This policy describes how I manage your information when you use my services, if you contact me or when I contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use my website (such as cookies) or my other online presence (such as Facebook or Twitter). In respect of cookies, the policy includes information about the type of cookies that I use and how you may disable those cookies.
I use the information I collect in accordance with all laws concerning the protection of personal data, including the GDPR 2016 and the Data Protection Act 2018. As per these laws, I, Dr Kate Rose, am the data controller; if another party has access to your data I will tell you whether they are acting as a data controller or a data processor, who they are, what they are doing with your data and why I need to provide them with the information.
1. Why do I need to collect your personal data?
I need to collect information about you so that I can:
• Know who you are so that I can communicate with you in a personal way. The legal basis for this is a legitimate interest.
• Deliver goods and services to you. The legal basis for this is the contract with you.
• Process your payment for the goods and services. The legal basis for this is the contract with you.
• Verify your identity so that I can be sure I am dealing with the right person. The legal basis for this is a legitimate interest.
• Contact you if there is a problem. The legal basis for this is a legitimate interest.
• Optimise your experience on my website. The legal basis for this is a legitimate interest.
• Provide you with a useful and relevant website. The legal basis for this is a legitimate interest.
2. What personal information do I collect and when do I collect it?
To provide you with goods and services, I need to collect the following information:
• Your name
• Your contact details including a postal address, telephone number(s) and electronic contact such as email address.
• Details of your GP and any referring agency such as your health insurance company.
• Details of your Next of Kin for use in an emergency.
• Your payment details or insurance details.
• Details about how you access my website such as the IP address, the browser you use, and which pages you access.
I collect this information directly from you.
I may also collect information about you from third parties; for example, if I need to gather information from another health professional (such as your GP) to provide a complete health assessment; or from the referring agency if you are being referred by another organisation.
3. How do I use the information that I collect?
I use the data I collect from you in the following ways:
• To communicate with you so that I can inform you about your appointments with me. In order to do this I will use your name and your contact details such as your telephone number, email address or postal address.
• To deliver the correct service to you I use your name, your contact details and the details about your case, including your GP details and Next of Kin details, so that I can contact them in case of a crisis; and details of any other agency involved in your case so that I can deliver a joined-up service.
• To create your invoice using a practice management software package I use your name and email address, and details of any insurance company or other agency that I am invoicing on your behalf, including any case reference numbers so that the agency can identify to whom the invoice relates.
• I do not currently accept card payments, but if I begin to do so in the future I will need to use your name and payment card details at the time of the transaction.
• To be able to deliver a psychology service to you, good practice guidelines from the HCPC (Health and Care Professions Council) dictate that I must keep your case records and personal data for 7 years and then I must delete it. This is so that if any legal case, or further therapy occurs in that time, your records can be made available to you, your legal advisors, or your treating clinicians as required.
4. Where do I keep the information?
I keep your information in the stores described below.
4.1 On company computers
I use a personal laptop that is located on my business premises and transported to other locations as needed. The computer is password protected and the hard drives are encrypted. Passwords are changed regularly and not shared with other parties.
4.2 Your customer record
I use a cloud-based practice management system called WriteUpp to store the majority of client records. WriteUpp is password protected and encrypted, and its servers are based in the UK. WriteUpp has been very active in ensuring its own GDPR compliance, as well as advising independent professionals on GDPR. I also use the Tresorit secure cloud storage system to keep larger files that cannot be stored in WriteUpp and to keep business administration files.
4.3 Your reports
If you are seeing me as part of a legal claim process, I may be required to create a report that contains all the information that I gather and my findings and conclusions to support your case or direct your treatment. These are produced in Microsoft Word and usually saved to PDF and password protected before being sent by encrypted email or as a link from my Tresorit account to the agency that requested the report. In Civil Law cases these reports become the property of the Courts and will be used in the legal process. It is important to note that anything discussed in your assessment, or therapy, may be included in the report. In addition, your therapy notes may be requested by the Court, in which case anything discussed may be disclosed to the Courts and all parties in the case.
4.4 In my accounts processes
My practice management software contains all the accounting details for each client. I also use Microsoft Excel for some aspects of accounting, but all client information in these documents is anonymised.
4.5 As a paper copy
I may take handwritten notes when I first meet you and during subsequent sessions, or alternatively write directly onto my company laptop. These notes are used to create your client record and any reports produced either for yourself, or for some other agency, such as your solicitor, case manager or insurance company. Once a client record or report has been created, any paper notes will be typed into the patient record in WriteUpp, and then shredded. Paper notes will be stored in a locked filing cabinet at my office until such time as they are scanned and shredded. I am gradually moving away from the use of paper notes, but at the present time some paper notes are kept and processed as detailed above.
5. How long do I keep the information?
I keep a client’s electronic record, any reports and invoices for seven years as this is the required length to comply with the HMRC and HCPC requirements. After seven years I delete the client’s records in WriteUpp and Tresorit including any reports and invoices.
6. Who do I send the information to?
If you are coming for therapy and self-funding then I should, as a matter of good professional practice, inform your GP of my involvement in your care. However, this is not always essential, and I will confirm your consent for this at our first appointment.
I must also inform your GP, and other relevant authorities, if I have concerns about your safety, or the safety of anyone else, based on what you have told me.
If you are being referred as part of a claim process or via your Health Insurance, I will send a report to your solicitor, insurer or other referring agency acting on your behalf. All reports that are sent electronically are sent as attachments that are encrypted and password protected or as an encrypted link from my Tresorit account.
I do not currently use card payments or any card payment provider. However, I do encourage people to pay by bank transfer and your name may appear on my bank statements as a result.
I send the details about your access to my website to my web analytics provider.
7. How can I see all the information you have about me?
You can make a subject access request (SAR) by contacting the Data Protection Officer, Dr Kate Rose. I may require additional verification that you are who you say you are to process this request.
I may withhold such personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.
8. What if my information is incorrect or I wish to be removed from your system?
Please contact the Data Protection Officer, Dr Kate Rose. I may require additional verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide me with the correct data, and after I have corrected the data in my systems I will send you a copy of the updated information in the same format as the subject access request in section 7.
If you want to have your data removed, I have to determine whether I need to keep the data, for example in case HMRC wish to inspect my records. If I decide that I can delete the data, I will do so without undue delay. The regulations apply differently to health records, and your right to erasure may be overridden by the requirement on health care professionals to keep records for 7 years after the last contact in the case of adults; until the age of 25 in the case of children; and indefinitely in the case of people whose mental capacity may be in question.
9. Will I send emails and text messages to you?
As part of providing a service to you I will send appointment information to you via email and text messaging. I keep the information in such communications to a minimum in case a message is intercepted. Where possible I use encrypted messaging, and password protect attached documents. I use a ProtonMail account for secure email communications which are encrypted from my end.
I do not send marketing information out to clients.
I have a Facebook page (Dr Kate Rose: Clinical Psychologist) but I do not contact my clients personally via this. If you choose to use my Facebook page as a form of communication, I will acknowledge your contact but will not engage in any discussion of your clinical issues on a social media platform.
10. How do you opt out of receiving emails and/or text messages from me?
If you phone to book an appointment, I will ask you to give me an email address where I can send the confirmation letter, with the details of the appointment, a copy of my Terms and Conditions, and a Client Information Form, which will ask you if you wish to opt in to receiving text or email reminders and confirmations of appointments. This is entirely up to you; most clients find it a helpful service, but if you do not wish to use it, please say so.
I do not send marketing texts or emails to clients.
If you have any questions about data protection or privacy please do not hesitate to ask Dr Kate Rose, Clinical Psychologist.
I collect information about you when you register with me or make a request for services. I also collect information when you voluntarily complete contact forms. I always try to minimise the amount of personal information that I require in order to provide a specific service or feature.
Requests by your web browser to my servers for web pages and other content on my website are recorded.
Information such as your geographical location, your Internet service provider and your IP address may be recorded. Information about the software you are using to browse my website, such as the type of computer or device and the screen resolution may also be recorded.
My ICO registration number is ZA506089.
I aim to be as clear as possible about how and why I use information about you so that you can be confident that your privacy is protected. However, please contact me at firstname.lastname@example.org if you have any questions or requests about the personal information I process. If you are unhappy with my responses you can also contact the Information Commissioner's Office (ICO) https://ico.org.uk.