Invest in Your Mental Health

We always aim to respect your privacy, keep your personal information safe and secure, and aim not to infringe upon your human rights and freedoms. However, data protection legislation called the GDPR came into force on Friday 25th May 2018.

So what is the GDPR?

The GDPR (General Data Protection Regulation) exists to give you greater transparency and control over how your personal information (data) is held.

Why do you have my personal data and how is it used?

During your psychotherapy/counselling assessment we usually collect some personal data from you. This is to get a sense of how you’ve been feeling, what has been happening for you and what you’d like to get out of the process. This information also helps us to find out relevant information about you, how best to support you and to ensure your safety and wellbeing by conducting a risk assessment. We additionally seek this information to adhere to the ethical framework of the UKCP (United Kingdom Council for Psychotherapy) as well as the requirements of professional liability insurance bodies.

The information requested from those coming for psychotherapy usually includes the following:

  • Name
  • Address
  • Date of birth
  • G.P details
  • What is bringing you to therapy and therapy goals
  • Any relevant physical or mental health symptoms
  • Risk assessment information such as suicidal thoughts and self-harm thoughts or intent.

Therapists work slightly differently and your therapist is responsible for clarifying any further information use they have.

Do you use any site visitation tracking?

I have a website www.therapyunlimited.co.uk and this website uses Google Analytics. This is so we can evaluate who is visiting this website and to establish better ways of being visible to those seeking psychotherapy, counselling and supervision. This tracking notices information such as devices, operating systems, geographical locations and internet browsers. Google Analytics does record your computer IP address which could identify you, however I am not permitted access to this. Google also makes use of cookies; however, you can disable cookies on your internet browser to prevent tracking. Please visit Google's privacy policy if you’d like more information.

I’ve noticed you use contact forms on your site and your out of office email…what happens to the information?

This information comes directly to the administration email, seen only by the director and/or administrator.

What devices do you use and how do you store my data?

This written assessment information is held by your therapist in their locked filing cabinet, only accessible by the therapist. We also hold a paper diary for session appointments, which holds no personal data that would identify you.

Therapy Unlimited additionally keep minimal electronic records on our electronic notebook. Your therapist is usually required to keep a record of your session attendance and any brief pertinent ‘treatment intervention’ notes as requested by their professional liability insurer. This may be together with receipts and invoices. We back up files on the cloud via Microsoft and Google regularly.  

Therapists usually have access to client emails and texts via their smart phone.

Client records are retained for up to 6 years, after which time they are automatically destroyed (paper items by shredding and electronic items through my recycling bin on my laptop which is then emptied by me only). Any financial information such as receipts or invoices are retained for 5 years.

Therapy Unlimited uses up-to-date anti-virus software and firewalls to protect data.

How can I access my information?

You can make a request for your data at any time. This is called a subject access request. Should you wish to make a subject access request, please specify that you are requesting your personal data or making a subject access request. This can be done either in writing to admin@therapyunlimited.co.uk to be passed onto your therapist, or you can do so verbally and directly with your therapist, if you’d prefer.

I will respond first by confirming that I have received your subject access request, that I am processing your request and I will get this to you within one calendar month. This is free of charge. If the request is complex, or I have received a number of requests from you I will let you know within one calendar month that an extension is necessary and will extend by no more than a further two calendar months. I may request identification of the person making the request in proportion to the request being made.

If receiving Therapy with Belinda Wilson, the following applies:

I will give the information in electronic format unless you request otherwise. For formats that are not electronic a ‘reasonable fee’ may be charged for administrative purposes. A reasonable fee may also be charged for extra copies of data.

In some instances, I may refuse to comply with a subject access request. This is only where the request is ‘manifestly unfounded or excessive’. If this is the case I may request a ‘reasonable’ fee or refuse the request. If a reasonable fee is charged, the request will not be responded to until the reasonable fee is paid.

Should your request need to be refused, I will explain why within one calendar month of the receipt of your request, and you will be able to make a complaint to the ICO should you wish to. The ICO (Information Commissioner's Office) is an independent authority that aims to uphold information rights, at https://ico.org.uk/. You may also complain through other supervisory authorities or via judicial means.

Should you find data to be factually incorrect, you are able to request that this be amended e.g. wrong date on an invoice sent, etc.

Should your data content potentially breach a third party’s confidentiality, this will be removed prior to being sent.

Your information is not used for any purpose other than is specified here and is not passed on to anyone else, unless you are making this request. If you wish me to disclose any information about you, you would need to sign a consent form, specifying what information you’d like disclosed, prior to me passing this on to a third party. However, in line with existing confidentiality procedure, I reserve the right to breach confidentiality should I have any serious concerns about your well-being such as:

  • Suicidal thoughts with intent to harm yourself or suicide attempts
  • Self-harm thoughts with intent to do serious harm to yourself
  • Potential harm to another adult or child
  • Serious harm or potential harm to you from someone else
  • If I am subpoenaed by a court of law

I may be asked by police or solicitors to assist them in a case by releasing client notes. Should this be the case I will seek legal advice from my insurer and will also seek consent from you for any information being passed on.

How can I request that my data stops being used or be destroyed?

You can request for all information about you to be erased at any time. This is called ‘the right to be forgotten’. Should you make a request I will respond to confirm receipt of your request and then consider the grounds for your request and make a decision as to whether to comply or whether the law permits me to refuse.

You are permitted to object to your data being processed. However, where this causes conflict with professional insurance requirements, this may mean session work cannot continue.

So, what is a personal data ‘breach’?

A personal data breach is defined by the ICO as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data’.

The ICO goes on to explain that personal data breaches include:

  • ‘access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen; 
  • alteration of personal data without permission; and
  • loss of availability of personal data’.

‘A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed’.

Should an incident occur, I will promptly establish if a data breach has occurred and assess the severity of the incident. If there is no risk to your rights or freedoms, I am not required to report this to the ICO. However, I must report to the ICO if it’s likely that there will be a risk. In the instance where I do not report, I need to justify this decision and document it accordingly.

Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.

Should a data breach occur where there will be a risk, I will inform you either verbally or in written form within 72 hours (whichever is quickest).

What if I don’t understand this policy or have concerns about it?

It matters to me that you are comfortable with how your data is dealt with, so please read this information carefully and do let me know if you have any questions or concerns at any time. I am happy to talk this through with you. There’s also lots of information available online at the ICO link shown above. You can also contact my registering body, the UKCP at https://psychotherapy.org.uk and click the tab at the bottom of the page for GDPR or call them on Tel: 020 7014 9955 for more information on the GDPR.

Will this policy change?

There may be some changes to this policy from time to time to ensure it’s in line with any legislative changes that might happen. I encourage you to check this page periodically to keep up to date.

Last updated 5th May 2020.