Last Updated March 2023
Amalthea Therapy is committed to keeping your personal information safe and complies with General Data Protection Regulation (GDPR). Please find below details about how I process and keep safe the data I hold that pertains to you.
What therapy client data GDPR is held about you?
I keep certain data so that I can work safely and professionally with you, in line with the guidelines of professional organisations that I belong to, including UKCP, BACP and ACTO.
The therapy client data I hold may include:
● Your name and address
● Your phone number and email address
● An emergency contact’s name and phone number
● Relevant medical information
● Artworks you may create (unless agreed otherwise)
● Session notes
● Payment information
● My emails to you, and yours to me
● Invoices
You have the right to know what therapy client data I hold, why I hold it, and for how long I hold it. You also have the right to view it, and to ask for changes to be made.
If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible.
How, why, and for how long is your data held?
To try and make things as clear as I can, I’ve divided this into ten sections. You’ll need to consider each section individually, and if you consent then tick the relevant boxes in the contact form.
If you do not wish to give your consent, you have the option to discuss with me, and it may be possible to create a bespoke agreement between us.
You have the right to withdraw your consent at any time. We would need to discuss what this might mean in practice, with the primary aim being to keep you safe. However, there may be certain situations that require certain information to be retained, and I may need to seek legal advice in this case.
1. Your name and address
How I keep this data?
I keep your name and address in a digital password protected file and the file is stored in my online password protected cloud account. These are kept separate from your session notes.
My clinical supervisor has your first name in paper form, kept in their locked filing cabinet.
Why I keep this data?
This is required by my professional liability insurer and by my professional organisations (BACP and UKCP).
How long I keep this data?
My professional liability insurer advises that I keep this data for seven years. After that time it is destroyed.
My clinical supervisor will destroy the data when you and I finish our work.
Who sees the data?
Myself. My clinical supervisor will see your first name, but not your surname or address.
2. Your phone number and email address
How I keep this data?
I keep your phone number in my mobile phone under an identifying code, not your name. My phone is locked with a passcode when I am not using it. Your email address is held in my password protected email account, which is encrypted.
Neither my computer nor my phone are shared with anyone else, unless it is required by a technician for maintenance.
I also keep your phone number and email address in a digital password protected file and the file is stored in my online password protected cloud account. These are kept separate from your session notes.
Why I keep this data?
This is needed in case I have to contact you (for example for rescheduling sessions or sending an invoice).
How long I keep this data?
I will remove this data when we have finished our work, unless you tell me that you would like me to retain it in case we work together again in the future.
Who sees the data?
Only myself.
3. Emergency contact’s name and phone number
How I keep this data?
I keep this data along with your name and contact details in a digital password protected file and the file is stored in my online password protected cloud account.
Why I keep this data
It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you. You and I may agree together on some other reason that I might contact this person, based on your best welfare.
How long I keep this data
When we finish working together, I will delete this data, unless you and I decide to make other arrangements.
Who sees the data
Only myself.
4. Your GP name and contact details
How I keep this data
I keep this data along with your name and contact details in a digital password protected file and the file is stored in my online password protected cloud account.
Why I keep this data
You and I may agree together on some reason that I might contact your GP, based on your best welfare, for example discussing diagnosis, treatment plan or safety procedures.
How long I keep this data
When we finish working together, I will delete this data.
Who sees the data
Only myself.
5. Relevant medical information
How I keep this data
I keep this data along with your name and contact details in a digital password protected file and the file is stored in my online password protected cloud account.
Why I keep this data
It may be relevant to share certain medical information when:
(a) Your mental health history, diagnoses etc may inform my treatment plan to make it more appropriate for you
(b) There is any risk that health conditions such as seizures, diabetes, etc may impact a session
(c) Your medications may affect our work
(d) You have any allergies that I should be aware of in order to keep you safe.
How long I keep this data
When we finish working together, I will delete this data.
Who sees the data
Only myself.
6. Artworks
How I keep this data
Your artworks are kept in a locked cabinet in my house until the end of our work together. Your initials or identifying code are written on the back of each artwork, along with the date.
Why I keep this data
It is standard practice in Therapy for the artworks to be retained by the therapist whilst treatment is ongoing. However, you may choose to take them away with you at any agreed time. Sometimes an artwork is temporary (e.g. play-dough, sand-tray) and will be dismantled after a session. You may choose to photograph your artworks, and as such you are responsible for the security of the content.
If we are working together online, you hold the artworks, unless we jointly agree that they are digitally kept e.g. on a designated Pinterest board. You are advised that images held digitally may not be secure. Where you choose to email artworks to me, this should be done securely, e.g. using WeTransfer, and I will transfer them onto in my password protected cloud account.
How long I keep this data
When our work together ends, you may take your artworks away. If you choose not to take them, I will dispose of them securely.
Who sees the data
Myself and my clinical supervisor.
7. Session notes
Notes may include dates and times of attendance, and brief notes on important themes from the session. I do not keep detailed session notes. I keep a ‘clear desk’ policy, which means that session notes and other information are not left unattended.
How I keep this data
I keep brief session notes in paper form in a locked filing cabinet. Your name or other identifying details are not kept with your session notes; only a code is used.
Why I keep this data
Brief notes may remind me of important points I want to be sure to remember to discuss in our next session, and/or in supervision.
How long I keep this data
After the work has been discussed in supervision, I may destroy any notes (or parts of notes) that my supervisor and I do not consider necessary to keep for longer.
My current policy is to destroy session records three years after our work finishes. If you would like me to retain them for a longer period, please discuss this with me.
Who sees the data
Only myself.
8. Payment information
How I keep this data
I make a note of payments you have made, on a password-protected financial spreadsheet for my business which is stored in my online password protected cloud account. I may also outline invoices and record payments in my paper diary, but under a code rather than your name.
Why I keep this data
As a small business owner, I am required by law to retain certain financial information, primarily for tax purposes.
How long I keep this data
I keep financial information for 7 years as advised by HMRC.
Who sees the data
Payment by cheque will be processed by my bank, but your account name will not be visible on my bank statements.
Banking transactions may be viewed by employees of the bank, my accountant, my financial advisor, and tax officers (HMRC).
When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.
9. Your emails and texts
How I keep this data
I may delete emails after I have noted the contents (for example, emails around scheduling). Any emails that I consider it necessary to keep are retained in my password protected email account, which is encrypted.
Why I keep this data
I may keep emails if I consider it clinically necessary.
How long I keep this data
I will delete emails when our work ends, unless they form session notes (in which case, see above).
Who sees the data
Only myself.
10. Invoices
How I keep this data
I create invoices on my laptop using Pages, and then export as pdf. Invoices are kept as password protected documents in my cloud password protected account.
Why I keep this data
I use the invoice to create the next one (in the case of ongoing work) so that I can revise and update it with new information.
How long I keep this data
I keep the invoice for a short time whilst I monitor payments (usually this is one month). Once payment has been made, and any further invoice has been created, I delete the invoice.
Who sees the data
Only myself.
11. Clinical Will
In the event of my death or sudden illness that means I am unable to contact you; I have appointed a Therapeutic Executor who will take care of contacting you on my behalf. They are a qualified counsellor/therapist and adhere to the same ethical framework and confidentiality that I adhere to. They will only access your contact details in an emergency and discuss with you appropriate onward arrangements.