You may be aware of new laws relating to General Data Protection Regulation (GDPR) that are in effect from 25 May 2018. The purpose of GDPR is to provide a set of standardised data protection laws across all EU member countries. This document sets out how Pronk Psychology complies with these laws.
This policy describes how personal and sensitive data is collected and stored according to GDPR 2018. Dr Johanna Pronk is the data controller for Pronk Psychology.
What personal data we process
Pronk Psychology collects and processes the following personal data from therapy clients:
- Personal data: basic contact information: name, address, email, contact number, next of kin and GP contact details.
- Sensitive personal data: therapy records (therapist notes, letters, reports and/or outcome measures).
If you are referred by your health insurance provider, then we will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment.
In addition to any requirements of the GDPR, this information may be further protected by the British Psychological Society code of ethics and the regulating body, the Health and Care Professions Council.
The lawful basis for processing personal data
Pronk Psychology has a legitimate interest in using the personal data and sensitive personal data we collect to provide health treatment. This is information that both you and we might reasonably expect to be provided and maintained in order to provide the services you have requested.
This information is necessary for us to provide psychological therapy to clients.
We may also ask for information on how you found our service for the purpose of our own marketing research. No information you provide is passed on without your consent. We will never sell your information to others.
What we do with your personal information
At Pronk Psychology we take your privacy seriously. We will only use your personal information to provide the services you have requested from us.
How long we store personal information
We will only store your personal information for as long as it is required. Basic contact information held on a therapist's mobile phone is deleted within 6 months of the end of therapy.
Initial enquiries about psychological services where a service has not been delivered are deleted within 6 months.
Records relating to providing a psychological service including personal and sensitive data defined above are stored for a period of 7 years after the end of therapy. After this time, this data is deleted at the end of each calendar year.
How your personal information is used
We use the information we collect to:
- Provide our services to you.
- Process payment for such services.
Who we might share personal information with
We hold information about each of our clients and the therapy they receive in confidence. This means that we will not normally share your personal information with anyone else. However, there are exceptions to this when there may be a need for liaison with other parties:
- If you are referred by your health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation for the purposes of billing. We may also share information with that organisation to provide treatment updates.
- In cases where treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared with legal services as required and with your written consent.
In exceptional circumstances, we might need to share personal information with relevant authorities:
- When there is need-to-know information for another health provider, such as your GP.
- When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
- When the information concerns risk of harm to the client, or risk of harm to another adult or a child. We will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or to someone else.
What we will NOT do with your personal information
We will not share your personal information with third parties for marketing purposes.
How we ensure the security of personal information
Personal information is minimised in phone and email communication. Sensitive personal data will be sent to clients in an email attachment that is password protected. Email applications use private (SSL) settings, which encrypt email traffic so that it cannot be read at any point between our computing devices and our mail server. Pronk Psychology will never use open or unsecured Wi-Fi networks to send any personal data.
Personal information is also stored on an office computer and on a secure server owned by Pronk Psychology. These are password protected. Malware and antivirus protection is installed on all computing devices. Mobile devices are protected with a passcode/thumbprint scanner, mobile security and antivirus software.
Paper records will be stored in a securely locked filing cabinet.
Your right to access the personal information we hold about you
A complete summary of your rights is available at the Information Commissioner’s Office website: https://ico.org.uk
You may request copies of data we hold on you and we must provide this information free of charge within 30 days. However, if your request is unreasonable or you have made repeated requests for the same information, we may refuse to comply unless and until a fee is paid or an agreement reached on the data to be provided. You always have the right to file a complaint with the Information Commissioner’s Office if you feel we have violated your rights under the GDPR. We will do our best to provide your information in a format that you can understand and use.
Pronk Psychology reserves the right to refuse a request to delete a client’s personal information where this is related to therapy records. Therapy records are retained for a period of 7 years in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000) and The Health and Care Professions Council (HCPC; 2017).