This document outlines Sara Davies’s (Gestalt Therapist in Advanced Clinical Training) procedures for collecting, storing and processing personal data.
Contact details for further information
What information I ask for and why
If you contact me to request therapy services, I will offer you an initial appointment, which is an opportunity for us to meet and discuss any questions or concerns before deciding whether to proceed with therapy. If we decide to proceed, I will ask you for some personal information (via a Client Intake form). Some information is essential and I will not be able to proceed without it, while other information is helpful but not essential:
Your email address and/or phone number
Your date of birth and age
Emergency contact details
What I will use your information for
To contact you to arrange appointments and discuss any changes to appointments
To support you effectively in the case of an emergency
What information I will record about our therapy sessions
After each therapy session, I write case notes. These notes include the date and time of the session, a brief outline of the content of the session and my interventions. They do not include any names or other identifiable information.
I will record how much you pay for the session.
How I will securely store your information
I will store your phone number in my mobile phone for the period that you are engaging in therapy. I will only use a first name, and the phone is secured with a passcode. I will delete your number when you finish your course of therapy.
I will store your email address in my email account with the encrypted email server Protonmail. I access my emails via my mobile phone and laptop, both of which are secured with passcodes and antivirus software. I will delete your email address and any email correspondence when you finish your course of therapy.
I will store your contact details, client intake form, case notes, and a record of your payments for sessions on a secure hosting platform called bacpac. Bacpac is encrypted software which fully complies with the Data Protection Act and is GDPR compliant. If you have any questions about bacpac software, I will attempt to answer them or you can contact the provider directly at email@example.com
If you provide me with any paper documents, I will scan these and upload them onto the secure server at bacpac and then shred the original. If you email me any documents, I will save them onto the secure server at bacpac and delete the original.
I will keep your file and case notes for six years on the secure platform bacpac, in line with the Statute of Limitations for the rare situation of case notes being subpoenaed for a court case.
I will keep a record of your payments for therapy sessions for five years, in line with the advice of the Financial Conduct Authority.
I will delete all other information I hold relating to you immediately after our last therapy session, or sooner if you request that I do so.
In line with my professional (GPTI and UKCP) Codes of Ethics, I meet with another qualified therapist for clinical supervision. The focus of these sessions is the development of my practice and, when I discuss our work together, I will only share your first name and no identifiable information.
I sometimes use a digital recorder to record a therapy session, so that I can reflect on my practice with my supervisor. You are under no obligation to consent to this, and I will not do this without your written consent. If you consent to me recording your session, I will transfer the file to my laptop and protect it with a password, and delete it from the digital recorder. You can withdraw your consent or ask me to delete the file at any time.
Sharing your information with other organisations
I will not share your personal information with anyone except in an emergency, or if you ask me to do so. In the case of a medical emergency, I may contact your GP or the ambulance service. If I believe that you or someone else are at immediate risk of serious harm, I may contact the police.
I will always attempt to discuss the sharing of information with you first and gain your consent but, in some situations, the law may require me to contact an authority without your consent.
If you have provided me with an emergency contact, we will agree together under which circumstances I would contact them. I do not require you to provide an emergency contact.
If I am unable to practise (for example due to serious illness or death), my therapeutic executor (a fellow therapist) has a passcode that enables them to access your name and contact details via bacpac so that they can inform you of the circumstances. However, they are not able to access your notes or any other personal information.
My website saradaviestherapy.net uses a Secure Sockets Layer (SSL) which encrypts the connection between the browser and web server and securely transmits information, ensuring that the transferred data cannot be read or modified by third parties.
You have rights and control over how your data is used, and the relevant laws are the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA):
You have the right to be informed of what information I hold, and how it is stored and processed;
You have the right to see the information I hold about you, free of charge;
You have the right to rectify any inaccurate or incomplete personal information;
You have the right to withdraw your consent to my using your personal information;
You have the right to request that your personal information be erased.
I can decline requests to erase information that I need to retain in order to practise lawfully and competently.
How to request a copy of your information, deletion of information, or amendment of information
You can ask me during a session or contact me via the contact details at the top of this document.
I will comply with your request as soon as I am able to and within one month.
How to complain
You can complain if you think I have broken the GDPR or DPA 2018 laws.
You can speak to me in a session or contact me via the contact details at the top of this document to discuss any concerns in the first instance and I will attempt to resolve the issue.
Complaints about data protection are handled by the UK government’s Information Commissioners’ Office. Information about raising a concern can be found here: https://ico.org.uk/for-the-public/raising-concerns/
Sara Davies is a data controller for the purposes of the DPA 2018 and GDPR.
The lawful basis for Sara Davies to process data (as set out in Article 6 of the GDPR) is the basis of Consent (i.e. the individual has given clear consent for you to process their personal data for a specific purpose).