Privacy Policy
This privacy notice tells you what to expect us to do with your personal information.
Registered data controller for Reflect CBT is Jennifer Lindsay
Phone number: 07831552842 Email: jennifer.lindsay@reflectcbt.com
I adhere to current data legislation, the UK General Data Protection Regulation and the Data Protection Act 2018, when collecting and managing your data.
The type of data collected
Client registration form:
Personal identification details: Name, address, date of birth, email address, phone number
Emergency contact details: name, address, phone number
GP Practice: name, address, phone number
Client Notes:
Brief notes will be made in session or afterwards including assessment information, psychometric test results, issues discussed in session, themes of sessions and tools used. These notes may include information of a sensitive nature.
Appointments attended
Dates and times of appointments
Financial
Payment details (including card or bank information for transfers and direct debits)
Where do we collect the data from?
The data at Reflect CBT is provided by you via:
- Request about therapy through email, website or by phone
- Completion of the client registration form and making payments
- Attending therapy
How we use your data
At the enquiry stage your data is used in order to see if therapy at Reflect CBT might be a good option for you, so we can contact you and arrange an appointment.
We require emergency contact and GP information in case you were to take unwell during a session or there were concerns about your safety to self or others.
Session notes are used to provide the best service for you by creating a record of areas to target, tools and techniques used and progress made.
How we store your personal data
Paper and electronic data is stored securely in accordance with GDPR
Anonymised paper notes and forms are stored in a pincode protected locked file
Electronic data is stored in password-encrypted files and backed up on Microsoft OneDrive cloud, which is an encrypted system
A split note system is used so that notes which may contain sensitive information are kept separately from any personal identifying information. A reference code is allocated to the notes so they can be stored in an anonymised form.
For security reasons I do not retain text messages for more than 1 month. If there is relevant information contained in a text message I will make a note in your session notes. Likewise, any email correspondence will be deleted after 1 month if it is not important. If necessary I will copy it in an anonymised form into session notes. Once counselling has ended your records will be kept for 7 years from the end of our contact with each other and are then securely destroyed. If you want me to delete your information sooner than this, please tell me.
If you contact me but decide not to go ahead with counselling with me I will delete your details after 1 week.
All client registration forms, signed contracts and notes will be destroyed 7 years after the last session.
How your data is shared
I may share limited personal identification data for purposes of accounting and tax. I may also share information including name and appointment time for room booking purposes.
I have a supervisor who is a BABCP accredited counsellor and held to the ethical standards outlined by BABCP. I may discuss clients with them without disclosing any personal details and with a focus on getting the best outcome for the client.
I have a Clinical Will and executor in place. If I was unexpectedly unable to continue our sessions or contact you I have another counsellor appointed who on instruction by the executor would be given directions to access my notes and client list and make contact.
Session notes are confidential and will not be shared with anyone unless in exceptional situations where there is concern for the health and safety of you or another individual. In these circumstances I am morally and legally obliged to share information with a third party. This would ideally be with your consent but there may be emergency situations where the information would be shared without your consent. Any information which is shared in these circumstances is done so proportionally. For full clarity this would include disclosure of knowledge of acts of terrorism, people trafficking, driving under the influence of drugs or alcohol, distribution of illegal drugs and breaking other statutory UK laws. I may be legally required to provide information to a relevant authority due to a court order.
For online clients I use the Doxy.me telemedicine platform or Google. It does not record any audio or video calls. It uses full volume encryption and AES 256-bit standard encryption and is considered GDPR compliant.
I also use the Google Meet online video conferencing system. It does not automatically record audio or video. It uses. Calls are end-to-end encrypted and it is considered to comply with GDPR.
When using third-party software such as Microsoft, email systems, booking systems and online teleconferencing platforms, I choose reputable companies that have privacy policies in place and that, to the best of my knowledge, are complying with GDPR.
Lawful basis for holding data
The GDPR states that I must have a lawful basis for processing your personal data.
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Legitimate interests - we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Special category personal information
GDPR also ensures I look after sensitive data. The lawful basis for me processing any special categories of personal information is that it is for provision of health treatment (in this case counselling) and necessary for a contract with a health professional (in this case, a contract between me and you).
Your rights under GDPR
Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you make a request, I must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact me using the contact details at the top of this privacy notice.
For further information on GDPR, visit the Information Commissioner's Office (ICO) website.
Visitors to my website
When someone visits my website, I use a third-party service, IONOS SiteAnalytics, to collect standard internet log information and details of visitor behaviour patterns. Tracking and logging are enabled by default. I do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. I do not make, and do not allow IONOS SiteAnalytics to make, any attempt to find out the identities of those visiting my website. I use legitimate interests as my lawful basis for holding and using your personal information in this way when you visit my website. I use IONOS SiteAnalytics so that I can continually improve my service to you. You can read about IONOS SiteAnalytics here: Data Collection for SiteAnalytics - IONOS Help. You can view the IONOS privacy policy here: Privacy policy - IONOS T&C.
I use WordPress as the content management system for our website; see the privacy policy for WordPress: Privacy – WordPress.org. Like most websites, we use cookies to help the site work more efficiently; find out about our use of cookies: Cookies | IONOS Group SE. No user-specific data is collected by me or any third party. If you fill in a form on my website, that data will be temporarily stored on the web host before being sent to me.
Complaints
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
This policy is regularly reviewed and minor updates may be made. The latest version will be available on this website.