1. Why we collect data on you
We collect information about you to provide you with psychological assessment and treatment and because it supports the provision of a safe and professional service. It is therefore in our legitimate interests as Registered Psychologists and CBT Therapists to collect your personal data. We also collect sensitive ‘special category’ data (such as details about psychological difficulty). The lawful reason for doing so is that it is necessary for the provision of safe and professional (mental) health treatment (psychological therapy). You do not have to agree to share information with us; however, in many cases we may not be able to offer you a service if you do not.
2. Collection and Use of Personal Data
You may be asked to share personal information any time you are in contact with Surrey CBT & Psychology. The information we collect about you will be used to offer you the best possible service and to comply with legal requirements. It will not be shared with 3rd parties unless there is a legal requirement to do so or it is in your best interest, but this will always be discussed and agreed with you in advance.
3. What Personal Data We Collect
When you get in touch, you may be asked for some basic personal information such as your name, email address and telephone number as well as some more sensitive information about the difficulties you are seeking support for.
If you are being referred by a third party such as your GP, Psychiatrist or your medical insurer, they might provide us with information like this on your behalf.
When you start to receive a therapeutic service from us the information you share during sessions will be recorded in session notes.
All of this information will be kept together in your personal records.
4. How We Store your Personal Information
All your personal information is stored in a variety of paper and digital files. Your telephone number may also be stored on SMS if you have communicated using this method. A number of administrative and technical measures are kept in place to ensure the safety and security of your personal information. For example:
• Locked filing cabinets with keys stored offsite when not in use
• Encrypted Cloud Storage
• Regularly deleting emails
• All smartphones and computers used are password protected
5. Protection of your Personal Information
Surrey CBT & Psychology takes the security of your personal information very seriously.
No one apart from your treating therapist has access to your personal records at any time.
When information about you is sent to a third party it is sent in a password protected document or via encrypted email.
Any information stored digitally is stored in an encrypted format.
6. How We Use your Personal Information
We use the information you provide us to:
• Respond to your enquiries
• Communicate with you about appointments
• Offer you high quality therapeutic interventions and treatment packages
• Comply with the law
• Create invoices
• Keep accurate payment / accounting records
7. Disclosure to Third Parties
Surrey CBT & Psychology will only disclose your personal information to 3rd parties when:
• There is a legal requirement to do so
• You have given consent for the information to be shared, for example, reports or treatment summaries to other health care professionals involved in your care or to medical health insurance companies
• There are concerns about someone’s safety or wellbeing
• We are required as part of our professional practice to have supervision for the assessment and treatment we provide to maintain standards. We discuss our work with qualified supervisors (registered psychologists or CBT Therapists equally bound to keep information confidential).
• We need to arrange for the funding and/or payment of services received, for example, with medical health insurance companies or a secure health code invoicing system.
8. Accuracy and Retention of Personal Information
Surrey CBT & Psychology makes every effort to keep your personal information accurate, complete, and up to date. If any of your information changes please let us know so that we can update our records.
We are legally required to hold certain information about you for a set period of time. Electronic and paper documents are kept securely for 7 years after treatment ends or for 7 years from the date you turn 18 if you were seen as a child. This is in line with professional and HMRC guidelines. All personal information will be deleted or securely destroyed at the appropriate time and we will not keep your personal information for longer than is required or permitted by law.
9. Access to Personal Information
You are entitled to access the information stored about you at any time. If you would like access please make the request in writing to the address given below and Surrey CBT & Psychology will endeavour to respond within 30 days.
10. Additional Rights
You may also have the right to:
• Be informed of what information we collect and hold about you and how it is processed
• Rectify any inaccurate or incomplete personal information
• Restrict the processing of your personal data under certain circumstances
• Object to the processing we carry out if the processing is carried out on a legal basis other than that outlined in this policy
• Request your personal information be erased under certain circumstances or when our processing no longer has a lawful basis (we would discuss whether this right can override the requirement to retain data).
If you believe you have any of these additional rights or you wish to exercise them, please let us know.
11. What happens if there is a breach of data security
Should there be any breach with regard to your personal data, this will be reported to the ICO within 72 hours together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again. The individuals affected will also be informed if this occurs.
12. Children and Young People’s Personal Information
Surrey CBT & Psychology understands the importance of taking extra care to protect the privacy and safety of children and young people.
The information we may collect about children and young people includes things like:
Basic Information: Name, Address, Date of Birth, School
Characteristics: Sexuality, Gender Identity
Sensitive Information: Emotional and Behavioural Difficulties, Academic Ability.
We use the information to provide high quality therapeutic interventions. Although there is no obligation for children and young people to share this information with us, in many cases this will prevent Surrey CBT & Psychology from being able to offer them the best possible service.
We store this information in the same way as we store other information detailed in this Privacy Notice.
We only share this information with 3rd parties when we are required to by law (for example to protect the welfare of a child, young person or vulnerable adult) or when it is in the best interest of the child or young person. However, we always discuss this with children, young people and their parents/carers beforehand and where possible obtain consent.
13. Questions about Privacy and Details of Data Controller
If you have any questions or concerns about this Privacy Notice or how we process your information or if you would like to make a complaint about a possible data breach please contact:
Dr Louise Oliver, Surrey CBT & Psychology, Castle House, Park Road, Banstead, SM7 3BT
Please include “DATA ISSUE” in the subject line.
We take data security extremely seriously and all such communications are examined and replies issued where appropriate as soon as possible. If you are unsatisfied with the reply you receive, you may refer your complaint to the Information Commissioner’s Office (ico.org.uk).
We may occasionally make changes to this statement and when we do we will post the update on the Surrey CBT & Psychology website.