Dr Alice Martell Ltd aims to be clear about how and why information about you is used so that you can be confident that your privacy is protected.
This policy describes the information that Dr Alice Martell Ltd collects when you use the service. This information includes personal information as defined in the General Data Protection Regulation (GDPR 2018).
The policy describes how your information is managed and protected when you use this service.
Dr Alice Martell Ltd uses the information collected in accordance with all the laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Dr Alice Martell, Clinical Psychologist is the data controller. If another party has access to your data, we will tell you if they are acting as a data controller, or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.
If your questions are not fully answered by this policy, please contact me directly at firstname.lastname@example.org. If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk
What Personal Data is held?
You will be asked to complete a registration and consent form when your child starts therapy which includes details of: –
- Child’s name and date of birth
- Parents’ names and address(es)
- Whether or not each parent has parental responsibility
- Your telephone and email contacts
- Your child’s GP’s name and address
- Your child’s school name, address and a named contact
- Where relevant, you may be asked for contact details of other professionals involved (this might include paediatricians, social workers etc)
To inform a high-quality and effective assessment, formulation and intervention process, you may be asked to provide copies of reports from school, or other professionals (for example, Educational Psychologists, Paediatricians). These reports may contain relevant information in relation to school grades, IQ scores, diagnoses in relation to education or health (for example, dyslexia, Asperger’s syndrome, or a medical condition) and as such may contain ‘special category’ personal data. I may also receive reports containing similar special category personal data directly from health and educational professionals.
You and your child will be asked to complete questionnaires in relation to health-related quality of life, emotional wellbeing and behaviour as a way of establishing a baseline and monitoring progress. This information can be considered ‘special category’ personal data.
On the website cookies are used to make the site easier to use and to track the traffic patterns of visitors. We are operating an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy with this, then you should adjust your web browser settings to disallow cookies.
In relation to processing payment, your name will show up on invoices and bank statements.
Why do I need to collect your personal data and how do I use it?
This information is required so that: –
- I know who you are, and can communicate with you in a personal and efficient way in relation to appointments, session summaries and updates in relation to liaising with other professionals. The legal basis for this is a legitimate interest.
- I can deliver a psychology service to your child and family. The legal basis for this is the contract with you.
- I can process your payment. The legal basis for this is the contract with you. Where payment is provided by your insurance provider, invoices will be sent to them according to their payment processing procedures.
- I can verify your child’s identity when liaising with key professionals. Liaising with key professionals is a key part of the assessment, formulation and intervention process. It is also required as part of risk management procedures as per my code of conduct. The legal basis for this is a legitimate interest.
- I can gather key information from professionals in education, health and other settings in order to complete a thorough assessment, and liaise as part of the intervention when required. The legal basis for this is a legitimate interest.
- I can identify areas of difficulty and monitor change. The legal basis for this is legitimate interest.
- To provide you with a useful and relevant website. The legal basis for this is legitimate interest.
Where is your information kept?
- The registration and consent form, contract, and questionnaires completed as part of initial assessment and ongoing monitoring are all held on file.
- Handwritten notes are taken during sessions and telephone liaison, and are also kept on file.
- Emails are printed and stored on file, and text messages are also written down and stored on file.
- Paper copies of reports from other professionals are also held on file.
- Paper copies of assessment, update reports or referrals to other services are printed and held on file
Files are held in a locked filing cabinet.
- Any information provided electronically is saved on computer. This might include reports from other professionals, or emails received or sent, or minutes distributed following a professional’s meeting
- Typed ‘formulations’ and assessment, monitoring or closing reports are saved on computer.
- Questionnaire summaries are stored on computer
- Some typed session summaries which will have been shared with your child are stored on computer
- Typed referral forms to other agencies (e.g. CAMHS, Children’s services) are stored on computer
- Invoices are stored on the computer
The computer is password protected, and documents saved are also encrypted and password protected. Documents are backed up and saved on a USB device which remains locked in the filing cabinet.
Emails are accessed either via computer, or mobile phone, both of which are password protected.
Microsoft OneDrive may be used to store data at the point of discharge. The server for Microsoft OneDrive is located in the UK.
Who is your information sent to?
Your consent is sought before any verbal or written communication takes place that might involve sharing your personal data with other professionals.
Reports and distribution lists are reviewed and agreed with you before sending out. This may include your GP, school, paediatric health professionals, or children’s services. Your healthcare insurance provider may request a copy of the report. Reports are usually distributed via the postal system.
Reports are sent to you, and anyone we are required by law to inform.
Circumstances where we are not required to seek your consent include: –
- If there is a concern you are putting yourself, or another person at risk of serious harm
- If there is a concern that your child is at risk of serious harm
- If we have been instructed to do so by a court
- If the information is essential for the investigation of a serious crime
Documents sent electronically to you or other professionals will be sent as attachments that are encrypted and password protected. The password will be sent by an alternative means, i.e. by text.
Invoices will be sent to insurance providers via their identified system.
How long is the information kept for?
GDPR requires that personal data is ‘kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the information was processed’.
Open case notes will be reviewed on an annual basis and any information received from family or other professionals that is no longer relevant to the work being conducted will be shredded or deleted as appropriate.
When a decision has been reached that no further sessions will be offered, access to notes containing personal data may be needed in the future either at the point of re-referral to service, or in relation to supporting an investigation following a serious incident, allegation or complaint being made.
As such, only information identified as being ‘potentially necessary’ in these circumstances will be held in pseudonymised format. This means they will be allocated a code and any personal data will be removed. The document linking the code with the identity of your child will be kept on the computer, in an encrypted format. All other documentation will be shredded or deleted as appropriate in the January following a year after discharge.
- Re-referral to service.
Families are encouraged to look after their own copies of formulation and intervention plan, session summaries when given, copies of reports, therapy blueprint & setback management plans and other documentation so should they need to access the service again, or access another service, they have access to any information they think might be relevant.
Information identified as being ‘potentially helpful’ in relation to re-referral may include formulation and intervention plan, psychology reports/GP letters and therapy blueprint and setback management plan. These documents will be held in pseudonymised format for seven years.
- Supporting an investigation following a serious incident, allegation or complaint being made.
Information identified as being ‘potentially helpful’ may include terms and conditions, consent forms, any paper notes where risk is identified and advice given in relation to this (this could include in relation to harm to self or others, or safeguarding issues) and any record of communication with other agencies in relation to sharing concerns in relation to risk. These notes will be kept until the age of 25, or held for 7 years after discharge (if patient is over the age of 18) in line with BPS practice guidelines and NHS health records guidance.
Enquiries: – In line with guidance from digital NHS UK, data gathered during the process of communicating in relation to enquiries not taken on will be retained for two years and will be deleted at this time.
Invoices and Bank Statements: – In line with guidance from HMRC, invoices will be kept for 6 years + the current accounting year.
How can I see all the information about me?
You can make a subject access request (SAR) by contacting the Data Protection Officer. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
What if my information is incorrect or I wish to be removed from your system?
Please contact me on email@example.com. You may be required to provide verification that you are who you say you are to process this request.
If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format as the subject access request in section 7.
If you want to have your data removed we have to determine if we need to keep the data, for example, in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
If a data breach occurs, this will be recorded.
If a data breach occurs where a data subject could be identified, the ICO will be informed.
If a data breach occurs which identifies a data subject and could damage or infringe their rights, the ICO and data subject will be informed.