Privacy Policy
GDPR privacy notice
January 2023
The Data Protection Act 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. This document explains how ‘Dr Katharine Sephton’ and ‘Renew Psychology’ will use any personal data they collect about you, as a past, present, or future client, or when using the website, in line with the General Data Protection Regulation.
Who we are
I am Dr Katharine Sephton, a Registered Clinical Psychologist and owner of Renew Psychology.
I am registered with the Information Commissioner’s Office (ICO), registration number A8478694.
My practice is also regulated and informed by the professional and ethical guidelines of The Health and Care Professions Council (HCPC; registration number PYL31319) and The British Psychological Society (BPS; registration number 465290). You can find out more about my professional and legal responsibilities on their respective websites.
https://ico.org.uk/
www.hcpc-uk.org.uk
www.bps.org.uk
Data Control
Dr Katharine Sephton is the data controller for ‘Dr Katharine Sephton’ and ‘Renew Psychology’.
Your rights
We are committed to protecting your rights to privacy. They include:
● Right to be informed about what we do with your personal data
● Right to have a copy of all the personal information we process about you
● Right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete
● Right to be forgotten and your personal data destroyed
● Right to restrict the processing of your personal data
● Right to object to the processing we carry out based on our legitimate interest
Our legal reasons for processing your data
It is necessary, for the purpose of providing psychological services, as a healthcare professional, for us to process your personal data. The lawful basis for processing this information is that it is in our legitimate interest to do so. In addition, the processing of your information may also be required due to legal obligation, for example in the case of a litigation claim.
The data that we collect about you will also include special category data (for example concerning your sexual orientation, health or genetics) which it is necessary for us to process for the purpose of providing you with health or social care or treatment.
In rare occurrences it may also be necessary for us to process your personal and special category data under Vital Interests. In these circumstances we would be processing your data in order to protect the life of you or another person, and where you are physically or legally unable to provide consent. All attempts will be made to first process your data under another legal basis.
What type of personal data is collected and processed
Upon starting therapy, basic personal information will be collected for contact and identification reasons. During our therapy meetings, an assessment of your psychological health will be completed, and notes will be taken during sessions. These will include personal and sensitive details about your life. On occasions, I may audio record therapy sessions for the purpose of clinical supervision. This data will not form part of your client record and will be discussed with you in advance.
All contacts that you have with the service (including by telephone, video call, email and letter) and documentation associated with your contact (including letters and reports) will be recorded in writing. This data is used solely for the delivery of a therapy service to you and to meet my professional and legal obligations. Depending on your chosen method of payment, bank account details and/or insurance details may also be collected. Personal data pursuant to my legitimate interests in running the business such as invoices and receipts, accounts, VAT and tax returns, will also be processed.
Website access
When you complete an online contact form, we will collect information about you and your internet protocol (IP) address. This is automatically supplied by the website software used to offer the form. All web services that we use are GDPR compliant.
Our website uses cookies. Cookies help us to identify and track visitors and their website access preferences. Website visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using this website. I will only collect the information needed so that we can provide you with the services you require. I do not sell or broker your data.
When someone visits this website, the website provider collects standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow our website provider to make any attempt to find out the identities of those visiting our website.
Video conferencing
Your therapy will be provided via the Clinix platform. Clinix use Twilio (and Sendgrid, part of the same group) to provide video and email services. Their privacy notice is here: https://www.twilio.com/legal/privacy. This platform is GDPR compliant and end-to-end encrypted. Your session link will be unique to your session.
What we do with your personal information
We will only use your personal information to provide the services you have requested from us. In addition, your data may be used for the purpose of statistics (for example, in reviewing the number of referrals we have received). If you do not provide the personal information requested, then we may be unable to provide a therapy service to you.
Who we might share personal information with
We hold information about you and the service that you receive in confidence. However, in some circumstances we may need to share information and liaise with other parties, as outlined below:
● If you are referred by your case manager or solicitor, or if another third party (such as a family member) is funding your therapy, we will share appointment schedules with that individual or organisation for the purposes of billing. Some of these third parties may also require details about any diagnosis, treatment plan, progress updates and a treatment summary. We will discuss the scope of this with you, and will obtain your consent prior to any information being shared. It is completely up to you what information we release, but please note that if you do not release the information required, most companies won’t fund your treatment.
● We are occasionally asked by clients, their solicitors, the police and the courts for access to the client records. These are not suitable as evidence in legal proceedings, and I reserve the right to resist legal requests to produce the records in court. I do this in order to protect the duty of confidentiality of my clients and to preserve my reputation as the provider of confidential therapy services.
● Occasionally I am asked by my clients or by external agencies such as Social Services or the NHS to write reports on the progress made in therapy. My duty of confidentiality means that I am not in a position to do this without your explicit written consent. I will discuss with you the scope of this information sharing.
● I will only agree to participate in information sharing with your written informed consent and when it is my professional opinion that it is in a client’s best interest.
In exceptional circumstances, we may need to share personal information with relevant authorities:
● When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
● When the information concerns the risk of serious harm to you as the client, or risk of harm to another adult or a child. We will discuss such a proposed disclosure with you unless we have reason to believe that to do so could increase the level of risk to you or to someone else. Such information shared will be limited only to that necessary to safeguard the person at risk, and shared only with those services required to manage that risk.
Sharing of information for the purpose of supervision
In order for us to provide you with a quality service, and in line with our professional responsibilities, we will discuss your case with other mental health professionals for the purpose of supervision and professional advice. This will include clinical supervisors (normally another Clinical Psychologist) but may also include other health professionals. This will be done with your best interests in mind. Your identity will be kept confidential, and no names will be used. Anyone that we discuss your case with will be bound by the same data protection guidelines.
What we will NOT do with your personal information
We will not share your personal information with third parties for marketing purposes. We will not share information about you or your involvement with our service with any individual outside of our service except when your prior consent has been obtained. This includes any request to confirm or deny your contact with our service.
How your personal information is stored
Paper records will be stored in a file in a locked cabinet until added to the electronic client record. All clients will have an electronic client record stored on our secure storage system. Documents or letters, session notes, paper forms, and any other additional information you provide, will be entered or scanned onto your secure electronic client record and any original document securely destroyed. Any email correspondence, or correspondence via the contact form on our website will also be stored. Your contact details will be stored on my mobile phone in a secure folder.
Where applicable, any video or audio recordings created for the purpose of your therapy will be transferred to our secure electronic data storage system after your session and deleted following their use in therapy. They will not form part of your client record.
How we ensure the security of personal information
We take your privacy very seriously. All data is held in the United Kingdom. We do not store personal data outside the EEA. All data storage services used are fully EU and UK GDPR compliant and details are available on request. Malware and antivirus protection is installed on all computing devices. Mobile devices are protected with passcode/biometric security, mobile security and antivirus software.
Where possible, discussion of personal information will be minimised in phone and email communication. Written communication will usually occur electronically. Sensitive personal data will be sent to clients in an email attachment that is password protected. Our email provider is GDPR compliant and uses TLS (transport layer security) which encrypts our emails on our server and when in transit to you, as long as your email provider also supports TLS. We advise our clients to ensure that their email provider supports TLS encryption and is GDPR compliant. You are also encouraged to password protect any documents that you send to us containing sensitive information or personal data. We can provide you with further information about this on request. We will never use open or unsecure Wi-Fi networks to send any personal data.
How long is information stored for: data retention
Your information is kept for the time necessary to provide the service requested. After this time, your data will be stored for a period of 7 years following the end of your involvement with the service (the data retention period), to comply with legal obligations that are placed upon me by my insurers. In the case of a child under 13, records will be kept 7 years after they reach the age of 18. Your data will be deleted at the end of the calendar year in which the data retention period ended.
Your right to access the personal information we hold about you
● You have a right to access the information we hold about you.
● You can make this request verbally, or in writing.
● This request can be made by a third party but we will require sufficient evidence to be satisfied that the third party making the request is entitled to act on your behalf.
● We will respond to your request within one calendar month of receiving your request.
● Further evidence from you to check your identity might be requested.
● A copy of your personal information will usually be sent to you in electronic, password protected form.
● There may be a fee for the administrative costs of complying with this request.
● You have a right to get your personal information corrected if it is inaccurate.
● We reserve the right to refuse a request to delete a client’s personal information where it forms part of therapy records. Therapy records are retained for a period of 7 years in accordance with our insurance obligations, the guidelines and requirements for record keeping by The British Psychological Society, and The Health and Care Professions Council.
Right to complain
If you have any feedback about the service you receive from me, or you are not satisfied with your experience, please contact me. It is possible that I can resolve your complaint, and I welcome feedback. If you make a complaint, I will always take it seriously as it allows me to improve the service that I can offer to others.
If you think that we have not complied with data protection laws, you have a right to lodge a complaint with the Information Commissioner’s Office (ICO).
If you have a complaint or concern about my professional practice, you can also contact The British Psychological Society, and The Health and Care Professions Council.
Acknowledgement
Please ensure you have thoroughly read this policy and contact us if you have any questions about its contents. You will be asked to confirm agreement with this policy prior to your first appointment. Attendance at your appointment, or payment for your session, constitutes your acceptance of this policy.