I will delete/destroy this data.

  • Who sees the data?

Only myself.

 6. Session notes

Notes may include dates and times of attendance, and brief notes on important themes discussed during the session. I do not keep detailed session notes.

  • How do I keep this data?

I keep any session notes in paper form, which are kept in a locked filing cabinet. Your name or other identifying details are not kept with your session notes; only a unique client identifying code is used.

  • Why do I keep this data?

Brief notes may remind me of important themes that were discussed and that may be helpful for continuity of future sessions, and/or in supervision.

  • How long do I keep this data?

After the work has been discussed in supervision, I may destroy any notes (or parts of notes) that my supervisor and I do not consider necessary to keep for longer.

My current policy is to destroy session records three years after our work finishes. If you would like me to retain them for a longer period, please discuss this with me.

  • Who sees the data?

Only myself.

 7. Session recordings

Only if explicitly agreed by the client, I sometimes record sessions using the voice recording function on my work phone. All recordings of counselling sessions will be securely stored and identified using an anonymous code to protect your identity. I do not record any sessions using any video conferencing technology.

  • How do I keep this data?

Recordings taken using my mobile phone will be uploaded to a secure location and immediately deleted from the device.

  • Why do I keep this data?

Recordings will only be used by myself for the purpose of reviewing the content of the session.

  • How long do I keep this data?

All recordings will be stored for no longer than three months after the end of therapy, after which they will be permanently deleted from their secure location.

  • Who sees the data?

Only myself.

 8. Payment information

  •  How do I keep this data?

Using a client reference code only, I make a note of payments you have made, on a password-protected financial spreadsheet for my business. I also record payments on paper, using a unique client code rather than your name.

  • Why do I keep this data?

As a small business owner, I am required by law to retain certain financial information, primarily for tax purposes.

  • How long do I keep this data?

I keep financial information for 7 years as advised by HMRC.

  • Who sees the data?

Banking transactions may be viewed by employees of the bank, my accountant and tax officers (HMRC).

When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.

 9. Your emails and texts

  •  How do I keep this data?

I may delete emails and text messages after I have noted the contents (for example, emails and text messages around scheduling). Any emails that I consider it necessary to keep are retained in my Gmail account. Any text messages that I consider necessary to keep are retained on my dedicated work mobile, which is password protected.

Please note that applications such as FaceTime, WhatsApp and Messenger are not recommended due to confidentiality and privacy issues. I do not use these with clients.

  • Why do I keep this data?

I may keep emails and text messages if I consider it clinically necessary.

  • How long do I keep this data?

I will delete emails and text messages when our work ends, unless they form session notes (in which case, see above).

  • Who sees the data?

Only myself.

If you have any other questions regarding how your therapy client data is processed and handled under GDPR, please do not hesitate to discuss them with me. This document regarding therapy client data under GDPR is subject to regular review and will be updated as I see fit.