Natasha Sephton Privacy policy
DATA PRIVACY NOTICE
Last updated 7th June 2019
I am committed to the protection of the privacy of all who come into contact with me in my role as therapist, supervisor and facilitator. Your personal data is really important to me and I understand how important it is to you. My aim is to be as clear and open as possible about what I do with your personal data and why I do it.
Definitions
· “Processing” means anything that I do with your personal data – obtaining it, holding it, using it, or passing it on. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
· “You” means you as an individual. You are known as the data subject within the context of the GDPR and UK data protection law.
· “I” means Natasha Sephton. I am the data controller as defined within the context of the General Data Protection Regulation (GDPR) and UK data protection law. This means I decide how your personal data is processed and for what purposes, and I am legally responsible for making sure your information is processed correctly and lawfully.
· “Third party” means anyone else I might share your information with.
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.
A lot of the data I process is likely to constitute sensitive personal data: mental/physical health information, family history, client timelines.
How do I process your personal data?
I comply with my obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
I use your personal data for the following purposes:
· To deliver therapy, supervision, mentoring/consultation services
· To facilitate workshops, talks and training
· To contact you regarding scheduling of sessions
· To keep thorough assessment and session notes
· To maintain financial records, invoices and payments made
Further processing
If I wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then I will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, I will seek your prior consent to the new processing.
What is my lawful basis for using your information?
The lawful basis for processing your data comes under 2 categories of Article 6 of the GDPR:
1. Processing is necessary for the performance of a contract. This means under our terms of agreement, I require certain personal information from you in order to begin working together.
2. Processing is necessary for compliance with a legal obligation. I am required by law to inform the appropriate authorities if you make a disclosure concerning acts of terrorism, or where you or another is at risk of serious harm or abuse. Where possible, I will also seek consent.
3. Processing is necessary to protect the vital interests of you or another person. If you are physically or legally incapable of giving consent, but I need to protect your vital interests, in an emergency, I may use your personal information. For example, if you had been taken seriously unwell whilst in session, I may pass on your emergency contact or medical information to emergency services.
4. Processing on the basis of Consent. Where possible, I gain consent to share your information with a third party. However, even if you do not consent, in some situations (as listed below), I may still share your information.
Sharing your personal data
Your personal data will be treated as strictly confidential. I will not disclose information about the content or process of your therapy to others without your permission, with the following exceptions:
Supervision
In order to maintain the quality of therapy I offer, I am supervised for all my work, in which I take aspects of my client’s process and experience. This is taken anonymously whereby I use only your first name. At times it is required that I transmit some client information electronically to my Lifespan Integration supervisor in the USA. I do this using encryption and use only your first name.
Workshop co-facilitation
There will be times when I will bring an assistant/co-facilitator to support me in running a workshop. In these cases, I will be sharing certain aspects of your information including your name, profession, and qualifications. Any electronic transmission of this information will be done using password protected encryption.
Safeguarding and protection
If for any reason I develop concerns that you, or someone you know, are at serious risk of harm or abuse, or that you intend to harm yourself, I reserve the right to take appropriate action based upon my professional judgement. If possible, this will be with your full knowledge and consent. If this is not possible I will act without your permission to protect and safeguard your well-being and that of others.
Acts of terrorism
In the case of disclosure concerning acts of terrorism under the Terrorism Act, confidentiality will be broken and such disclosures will be passed on to the relevant authority without delay, as is my lawful duty.
How secure is your information?
I take security very seriously and will do everything within my power to keep your information safe. All printed documents are stored securely, in a locked filing cabinet, and any electronic files are kept encrypted.
How long do I keep your personal data?
I endeavour to maintain only data that is relevant, accurate and up to date. All registration forms and electronic files will be shredded at the end of our therapy agreement. I am required by the Health and Care Professions Council (HCPC) to keep case notes for a period of seven years from the date therapy concluded (or from when the client turns 18), at which point they will be confidentially disposed of (shredded), unless a request has been made to keep the case notes for longer than this period. Any request must be made in writing before the end of the seven-year period.
Your rights and your personal data
You have the following rights with respect to your personal data:
1. The right to access information I hold on you
· At any point you can contact me to request the information I hold on you as well as why I have that information, who has access to the information and where I obtained the information from. Once I have received your request I will respond within one month.
2. The right to correct and update the information I hold on you
· If the data I hold on you is out of date, incomplete or incorrect, you can inform me and your data will be updated.
3. The right to have your information erased
· If you feel that I should no longer be using your data or that I am illegally using your data, you can request that I erase the data I hold.
· When I receive your request I will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because I need to keep it for legal or contractual purpose(s)).
4. The right to object to processing of your data
· You have the right to request that I stop processing your data. Upon receiving the request I will contact you and let you know if I am able to comply or if I have legitimate grounds to continue to process your data.
5. The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
· You can withdraw your consent easily by telephone, email, or by post (see Contact Details).
6. The right to lodge a complaint with the Information Commissioner’s Office.
· If you feel I have used your information incorrectly or without lawful basis, or you dispute my lawful basis, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Please contact me if you wish to exercise any of these rights.
Contact Details
I can provide you with access to your personal data at any time. I ask that requests are made in writing.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
I keep this Privacy Notice under regular review.