This document outlines Sara Davies’s procedures for collecting, storing and processing personal data.
These procedures conform with GDPR legislation and with the Codes of Ethics and Professional Practice of the professional bodies that I belong to, namely the UK Council for Psychotherapy (UKCP), the Gestalt Psychotherapy Training Institute (GPTI) and the Welsh Psychotherapy Institute (WPI).
Contact details for further information: email@example.com or 07395 435327
What information I ask for and why
If you contact me to request therapy services, I will offer you an initial appointment, which is an opportunity for us to meet and discuss any questions or concerns before deciding whether to proceed with therapy. If we decide to proceed, I will ask you for some personal information (via an Intake form). Some information is essential and I will not be able to proceed without it, while other information is helpful but not essential:
• Your name
• Your address
• Your phone number and email address
• GP name & phone number
• Any significant medical problems that you have
• Any other current engagement with health/care professionals
• Emergency contact details
What I will use your information for
To contact you to arrange appointments and discuss any changes to appointments
To support you effectively in the case of an emergency
What information I will record about our therapy sessions
After each therapy session, I write case notes. These notes include the date and time of the session, a brief outline of the content of the session and my interventions. They do not include any names or other identifiable information.
I will record how much you pay for the session.
How I will securely store your information
I will store your phone number in my work mobile phone for the period that you are engaging in therapy. I will only use a first name, and the phone is secured with a passcode. I will delete your number when you finish your course of therapy.
I use a dedicated mobile phone handset and sim for my therapy practice. No social network platforms (e.g. facebook/meta, twitter) or other apps that store or use personal contact details are installed on this handset. I do not give apps permission to access Contacts, except to make phone calls and send texts.
I will store your email address in the email account that I use for my therapy practice, which is with the encrypted email server Protonmail. I access my emails via my work mobile phone and laptop, both of which are secured with passcodes and antivirus software. I will delete your email address and any email correspondence when you finish your course of therapy.
I will store your contact details, intake form, case notes, and a record of your payments for sessions on a secure hosting platform called Bacpac. Bacpac is encrypted software which fully complies with the Data Protection Act and is GDPR compliant. If you have any questions about Bacpac software, I will attempt to answer them or you can contact the provider directly at firstname.lastname@example.org
If you provide me with any paper documents, I will scan these and upload them onto the secure server at Bacpac and then shred the original. If you email me any documents, I will save them onto the secure server at Bacpac and delete the original.
I will keep your file and case notes for six years on the secure platform Bacpac, in line with the Statute of Limitations for the rare situation of case notes being subpoenaed for a court case.
I will keep a record of your payments for therapy sessions for five years, in line with the advice of the Financial Conduct Authority.
I will delete all other information I hold relating to you immediately after our last therapy session, or sooner if you request that I do so.
In line with my professional (UKCP, GPTI and WPI) Codes of Ethics and Professional Practice, I meet with another qualified therapist for supervision. The focus of these sessions is the development of my practice and, when I discuss our work together, I will only share your first name and no identifiable information.
I sometimes use a digital recorder to record a therapy session, so that I can reflect on my practice with my supervisor. You are under no obligation to consent to this, and I will not record sessions without your written consent.
If you consent to me recording your session, I will transfer the file to my laptop and protect it with a password, and delete it from the digital recorder. You can withdraw your consent or ask me to delete the file at any time, and I will comply with your request.
Sharing your information with other organisations and people
I will not share your personal information with anyone except in an emergency, or if you ask me to do so.
In the case of a medical emergency, I may contact your GP or the ambulance service. If I believe that you or someone else are at immediate risk of serious harm, I may contact the police.
I will always attempt to discuss the sharing of information with you first and gain your consent but, in some situations, the law may require me to contact an authority without your consent.
If you have provided me with an emergency contact, we will agree together under which circumstances I would contact them. I do not require you to provide an emergency contact.
If I am unable to practise (for example due to serious illness or death), my therapeutic executor (a fellow therapist) has a passcode that enables them to access your name and contact details via Bacpac so that they can inform you of the circumstances. However, they are not able to access your notes or any other personal information.
My website saradaviestherapy.net uses a Secure Sockets Layer (SSL) which encrypts the connection between the browser and web server and securely transmits information, ensuring that the transferred data cannot be read or modified by third parties.
I do not use any social media apps on my work mobile, with the aim of ensuring that no apps are able to contact you without my awareness.
I use a specific email account for my therapy practice, and do not use this email address to sign in personally to social media platforms.
In order to ensure appropriate therapeutic boundaries, I do not ‘friend’ clients or former clients on social media platforms.
When using social media, I aim to be mindful of my ethical and professional commitment to anti-oppressive practice in terms of what I post, link, tag, ‘like’.
Online and phone counselling and therapy
I make every effort to ensure full confidentiality. Based on the information provided by the video conferencing, phone, email and data storage services that I use for counselling and therapy, I am satisfied that these services are secure and confidential. Nevertheless, I do not control these platforms and services and there may be a risk when using third-party applications.
You have rights and control over how your data is used, and the relevant laws are the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA):
• You have the right to be informed of what information I hold, and how it is stored and processed;
• You have the right to see the information I hold about you, free of charge;
• You have the right to rectify any inaccurate or incomplete personal information;
• You have the right to withdraw your consent to my using your personal information;
• You have the right to request that your personal information be erased.
I can decline requests to erase information that I need to retain in order to practise lawfully and competently.
How to request a copy of your information, deletion of information, or amendment of information
You can ask me during a session or contact me via the contact details at the top of this document.
I will comply with your request as soon as I am able to and in any case within one month.
How to complain
You can complain if you think I have broken the GDPR or DPA 2018 laws. You can speak to me in a session or contact me via the contact details at the top of this document to discuss any concerns in the first instance and I will attempt to resolve the issue.
Complaints about data protection are handled by the UK government’s Information Commissioners’ Office. Information about raising a concern can be found here: https://ico.org.uk/for-the-public/raising-concerns/
Sara Davies is a data controller for the purposes of the DPA 2018 and GDPR.
The lawful basis for Sara Davies to process data (as set out in Article 6 of the GDPR) is the basis of Consent (i.e. the individual has given clear consent for you to process their personal data for a specific purpose).