Effective September 2020
I am Niki Costas Tanto, BACP Accredited and UKCP Registered Psychotherapist, and I provide psychotherapy and counselling services under the auspices of Roohaz Limited, trading as Roohaz Counselling & Psychotherapy.
I aim to be as clear as possible about how and why I use information about you so that you can be confident that your privacy is protected.
This policy describes the information that I collect when you use my services. This information includes personal information as defined in the EU General Data Protection Regulation (GDPR) 2018.
- Why do I need to collect your personal data?
1.1 I need to collect information about you so that I can know who you are and can communicate with you.
1.2 To provide my services to you.
1.3 Process your payment for my services to you.
1.4 Verify your identity so that I know I am dealing with the right person.
1.5 Contact you in case there is a problem with our arrangements, for example, re-arranging an appointment.
- What personal information do I collect and when do I collect it?
2.1 Your name, postal address, telephone number, email address, date of birth and GP’s details.
2.2 I collect this information directly from you at the start of your treatment.
2.3 I may also collect information about you from third parties, for example if you have been referred to me by a referral agency or insurance company.
2.4 I write brief clinical notes referring to your treatment.
- How do I use the information that I collect?
3.1 To communicate with you so that I can inform you about your appointments with me, I use your name and your contact details such as your telephone number, email address or postal address.
3.2 If you have requested an invoice I use your name and email address.
3.3 To process your payment, I use your name and your payment card details (only partial payment card details are kept, as when you pay by card this is taken immediately using a mobile card-reader). There is also an option to pay using PayPal via my website which retains personal data within my secure PayPal account.
3.4 I use clinical notes to keep a record of your attendance and progress in treatment.
3.5 My Professional Will
Your name, telephone number and email address are shared with my clinical supervisor in the event that you will need to be contacted by them on my behalf. Once you finish treatment, my clinical supervisor will destroy all personal data they hold on you.
- Where do I keep the information?
4.1 As a paper copy
- At the start of your treatment I complete a ‘personal data sheet’ with name, postal address, telephone number, email address, date of birth and GP’s details. This paper copy is kept in a locked metal filing cabinet in my home office.
4.2 Electronic format
- I keep records on my computer, which is password-protected and encrypted.
- Electronic format includes an Excel spreadsheet with your name, telephone number and email address.
- It also includes your clinical notes.
- How long do I keep the information?
I will keep your personal data and clinical notes for 7 years from completion of treatment, after which point they are securely deleted. Any paper documents will be confidentially shredded.
- Who do I send information to?
6.1 I would never send any aspect of your personal data to any third party without your explicit written consent and/or unless required to do so by a court of law.
6.2 I may write to your GP if I consider that you are at risk of harming yourself or another and I would normally discuss this with you before doing so. In extreme circumstances of imminent risk, I would contact your GP directly as my duty of care to you.
6.3 If you have been referred to me by an EAP (employee assistance programme), all information about you is communicated through their own encrypted extranet system, for which I have my own login and password.
- How can you see all the information I have about you?
You can make a subject access request (SAR) by contacting the Data Protection Officer. I may require additional verification that you are who you say you are to process this request. I may withhold such personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.
- What if your information is incorrect or you wish to be removed from my system?
Please contact the Data Protection Officer. I may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide me with the correct data and after I have corrected the data in my system I will send you a copy of the updated information.
- How can you have your information removed?
If you want to have your data removed I have to determine if I need to keep the data, for example, in case HMRC wish to inspect my records. If I decide that I should delete the data, I will do so without undue delay.
- What if there is a data breach?
My Data Security Procedure includes a clear process for handling a personal data breach, should one occur. Where appropriate, I will promptly notify you of any unauthorised access to your personal information.
- Will I send emails and text messages to you?
As part of providing my services to you I will communicate with you via email or SMS text message in order to send you details of appointments and consulting room locations. Any clinical information, form letters or reports will be emailed to you in a password-protected format.
12.1 Description of cookies on my website:
These cookies give me critical information about various pages on my website and how users interact with them. I use this information to improve the performance of my website and the information presented to users.
A set of cookies designed to deliver the smooth running of my website and to identify areas of improvement in the browsing experience.
12.2 How to reject and delete cookies
To find out more about cookies, visit www.allaboutcookies.org.
If you wish to raise a complaint about how I have handled your personal information, you can contact me directly and I will investigate the matter. If you are not satisfied with my response or believe I am not processing your personal information in accordance with the law, you can complain to the Information Commissioner’s Office (ICO), www.ico.org.uk.
- Data Protection Officer
Disclosures in the public interest may sometimes be necessary. Public interest is the general welfare and rights of the public that must be recognised, protected and advanced. Disclosures in the public interest, based on the common law, are made where this is essential to prevent a serious and imminent threat to public health, national security, the life of the individual or a third party, or to prevent or detect serious crime.
If either of us or another client contracts coronavirus, I may need to share your name and contact details with the NHS to support the NHS Test and Trace Service and for reasons of public interest in the area of public health.
Last updated September 2020.