Keval Psychotherapy & Consulting: GDPR Policy

I am registered as a Data Controller for Keval Psychotherapy Practice with the Information Commissioner's Office (ICO). In line with the GDPR, I maintain an internal record of all processing activity, which includes a) recording the purpose of the processing; c) keeping a description of the technical and organisational measures taken to ensure an appropriate level of security. All lawful processing of personal data is set out in a privacy notice. This is a statement that discloses some or all of the ways a data controller collects, uses, discloses and manages a client/patient's data. I try to ensure that the information provided to individuals is concise, transparent, intelligible and easily accessible, and that it uses clear and plain language.

Personal data

Personal data identifying each client/patient is collected by me, Narendra Keval, to enable me to provide an initial assessment consultation, which may result in arrangements for further treatment being put in place. The basis on which I collect and keep client data is that of "Legitimate Interest". This means that the data is necessary for me to fulfil the contract that we have together (i.e. to provide an assessment or therapy) and that it is the data you would reasonably expect me to hold and use.

What personal data is collected?
The data I hold includes any information that a referral agency, professional colleague or external organisation has voluntarily sent me by email or by post. This information includes:

  • Basic information such as name, address, email address, phone number, date of birth and details of GP.

  • Basic information on presenting difficulties and my recommendations for further help.

  • Basic information on the main issues raised in your consultation/therapy session.

  • Information sent from any third party, e.g. a GP or other health professional.

Is data secure?

  • Any emails sent between us are held on a secure computer.

  • Any confidential documents sent by email are encrypted with a password; otherwise documents are sent by registered post.

  • Any notes are handwritten and/or typed into a document that is encrypted, and are kept either in a locked filing cabinet or in a secure folder on the computer. A coding system enables me to know whose notes are whose, but in the very unlikely event that a stranger accessed these notes they would not be able to identify who they refer to.

Is personal data shared or sold?
Data is not shared with anyone, except with the referrer where all parties have agreed to this disclosure, or with a client/patient's GP for any of the reasons covered by the Requirements for Disclosure, which are detailed and discussed at the initial meeting. This is also set out in my Terms and Conditions, a copy of which is given to the client/patient.

Personal Data will never be sold to a third party.

How long is data kept?
Your data is kept for 7 years, after which time any paper records are shredded.

What are a client/patient’s data rights?
Clients/patients have the following rights with regards to the personal data held:

  • The right of access. I will provide all data I hold on a client/patient within 30 days of a request. Copies of the personal data will be provided free of charge unless the request is manifestly unfounded or excessive.

  • The right to rectification. If any data I hold is incorrect, it will be corrected as soon as possible and, in line with the regulations, within one month; this may be extended to two months if the request is complex.

  • The right to erasure ("right to be forgotten"). This applies: 1) where the personal data is no longer necessary for the purpose for which it was collected or otherwise processed; 2) where the individual withdraws the consent on which the processing was based and there is no other lawful basis for the processing; 3) where the individual objects to the processing and there are no overriding legitimate grounds for it; 4) where the personal data has been unlawfully processed; 5) where the personal data has to be erased to comply with a legal obligation.

  • The right to data portability. Individuals can request that their personal data be returned to them or sent to another data controller. It will be provided in a structured, commonly used and machine-readable form. Data portability also applies where notes are sent to another colleague, agency or organisation, for example.

Personal Data Breach

  • Any personal data breach is recorded, regardless of whether it is required to be notified to the ICO.

  • A breach includes the accidental or unlawful destruction, loss or alteration of personal data, or its unauthorised disclosure. Notifiable breaches will be reported to the ICO within 72 hours of my becoming aware of the breach. If the breach is likely to result in a high risk to individuals' rights and freedoms, I will inform those individuals without undue delay.

  • Security software is used on the computer to detect possible data breaches so that they can be investigated promptly, which supports a timely decision on whether the ICO and the affected individuals need to be notified.


Consent

  • Consent aims to offer clients/patients real choice and control. I ensure that the individual is fully aware of the specific purpose of our meeting, whether an initial consultation or further treatment. This is done in a clear and concise way so that individuals understand what they are giving consent to.

  • Consent requests are kept separate from other terms and conditions.

  • Individuals have the right to withdraw their consent if they change their mind. This is also stated in the consent form.