Privacy Notice

General Data Protection Regulation (GDPR)

ABOUT ME

My name is Sarah McCartney. I work as a sole trader (trading as Symmetry Counselling) providing Psychotherapy to individuals both face-to-face and online. My practice is at 71 Plymbridge Road, Glenholt, Plymouth, PL6 7LB.

I am registered with the UK Information Commissioner, registration number Z9924390. (https://ico.org.uk/ESDWebPages/Entry/Z9924390)

THE PURPOSE OF THIS NOTICE

This Notice is designed to help you understand what kind of information I collect in connection with my services and how I will process and use this information in line with the GDPR. In the course of providing you with services I will collect and process information that is commonly known as personal data.

This Notice describes how I collect, use, share, retain and safeguard personal data.

This Notice sets out your individual rights; I explain these later in the Notice but in summary these rights include your right to know what data is held about you, how this data is processed and how you can place restrictions on the use of your data.

WHAT IS PERSONAL DATA?

Personal data is information relating to an identified or identifiable person. Examples include an individual’s name, age, address, date of birth, gender and contact details.

Personal data may contain information which is known as special categories of personal data. This may be information relating to, but not limited to, an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, or data relating to sexual orientation.

Personal data may also contain data relating to criminal convictions and offences.

For the purposes of safeguarding and processing criminal conviction and offence data responsibly, this data is treated in the same manner as special categories of personal data, where I am legally required to comply with specific data processing requirements.

PERSONAL DATA I COLLECT

In order for me to provide psychotherapy for you, I will collect and process personal data about you.

I may also need to collect personal data relating to others in order to provide an effective service. In most circumstances, you will provide me with this information. I will not record any names or other specific identifiable information.

You may provide me with personal data when completing online contact forms, or when you contact me via the telephone, when emailing me directly or where I provide you with paper-based forms for completion or I complete a form in conjunction with you. I may record your communications with me when contacting me.

In normal circumstances, I will not share your personal data with others without your explicit consent. I will share personal data with authorised third parties where you have given explicit signed consent or where I have a legal obligation to do so. Some examples follow:

• Insurance companies (i.e. health insurance)

• Rehabilitation Companies who have referred you for therapy and require reports.

• Statutory Agencies where there is a legal duty to share data.

• Clinical Supervisors (no names or other directly identifiable data will be shared)

My website host is a UK-based web hosting company. It will collect your personal data on my behalf when you visit my website, where it will collect your unique online electronic identifier; this is commonly known as an IP address.

It will also collect electronic personal data when you first visit my website where a small text file that is commonly known as a cookie is automatically placed on your computer. Cookies are used to identify visitors, to simplify accessibility, to monitor visitor behaviour when viewing website content and navigating the website, and when using features or downloading files. You can choose not to allow cookies when visiting my website.

Where I collect data directly from you, I am considered to be the data controller. Where I use third parties to process your data, these parties are known as processors of your personal data. A data ‘controller’ means the individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data ‘processor’ means the individual or organisation which processes personal data on behalf of the controller.

As a psychotherapist, I will handle the following categories of data:

• Personal data such as an individual’s name, address, date of birth, gender, contact details.

• Details of current physical and psychological health, social circumstances, employment, relationships, etc.

• Data relating to potential risk issues.

• Data relating to criminal convictions and offences.

If you object to the collection, sharing and use of your personal data I may be unable to provide you with a service. For the purposes of meeting the GDPR territorial scope requirements, the United Kingdom is identified as the named territory where the processing of personal data takes place.

If you require more information about how I collect and process personal data, please ask me.

WHY DO I NEED YOUR PERSONAL DATA?

I will use your personal data for the performance of my contract with you (in other words, I need to keep accurate records to provide you with psychotherapy or clinical supervision) and to share information with other agencies (i.e. those who you have given me consent to talk to or those with whom I have a legal duty to share information). I also need to retain data to enable me to process any complaints.

Where I require consent, your rights and what you are consenting to will be clearly communicated to you in writing and your signature or expressed agreement in writing will be obtained. Where you provide consent, you can withdraw this at any time. This may mean that I will be unable to offer you any further service and clinical data collected up until that point will be retained.

DATA RETENTION

For all psychotherapy activities I will retain your personal data at the end of any contractual agreement for a period of 7 years. This data will be retained to allow defence against litigation should an incident give rise to a claim against me. I may need to retain your data for longer, for example if defending myself in a legal dispute or as required by law or where evidence exists that a future claim may occur. Should you make a complaint against me, I will retain the data for 10 years.

Where you or law enforcement agencies inform me about any active investigation or potential criminal prosecution, I will comply with legal requirements when retaining this data.

The retaining of data is necessary where required for contractual, legal or regulatory purposes or for legitimate business interests for statistical analysis and service development and marketing purposes.

Please ask me if you object to the use of, or you have any questions relating to the use of, or the retention of your personal data.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

Your data is encrypted and stored securely by third party Data Processors. All of these are within the boundaries of the UK and comply with GDPR.

YOUR RIGHTS

Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.

These rights are known as Individual Rights under the General Data Protection Regulations (2018). The following list details these rights. Click on each if you wish to know more; you will be taken to the Information Commissioner’s website.

• The right to be informed about the personal data being processed. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

• The right of access to your personal data. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

• The right to object to the processing of your personal data. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

• The right to restrict the processing of your personal data. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

• The right to rectification of your personal data. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

• The right to erasure of your personal data. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

• The right to data portability (to receive an electronic copy of your personal data). https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

• Rights relating to automated decision making including profiling. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/

• The right to object to your data being processed. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

Individuals can exercise their Individual Rights at any time. As mandated by law, I will not charge a fee to process these requests; however, if your request is considered to be repetitive, wholly unfounded and/or excessive, I am entitled to charge a reasonable administration fee.

In exercising your Individual Rights, you should understand that in some situations I may be unable to fully meet your request, for example if you make a request for me to delete all your personal data. A clear example of this is the erasure of clinical records as I am required under the terms of my professional indemnity insurance to retain clinical records for a period of 7 years after the completion of an episode of therapy.

You should understand that when exercising your rights, a substantial public or vital interest may take precedence over any request you make. In addition, where these interests apply, I am required by law to grant access to this data for law enforcement, legal and/or health related matters.

If you require further information on your Individual Rights or you wish to exercise your Individual Rights, please ask me.

PROTECTING YOUR DATA

I will take all appropriate technical and organisational steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data with authorised third parties. My full Confidentiality and Data Protection Policy is available on request.

COMPLAINTS

If you are dissatisfied with any aspect of the way in which I process your personal data please speak to me. You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website which is https://ico.org.uk/concerns/, by live chat or by calling their helpline on 0303 123 1113.