Client Privacy Notice (GDPR Agreement)
1. Data Controller, Data Protection Officer and Data Subject
Dr Jo Daniels is the data controller and data protection officer, regulated by the Information Commissioner under GDPR and the UK Data Protection Act.
You (the client receiving either therapy or supervision) are the data subject.
2. Personal data I collect and process
Dr Jo Daniels processes the following personal data from therapy clients and supervision clients:
Personal data: Name and address, phone number, email address, video conference ID (for tele-therapy), emergency contact’s name and phone number, GP name and contact details, details of your psychiatrist and other relevant medical specialists (as relevant), payment information (which I may pass directly to my payment processor).
Sensitive personal data: Therapy or supervision records (therapist / supervisor notes, letters, reports and/or outcome measures), relevant medical information, my emails to you, and your emails to me.
Third party referrals: If you are referred to me by another party (health insurance providers, referral service) I collect and process personal data provided by that organisation including: basic contact information, referral information, health insurance policy number and authorisation for psychological treatment.
3. How this information is collected
I collect this information directly from you and relevant third parties, from my first contact with you and any subsequent sessions.
4. The lawful basis for processing personal data
I have a legitimate interest in collecting and using the personal data and sensitive personal data I collect to provide healthcare and treatment. The data is used to provide psychological therapy to therapy clients or clinical supervision to supervision clients. No information you provide is passed on without your consent (apart from in exceptional circumstances where I must comply with my legal and regulatory obligations – see section 7).
I will never sell your information to others.
5. What I do with your personal information
I will only use your personal data to provide the services you have requested from me. I will also use your personal data to process payment for such services. If you don’t provide the personal information requested, I may be unable to provide a service to you.
6. How long do I store personal information
I only store your personal information for as long as it is required. Basic contact information held on a phone or teleconferencing service is deleted after our final session. Other personal data and sensitive personal data described above is stored for 7 years after our final session. After this time, all data is deleted at the end of each calendar year.
7. How I might share personal information
I hold information about each of my clients in confidence and will not normally share your personal information with anyone, with the following exceptions:
- In exceptional circumstances, I might need to share personal information with relevant authorities:
  - When the information concerns risk of harm to you, another adult or a child. I will discuss proposed disclosures with you unless I believe that to do so could increase the level of risk to you or someone else.
  - When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
- I may share relevant clinical information with other health care providers such as your GP, on a need-to-know basis and only after discussion with you.
- If treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared with legal services as required and with your written consent.
- If you are referred by an Employee Assistance Programme or claiming through a health insurance provider, I will share appointment schedules with that organisation for billing purposes. The Employee Assistance Programme may also require me to share relevant clinical information to assist other healthcare providers involved in your treatment.
- In line with best practice I receive regular clinical supervision from other mental healthcare professionals. If your case is discussed in clinical supervision, this will be done with your best interests in mind, your identity will always be kept confidential and the content of what we discuss will be treated as confidential.
- For payment of fees I prefer to use mobile payment systems which are GDPR compliant or bank transfers.
8. What I will not do with your personal information
I will not share your personal information with third parties for marketing purposes.
9. How I ensure the security of personal information
Personal information is minimised in phone and email communication. Any sensitive personal data sent by email will be sent as a password-protected attachment. I use a GDPR-compliant encrypted email service to encrypt and protect email traffic. Emails will be encrypted in transit, provided your email provider supports Transport Layer Security (TLS). If your email provider does not support TLS, you should be aware that any emails sent or received by me may not be protected in transit.
I will monitor all emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
I prefer to use the video conferencing program Zoom which supports end-to-end encryption and is GDPR compliant. My electronic devices are secure and I conduct sessions in a private room out of the sight and earshot of others to prevent data from being intercepted by a third party.
It is your responsibility to ensure that the electronic device you use for teletherapy is secure and that you are in a private room out of the sight and earshot of others during our sessions.
If we use Instant Messaging or record any aspect of a session within a teleconferencing programme, I will delete records of this from my electronic device. It is your responsibility to delete records held on your electronic device to ensure the privacy of our conversation.
You may wish to ensure that your electronic device is cleared of a record of our meeting if you want to keep your teletherapy private from others.
You and I agree not to record any conversation we have without gaining the explicit consent of the other.
10. Where is personal data held
Personal data is stored on password-protected office computers with anti-malware and antivirus protection, and on password-protected encrypted flash drives. Mobile devices are protected with a passcode and / or fingerprint recognition.
Personal data collected in paper format are stored in a locked filing cabinet.
11. Your right to access the personal information we hold about you
You have a right to access a copy of personal data I hold about you. I will usually share this with you within 30 days of receiving a request. There may be an administration fee for supplying the information to you and I may request further evidence from you to check your identity.
A copy of your personal information will usually be sent to you in a permanent form as a printed copy.
You have a right to get your personal information corrected if it is inaccurate.
You have the right to require me to restrict processing of certain personal data in certain circumstances (e.g. if the accuracy of the data is contested).
You have the right to require me to delete personal data. However, I reserve the right to refuse a request to delete a client’s personal information where this constitutes therapy records. I follow best practice guidelines of the British Psychological Society (BPS; 2000) and The Health and Care Professions Council (HCPC; 2017) regarding the retention of personal data contained in (amongst other sources) patient notes and clinical records. I retain personal data for a period of 7 years following the cessation by data subjects of engagement with me. When it is no longer necessary to retain personal data I will delete it.
I hope that we can resolve any query or concern raised about our use of personal information. GDPR gives you the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner and you can contact them at https://ico.org.uk/concerns or by phone on 0303 123 1113.
The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.
Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.
By signing a therapy or supervision contract or indicating your consent by email or by attending an initial session with me, you are confirming that you fully consent to Dr Jo Daniels holding, controlling, processing and storing your personal data as stated above.
Dr Jo Daniels
HCPC Registered Clinical Psychologist
BABCP accredited Cognitive Behaviour Psychotherapist