General Data Protection Regulations 29/04/2020 – Privacy Statement
In compliance with the above legislation, I Katherine Sydenham-Young acknowledge that I am a data controller as I collect data, and in some circumstances, e.g. when supplying information required by Agencies commissioning my services, a Data Processor.
- I collect and retain client information supplied to me, in the following formats: electronically and written notes. This includes email addresses, telephone numbers, names and signatures on contracts, names and address, next of kin / emergency contact name and phone number, details of any medication taken, history of mental health or previous therapy and GP name and surgery.
- I collect and retain written and pictorial notes from our sessions, which you can access and have a copy, but which do not contain names, information about third parties, or any other specific identifying material.
- Where relevant or requested, I retain receipt books showing your first name, amount paid and date. When payment is by bank transfer, bank statements are retained, showing your name, date and amount transferred.
- I retain a diary showing appointments with clients, identified by first name only.
- I retain a code list, which identifies clients by initials only to reference number on their notes.
Data Collection and Processing Purposes.
The purpose of retaining items in (1) above is for us to communicate regarding appointment arrangements, for me to send you relevant documents, e.g. psycho-educative information, and in emergency, and with your consent, contact your next of kin or appropriate medical help. My lawful basis for retaining this information is to fulfill my contractual obligations to you and for legitimate interests.
The Purpose of retaining items in (2) above is to assist me to offer therapy e.g. By monitoring outcomes of psychological growth, by recording changes in thoughts and emotions and tracking progress towards personal goals. My lawful basis for retaining this information is to fulfil my contractual obligations to you, to comply with my legal requirements and for legitimate interests. Please refer to our contract for details of when it may be necessary for me to break confidentiality without consent.
Notes which are sent electronically by me as a Data Processor, to an Agency commissioning my service, such as employer assisted programmes or Victim Support (Homicide Department) are either sent via a secure portal with log-in/password access only, or are individually password protected. Please refer to these Agencies own GDPR statements regarding their controlling/processing of this material. My lawful basis for sharing these notes with Agencies, are to fulfill my contract with you, and also them, and for legitimate interests.
The purpose of retaining items in (3) above is to keep records required by HMRC for accounting and tax reasons, so my lawful basis is to comply with my legal obligations.
The purpose of retaining items in (4) above is to be able to manage my caseload and also provide information to HMRC for accounting and tax reasons, so my lawful basis for processing these is to fulfill my contractual and legal obligations.
The purpose of retaining my code list in (5) above is to be able to preserve client anonymity so my lawful basis for this is to fulfill my contractual obligations and legitimate interests.
Rights of the individual
You have the following rights: to be informed, to restrict processing, to data portability, to erasure, and the right of rectification, of access and to object. These are not absolute rights.
Information supplied in (1) above will be retained for 6 months after sessions have ended and stored separately from client notes, in a locked fire-proof cabinet in my private study, or, if electronic, on password protected devices under my close personal control. After 6 months, paper records will be shredded and electronic information will be deleted.
Information supplied in (2) above will be retained for 7 years after sessions have ended, and stored separately from client names, addressed etc. in a locked fire-proof cabinet in my private study.
Information supplied in (3) above will be retained for 7 years after sessions have ended and stored securely and separately from all other information. After 7 years this information will be destroyed by shredding.
In the event you wish to contact them, e.g. for any concerns, their website address is www.ifc.org