Privacy and GDPR Policy
Healthcare professionals like Chartered Health Psychologists have a professional and legal responsibility to respect and protect the confidentiality of people who use their services at all times, even when they are not current clients. There are principles for how this should be done, and these principles are set down by law.
The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018, and is supported by the Data Protection Act (DPA) 2018.
Although it was drafted and passed by the European Union (EU), it imposes obligations on organizations and individuals anywhere, so long as they target or collect data related to people in the EU. This means that if a company handles the personal information of people in the EU, it must comply with the GDPR, no matter where in the world it is based.
The GDPR was a first step toward giving EU citizens and residents more control over how their data are used by organizations and individuals. A privacy and GDPR notice provides an important way to help clients make informed decisions about the data collected about them and how it is stored and used.
This notice outlines how Dr Elizabeth Hale and the associated service Jigsaw Health Psychology comply with the laws mentioned above.
Data Control:
Dr Elizabeth Hale is the Data Controller and Data Processor for Jigsaw Health Psychology.
This means Dr Hale has overall control of the purpose and means of the processing of personal data – i.e. deciding what data to process and why.
The contact details are: liz.jigsawhealth@gmail.com
The practice address is:
Unit 3,
36 High Street,
Pershore,
Worcestershire WR10 1DP.
What personal data we collect and process:
In order to provide you with psychological therapy, we will need to collect and process certain information:
Identifiable information such as: Name and address; email; contact number(s); next of kin/emergency contact number; video conference ID (if online consultations) and GP contact details.
Sensitive identifiable information such as: Signed Client – Psychologist Terms and Conditions agreement; therapy records (therapist notes, letters, reports, assessment tools, client worksheets and outcome measures).
If you complete a web-based enquiry form, we will also collect any information you provide to us as well as your internet protocol (IP) address. This is automatically provided by the website software used to offer the form. The website host used by Jigsaw Health Psychology has verified itself as GDPR compliant.
If you are referred by your Medical Insurance Provider, then we will also collect and process personal data provided by that organisation. This includes basic contact information; reasons for referral information; medical insurance policy number and authorisation for psychological therapy. They may share photos, videos or other images that are relevant.
The lawful basis for processing personal data:
The GDPR states that those who collect information from others need to have a ‘legitimate interest’ in doing so.
Jigsaw Health Psychology has a legitimate interest in collecting and processing the personal and sensitive personal data either provided by you, or your medical insurance provider, to provide you with psychological therapy.
We take your privacy seriously, so we will only use your personal information to assess and provide the services that you have requested from us. Without this information, we may be unable to provide a therapeutic service to you.
Jigsaw Health Psychology has a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
How your personal information is used:
We use the information we collect to provide our service to you.
We use your information to send invoices and process payment for psychological services.
We may ask you for information about how you found our service; this will help us with our marketing research.
We will never sell your information to others.
We will never pass on your information to others without your consent (* but see Who we might share personal information with).
We would always recommend you inform your GP that you are receiving psychological services from us. If you give your express consent, we will write to your GP to inform them of this.
We will never share your personal information with third parties for marketing purposes.
We will only notify you of our own future services and events that might be of interest to you if you give us express consent to hold your contact details for those purposes. You have the right to opt out at any time and to request that your personal contact information is deleted to prevent future proactive contact from us.
Who we might share personal information with:
We hold information about each of our clients and the therapy they receive in confidence. This means that we will not normally share your personal information with anyone else. *However, there are exceptions to this when there may be need for liaison with other parties:
If you are referred by your medical insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation for the purposes of billing. We may also share information with that organisation to provide treatment updates.
In cases where treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared with legal services as required and with your written express consent.
In exceptional circumstances, we might need to share personal information with relevant authorities without your consent:
When there is need-to-know information for another health provider, such as your GP.
When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
When the information concerns risk of harm to the client, or risk of harm to another adult or a child. We will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or to someone else.
How long we store personal information:
We will only store your personal information for as long as it is required.
Basic contact information held on the psychologist’s mobile phone is deleted six months after the end of therapy.
Personal data held in paper form and/or electronically is stored for a period of seven years after the end of therapy. After this time the electronic data is deleted and the paper copy is destroyed by shredding at the end of the financial year. We follow the professional guidelines for record keeping laid down by The Health and Care Professions Council (HCPC, 2018) and The British Psychological Society (BPS, ).
In the event of my incapacity to continue practising as a Health Psychologist or my death, your psychological records will be destroyed by shredding by my nominated clinical executor.
How we ensure the security of personal information:
Paper records containing your personal information will be stored in a locked filing cabinet.
Electronic records are held on a password protected computer. Malware and antivirus protection is installed. Data files are also password protected.
Email correspondence will be sent from a secure account and encrypted, ensuring compliance with the General Data Protection Regulation.
We will never use open or unsecured Wi-Fi networks to send any personal data.
Letters sent to professionals such as GPs by surface mail will be clearly marked Confidential.
The psychologist’s mobile phone is password protected.
Your right to access the personal information we hold:
You have the right to access the information we hold about you (also known as subject access).
You can make a subject access request verbally or in writing – however we would appreciate a written request.
We will respond to a subject access request within one month.
We may request further evidence from you to confirm your identity.
A copy of your personal information will be sent to you in a permanent form (hard copy).
If a third party makes a request for information on your behalf (such as a Solicitor or Power of Attorney), we will need evidence of the third party’s entitlement to act on your behalf. This might be a written authority to make the request.
You have a right to have your personal information corrected if it is inaccurate.
We can refuse a subject access request if it is manifestly unfounded or excessive. In this case we will inform you within one month of receipt of the request and let you know the reasons why we are not taking action. We will also advise you of your right to make a complaint to the Information Commissioner’s Office (ICO) or other Supervisory Authority, and of your right to seek to enforce this right via judicial remedy.
In some circumstances we may charge an administrative fee for supplying the information requested to you.
Jigsaw Health Psychology reserves the right to refuse a request to delete or alter a client’s personal information where this relates to therapy records.
In the event of a data breach:
The Information Commissioner’s Office (ICO) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. If we become aware that this has happened, we will take the following action:
Establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a high risk, then we will notify the ICO.
We will report a notifiable breach to the ICO within 72 hours of discovering it. This will happen even if we do not have the full information yet.
The Information Commissioner’s Office will want to know how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in the future. The initial report need contain no more than a summary of the position.
If there is likely to be a high risk to the rights and freedoms of an individual or individuals, we will contact them as soon as possible, so that they can take steps to protect themselves where necessary. If we are unable to contact you, we will document our efforts to do so.
If we need to contact you, we will give you a description of the likely consequences of the personal data breach and of the measures taken, or proposed to be taken, to deal with it, including, where appropriate, the measures taken to mitigate any possible adverse effects.
In accordance with the requirements of the GDPR, we will record all breaches, regardless of whether or not they need to be reported to the ICO.
Article 33(5) of the GDPR requires us to document the facts relating to the breach, its effects and the remedial action taken. This is part of our overall obligation to comply with the accountability principle, and allows the ICO to verify our compliance with its notification duties under the GDPR.
As with any security incident, we will investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps. As part of our breach management process we will undertake a risk assessment and document this.
We may need to notify third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Dr Elizabeth Hale C.Psychol; AFBPsS
Chartered Health Psychologist
For Reference:
[1] Health & Care Professions Council (2018). Confidentiality – Guidance for Registrants. London: HCPC. See www.hcpc-uk.org.
[2] The Information Commissioner’s Office (ICO). Guide to the General Data Protection Regulation (GDPR). https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ Accessed 21/09/20.
[3] The British Psychological Society (2011). Guidelines for Clinical Psychology Services – Clinical Work and Case Management. Leicester: BPS.
[4] The British Psychological Society (2019). Electronic Records Guidance. Leicester: BPS.
[5] The British Psychological Society (2017). Practice Guidelines (3rd ed.). Leicester: BPS.
[6] The British Psychological Society (2018). Code of Ethics and Conduct. Leicester: BPS.