Basis of holding and processing personal data
This is the full privacy statement that I use as part of my contract for psychotherapy with clients. Only a small proportion of it is applicable to personal data obtained through this website. It seems appropriate to make the general statement available here.
As part of the contract for psychotherapy or other services between us, I will have access to personal data about you, including sensitive personal data, almost always provided by you. I will be the data controller of these data. This is my address and my contact details:
10 Cheyne Walk
tel. +44 (0) 779 556 2277
email: firstname.lastname@example.org OR email@example.com
Justification for processing data; data protection
I am responsible for the protection of your personal data, and I take this responsibility very seriously.
I will only store and process the data I hold concerning you in support of the psychotherapy or other services I have agreed to provide, and I will to the best of my ability avoid keeping any data that are not serving that purpose. I will hold certain formal data about you such as the contract between us, our appointments and bank details, to make it possible to receive and make payments and keep my accounts.
The data I keep may also contain sensitive ("special category") personal data, due to the nature of psychotherapy work. In general, holding such data is not permitted. I hold these because the psychotherapy services I provide are a form of health care or treatment, an allowable exception under GDPR Art. 9(2)(h).
I will not provide data I hold about you to any third parties for them to use; I will not sell them; I will not use them for marketing purposes; I have no email system for sending emails to any groups of people in my role as a psychotherapist.
As stated in the body of our contract, I will restrict the information I provide for legal reasons (essentially, that means in response to a court order) to the absolute minimum of what the law specifically forces me to do, the clearest example being something involving terrorism. If you are planning to harm other people, and I think you will act on that, I may consider taking action that involves breaking confidentiality.
Sources of personal data
There are in practice rare situations in which you might ask me to obtain certain information about you from third parties, e.g. from a person referring you. In general I very much prefer, for therapeutic reasons, to only have information about you that comes from you. If it comes from others, it should always be at your request and with your knowledge. If you share information with me about your past, e.g. files or documents, paper or electronic, I will treat and preserve them confidentially, and will either keep them according to my general data retention policy, or return them to you after we have agreed to end our psychotherapy (or other similar process).
The law (Data Protection Act (2018) and General Data Protection Regulation (2016), referred to here as DPA/GDPR or at times as GDPR only) gives you a number of rights about the data I hold or process about you:
- You have the right to obtain all data I hold about you ("right to access"). Given our psychotherapeutic relationship, in certain rare circumstances I might advise you that I would believe it not to be in your interest to see these data. But if you insist on obtaining them against my advice, I would still make them available. Having obtained the data I hold, you have the right to correct or rectify them.
- You have the right to request me to erase the data I hold about you. Although it is customary for psychotherapists to hold data for the retention periods that I adhere to and describe below, for legal and insurance reasons, and as recommended by most psychotherapy organisations, I would on your clearly stated insistence still comply with your request to erase the data I hold about you. Often I would for a period of time retain a few formal data, such as your name, and the period we worked together, in order to satisfy legal obligations I am under to account for the proceeds of my work.
- You have the right to object to my processing of the data, and to restrict how I process them.
- If you make a formal written request for me to work with you without making any session notes, I will consider that, and I will either accept your request, or refuse it, in which case we would complete our work in at most a few completion sessions. In general I would expect you to agree to me holding and processing personal data under the terms of the contract between us.
- You have the right to complain about any aspect of the way in which I hold and process personal data about you to the Information Commissioner's Office (ICO) in the UK, where I am registered. Their website is ico.gov.uk. They do not provide an email address, but can be contacted via the form on this page.
- I do not do any automated decision-making or profiling with data of clients or potential clients.
If you want to exercise any of the rights above, please contact me at one of my email addresses. If you ask to access information about you, I may ask you for specific evidence to identify yourself, to protect you against your data falling into the wrong hands.
See my Cookies policy.
What data do I keep about you?
Following are the personal data I have or may have about you:
- Contract agreed, including communication methods and privacy statement
Created by me:
Only if you give them to me:
- Date of birth
Other data I will produce myself based on our contact and work together, or will have and process:
- Diary entries of appointments made, in person or virtual
- Payments made (in bank statements)
- Recordings, audio or video, of sessions or other contact, if specifically agreed to by you in our contract
- Information (usually in the form of a letter, but sent in email form) prepared for and provided to third parties, if agreed by you. This would always be based on your request for me to do so; you would check the wording before it is sent, and I would send you a copy of the final version. Examples: GP, psychiatrist, for a court case, lawyers, in support of social or housing benefits, etc.
The minimum data that I want to have as a condition for working with you are a telephone number and an email address (preferably one from a "zero-access" encrypted provider). If you want to minimise electronic or digital communication, and/or wish me to keep no information about you, please discuss this with me face to face, and we can try to reach a non-standard (for me) agreement and document this agreement in writing.
Please be aware that I have a rather minimal practice of making notes about sessions.
Who has access to your personal data?
Most of your personal data are pseudonymised. The key between code name and real name exists only in one table, held on my computer.
My preferred way of holding data is in encrypted form on my main computer, backed up to a locally kept backup disk drive, and to cloud storage with Tresorit, all in encrypted form which can only be decrypted by me, and not by Tresorit. My computer and backup drive use full-disk encryption.
I try to keep as few paper data as possible. If you entrust data to me, that might be one exception. Paper data I have are kept in a locked filing cabinet.
I maintain my computer and devices myself. In the unlikely event that I am forced to use outside technical assistance, I might have to allow a third-party computer expert access to my equipment. In such a case I would verify that they comply with the DPA/GDPR, and limit their access to personal data as much as possible.
In the event of something happening to me by accident or health-wise, I have certain arrangements in place. In the cases for which this is meant, the people involved in these arrangements would have (limited) access to the data I have about you, and would subsequently arrange for the secure deletion of the data. They do not have current access to the personal data I hold about you.
As part of my contract we agree to use specific communication channels between us, which are all encrypted (see my Communications policy). The different providers we agree to use will have access to the data we exchange, but only in encrypted form which the providers are not able to decrypt. The main providers that I recommend are Wire and Signal for messaging, audio and video contact, Threema for messaging, and ProtonMail and Tutanota for email.
Your code name and phone number will be in the Contacts list on my iPhone. Your email will be kept in my Contacts list on ProtonMail, and in the Contacts of another email provider we may have agreed to use.
If you make payments to me by bank, my bank will see your name, payment details and amounts. In the general course of events others don't see these, but if I were to use an accountant, they would also have access to those payment records, as would HMRC if I were audited.
All other information will be tagged by me under your code name and not your real name.
How long do I keep data, and how will they be destroyed?
I will keep most data while we are working, and for 4 to 4.5 years after we have ended; after that they will be securely deleted or destroyed. Messaging data I will keep for up to 9 months after our work has ended and then delete. By the nature of messaging data, I am not certain I will have all the history of them available.
Paper data I will destroy using a micro-cut shredder, or burn. Electronic data will be securely deleted, against the background that all data are kept on encrypted disk drives in the first place.