Matthew Harwood

PRIVACY OF INFORMATION STATEMENT

(Private Clients)

 (In compliance with the General Data Protection Regulation, GDPR.)

Who is the Data Controller?

1. Myself – Matthew Harwood.

What information do I hold?

2. I collect the following: client/supervisee name, address, phone numbers, email address, date of birth, email mailing preference, next-of-kin contact details and GP details together with dates of appointments with me, dates of cancellations and payment records.

3. I also hold copies of emails between the client and myself.

4. I also record notes of some but not all client/supervisee sessions on paper records and on computer.

Where does the data come from?

5. Supplied by yourself when applying to work with me, or before or during sessions, or by colleague referral, or from practitioner directories.

What do I do with your information?

6. The information referred to in paras 2 & 3 above is stored on paper records and on a password protected computer.

7. The information referred to in para 4 above is stored on paper records in a locked filing cabinet and/or in a locked store and on my password protected computer. The surname is not included on the notes and all reasonable care is taken to exclude any information by which you may be personally identified.

8. Your name and phone number may be stored on my mobile and in my landline phone.

9. I will use your phone number, text address, email or postal address to contact you regarding appointments and to reply to you if you make contact with me. (If you ask me not to contact you by email this will be respected.)

10. Statements of Account and/or Invoices recording the dates of your sessions and any cancellations and the amount to be paid may be sent to you monthly by post or by email or given by hand when we meet. (If you ask me not to post or email them this will be respected.)

11. The information covered by this privacy statement is backed up (a) on a password protected external hard drive and (b) in the cloud using a secure encrypted back-up service. 

Who do I share it with?

12. I do not share the information which you give me with any third party except as shown in the section on confidentiality below.

How long is the information kept?

13. The information covered by this privacy statement will not be retained by me later than 7 years after your last session with me as a client. Thereafter it will be destroyed.

14. Where a computer is decommissioned specialist software will be used to erase the information from the hard drive.

Confidentiality

15. Information you share with me will be kept strictly confidential and will not be disclosed without your consent. There are some exceptions to this rule, however, and a comprehensive list is provided in the IGAP Code of Ethics & Practice obtainable from www.igap.co.uk. The main exceptions can be summarised as follows:-

(a) I reserve the right to contact your doctor (and to hold any necessary discussions) in the event of an emergency.

(b) I reserve the right to break confidentiality if necessary to prevent harm to yourself or others. This would include situations in which children are put at risk (eg by sexual or physical abuse or neglect).

(c) In accordance with accepted good practice, I reserve the right to review your treatment from time to time in ‘supervision’ with a professional colleague or colleagues or for the purposes of applying for professional accreditation. Any such colleague would be bound by similar rules as to confidentiality. I would take pains to preserve your anonymity and disguise any information by which you might be identified.

(d) Names and phone numbers of clients and supervisees are shared with/or available to my two professional executors as required by the rules of my professional society. One of these would contact you in the event of my death or being unable to work and unable to contact you myself.

(e) I reserve the right to disclose client information in other circumstances but only where you have given me explicit permission in writing.

(f) In common with normal NHS practice, I sometimes use the services of a confidential secretary to type up notes of sessions which I dictate and then email to her. The notes which she types are anonymous and are referenced by a numbering system. In addition my secretary is bound by a written contract (available on request) to observe the utmost confidentiality. This includes deleting the information from her computer as soon as the completed notes are emailed back to me. The email transmission from me to her is protected by one password and from her to me by another password. (If you do not wish me to use my secretary for typing up the notes of your sessions please let me know in writing and alternative arrangements will be made.)

(g) I reserve the right to disclose any client information which a court order obliges me to disclose.

How do I ask for and record consent?

16. I supply each new client with notes about how I conduct my practice and ask for them to sign to show that they accept the terms and conditions outlined. I also serve them with a copy of this (GDPR) leaflet. Any other consents are obtained in writing.

How long are records kept?

17. Client records and personal information are stored for a maximum of 7 years after a client has ended, then all client files are securely destroyed.
18. Information kept upon any computer will be erased when the computer is decommissioned.

What is the legal basis for processing personal data?

19. I am required to keep such data by the professional associations of which I am a member (IGAP, IAAP, UKCP) and also by my Professional Indemnity Insurers.

What are your rights?

20. You, as the client, have the right to: access a copy of your personal data and/or request a correction and/or erasure in certain circumstances, request limiting or ceasing data processing where applicable and a right to compensation for substantial damage or distress caused by data processing where applicable. Any request for your data will incur no fee and will be met by myself within 30 days.