Privacy Notice
My name is Suzy Carter and I am registered as a data controller with the Information Commissioner’s Office (ICO).
My record keeping is compliant with EU GDPR (General Data Protection Regulation), 2018 and I am committed to ensuring that the records I keep are secure, accurate and appropriate.
In order to provide the most appropriate therapy and to comply with the requirements of my professional registrations with the BACP (British Association for Counselling and Psychotherapy) and my insurers, I need to record and retain your medical history as well as your personal details and contact information.
I will only use this information in relation to my work, with you, as a healthcare practitioner.
Your consent provides the legal basis for me to carry this out. You may revoke your consent at any time and request that your details are erased from my records; however, professional requirements mean that I am still obliged to retain your information for certain periods of time (see below).
It is your choice how much information you share with me and, if you choose not to share certain information, it should not affect your ability to access therapy in general but it may compromise my ability to work with you (i) therapeutically and (ii) due to the requirements of my professional registration and insurance.
I make brief handwritten notes of our meetings, which are anonymised, in order to keep track of our work together and to satisfy professional registration and insurance requirements. I store these notes safely and securely in a locked metal filing cabinet. Personal details are stored separately. I will ensure that the information I record is accurate and up-to-date but it is your responsibility to inform me of any change to this information.
For CiC/EAP clients, I am required to share brief session notes with the referring organisation via their secure online portal. This portal is pass code protected and requires two-factor authentication to access.
If you have been referred to me by any other organisation, I will let them know the dates of our sessions and share your attendance record if requested but I will not discuss the content of our sessions, without your prior approval.
I do not share notes or personal details with anyone else or organisation or store notes electronically elsewhere. Notes can be supplied on paper or in a standard electronic format, if requested and if it is appropriate.
If I need to refer you to another professional, I will seek your permission before sharing any of your details, whenever possible.
If you contact me by email, your email address will be stored in a contacts list on my personal computer (pc); my pc has up-to-date anti-virus protection; my pc and email account are both password protected. Emails are permanently deleted periodically but you may wish to consider what you include in any message you send.
Enquiries submitted through the contact form on my website are sent directly to me by email and then deleted from my website provider's systems. Any enquiries via my website or directories are retained by the providers only until they have been successfully delivered. The email contact forms only capture the enquirer's name and email address along with the IP address of the computer used to make the request. No cookies are captured by my website provider (although my website does use cookies); some directories do use cookies - for more information on the use of cookies, please click the 'website cookies' link at the bottom of any page of my website; individual directory websites should be checked for information on their use of cookies.
If you contact me via my mobile phone, your telephone number will be stored in a coded contact list on my work-only mobile, which is pass code protected.
I use WhatsApp for messaging and remote working, because it uses end-to-end encryption. I also use Zoom for remote working and am reassured by the recent improvements in the privacy settings. Zoom sessions require the use of a unique link for entry and participants may only be admitted at my discretion, via a virtual waiting room. I do not use Zoom's facility to record the content of sessions. The laptop used for Zoom sessions is pass code protected and has up-to-date anti-virus protection.
It is your responsibility to ensure that any locations, devices or platforms that you use in your work with me offer you the level of confidentiality and security that you need.
I will hold your information for at least seven years, which is a requirement of my insurance company. The law regarding children’s records state that records are to be kept until the child is 25 years old or, if 17 years old at the start of therapy, until they are 26 years old. Records will be safely destroyed once the appropriate time has elapsed. It is your right to request that your information is destroyed at any time but I may not be able to comply, due to these professional constraints.
Our work will be confidential, unless I observe or you tell me something that I am legally obliged to report for reasons of public interest - for example, information about crimes such as acts of terrorism, money laundering or drug dealing; or a public health issue, such as if I or another client were to contract a notifiable disease, when working face-to-face. In this case, I might have to share your name and contact details with the appropriate authorities; or in the former case, hand over my notes if I am ordered by a court to do so. If possible, I would discuss the situation with you first.
I do use some social media platforms, for example a Facebook business page and Instagram but would never download information about you via these platforms, for any purpose.
Should a data breach occur, it is my responsibility to inform you and the ICO within 72 hours.
Should anything happen to me, I have a formal arrangement with an experienced professional, who will contact you and take responsibility for my records, in accordance with this notice.
A copy of this policy appears on my website: www.pentredtherapy.co.uk
GDPR gives you certain rights in relation to the recording and storage of your personal information. Full details of these may be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
