Psychological Services Data Protection and Privacy Policy 

 

 

Dr Elizabeth Boyd Psychological Services Ltd aims to be clear as possible about, how and why, information obtained about client’s in the process of therapy services in the past, present or future, is collected so that they can be confident that their privacy is protected. Dr E Boyd Psychological Services Ltd has systems in place to protect client data. 

 

This policy describes the information that Dr Boyd Psychological Services Ltd (as Data Controller) collects when client’s use the service. This information includes personal information as defined in the General Data Protection Regulation (GDPR 2018). Dr Elizabeth Boyd Psychological services is registered with the Independent Commissioners Offices (ICO). The company’s ICO registration number is ZA072184.

 

The Policy describes how information obtained is managed when clients utilise the service, if they contact the service or when they are contacted by the service. It also provides further details to accompany specific statements about privacy that they may see when they use the website (such as cookies).

Information e.g. records about the client are kept in order to provide a service. Without doing so a service cannot be provided to the client and work undertaken by the company. 

Dr E Boyd Psychological Services Ltd follows the law and the codes of practice laid down by the HCPC and the BPS. Dr E Boyd Psychological Services Ltd uses the information collected in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and EU GDPR Rules. Dr Boyd has Legitimate Interestin keeping data. Dr Boyd has lawful reason in keeping data as per the criteria provided by ICO. 

 

As per these laws, Dr Elizabeth Boyd is the Data Controller. If another party has access to the client’s data the client will be informed if they are acting as a Data Controller or as a Data Processor, who they are, what they will be doing with the data and why that information needs to be shared.  For services around legal claims assessments, Dr E Boyd Psychological Services Ltd has 2 lawful bases for processing data – Legal Obligation and Legitimate Interest.  

 

Dr Elizabeth Boyd Services Ltd does not meet the necessary criteria for appointment of a Data Protection Officer.   

 

If client’s have any further questions that are not answered within the policy they can contact myself directly, Dr Elizabeth Boyd. 

 

1.     Why personal data needs to be collected

Dr E Boyd Psychological Services Ltd collects information about clients because they are a patient or client of the company. This includes those individuals assessed for the purposes of a legal or litigation claim. The legal basis of this data being processed is Legitimate Interest. In addition there is also lawful basis for processing of client data under Legal Obligation. This is because there may be instances in which ‘special category’ data needs to be processed about clients because within the service provided, provision of health or social care or treatment is being undertaken. This is usually for clients assessed for legal or litigation purposes. 

To provide a service, for payment of service and in order to maintain safety and prevention of serious harm, information about the client is collected so that: 

  • It is known who they are for communication with the client in a personal way. The legal basis for this is a Legitimate Interest. Data is processed because as a Clinical Psychologist or expert witness, documents need to be reviewed and analysed to enable an assessment and evaluation of the client or claimant. 

  • Services can be delivered to the client. The legal basis for this is the contract with the client. 

  • Payment for services can be processed. The legal basis for this is the contract with the client. 

  • The Client’s identity can be verified. The legal basis for this is a Legitimate Interest.

  • The client can be contacted where necessary for the facilitation of the service. The legal basis for this is a Legitimate Interest. 

2.     What personal information is collected and when

For services to be provided, the following personal and sensitive information is collected: 

  • Client’s full name (personal data).

  • Client’s contact details including a postal address, telephone number(s) and email address (personal data).

  • GP details and any referring agency e.g. health insurance company/solicitor (personal data).

  • Client’s Next of Kin (for emergency purposes only) (personal data).

  • Payment details or insurance details (personal data).

  • Therapy notes of sessions/meetings, gender and health history (Sensitive data).

  • If clients use the contact form via the website (Personal data)

Typically, this information will be collected directly from the client.  Information about the client may also be collected from third parties; for example, information from another health professional (e.g. Doctor or Occupational Therapist) to provide a complete health assessment; 

or from the referring agency if the client is being referred by another organisation. 

 

The Dr Boyd Psychological Services Ltd website is such that cookies are not used to gather information about visitors to the website or log the IP address of any user visiting the website. Where client’s use Google map links from the website, google may send cookies. Cookies are anonymous and contain no personal data. Clients or website visitors can turn off cookies in their website browser if they so wish. 

 

      Court or legal clients

      Where there is a legal reason for the involvement with the client (e.g. Expert witness, Court order) data is retained as required by the Court or solicitors involved. Special category data as well as personal data may be collected.  The source of this data could be from clients directly or their solicitors or other instructing party for litigation purposes. In the latter cases it should be that the client will have consented to the sharing of their personal data to us (e.g. medical record access). 

      

 

3.     How the information collected is used

The data collected is used in the following ways:

  • To communicate with the client in order to arrange appointments, the client’s name, contact details e.g. telephone number, email address or postal address, is used. 

  • To deliver the necessary service to the client the following is used, client’s name, contact details and the details about the case, including GP details and Next of Kin details, (in case of crisis and them needing to be contacted); and details of any other agency involved in the case for the purpose of a joined-up service.

  • Generation of invoices that uses the client’s name, date of birth, and details of any insurance or other agency that are invoiced on their behalf, including the case reference numbers for the respective agency to identify whom the invoice relates to.

  • For processing of any payment, the client’s name and payment card details are processed. The private therapy client’s payment card details will be processed at the time of any transaction. 

  • In accordance with HCPC (Health and Care Professions Council) good practice guidelines it is dictated that client’s case records and personal data are kept for 7 years whereupon they are then deleted.  This is because if any legal case, or further therapy occurs in that time, the client’s records are available to them, their legal party, or any allied treating clinicians/professionals as required.

 

4.     Where information is kept

Data is kept confidential within the Company at all times and shared only with relevant persons as absolutely necessary for the delivery of care. Information is stored as described below. Payment card details are not currently stored other than banking receipts.

  • Email Systems

Email systems used for business purposes are secured with a password.  Passwords are at least 10 characters long and contain letters, numbers, symbols with no actual words.  In order to manage secure incoming information from emails, data will be transferred from email to secure data storage and then the original email deleted e.g. where any email contains relevant client information in an email, the relevant data will be transferred. 

  • Mobile Phone

A client’s details e.g. first name and phone number, are not stored on a mobile phone. It is used to send and retrieve phone calls and texts and deleted after every use. The mobile phone can only be opened with a digit code known only to Dr Boyd. 

  • Company computers (Lap Top and Desk top)

A laptop stores temporarily client details for only as long as required for the purpose of service delivery (2 weeks). Client data will not be stored on the laptop for any longer than 2 weeks at a time. 

A personal laptop and desktop computer is located at the business base and at other locations as required. All computers are password protected. Passwords are changed regularly, and it is company policy that passwords are not shared. At base the laptop computer will be locked away in a lockable cabinet for security when not being used.

  • Customer records 

Paper notes made during sessions or client contact are electronically written up or scanned after the contact. The paper notes are then shredded. 

Client’s data records are encrypted and securely stored within the base office server (UK based) using Synology Network Attached Storage hardware, which conforms with GDPR requirements. 

All client’s personal data secure and away from potential malicious users, all data is stored via DiskStation Manager (DSM) which adopts an end to end encryption technology called Advanced Encryption Standard (AES), by storing all data in an encrypted format with a set of encryption keys. In addition, the DSM provides share-level AES 256-bit encryption to block unauthorized access attempts.  The server has a built-in firewall, accessible only via pre-authorised account holders.  The firewall permanently bans unauthorised access attempts after 2 failed logins. 

Dr Boyd is the only one that can decrypt the data and is the sole holder of the encryption key. The account is locked with a strong password and a 2-step verification. 

The laptop is encrypted using Apple’s full-disk Filevault, Apple’s firewall prevents others gaining access to the laptop.

  • Psychological Reports 

Where a legal claim process is the service delivery, report(s) are required that contain all the information gathered, the evaluation and conclusions to support the case or direct treatment. These are produced in Microsoft Word and usually password protected before being sent via a link to a SharePoint Microsoft 365 cloud system with the agency that requested the report.  In Civil Law cases these reports become the property of the Courts and will be used in the legal process.  It is important to note that anything discussed in an assessment, or therapy, may be included in the report. In addition, therapy notes may be requested by the Court, in which case anything discussed may be disclosed to the Courts and all parties in the case.

  • Accounts Processes 

Information about the client is kept in order to provide a service and to process payment (Accounts, Tax returns, invoices and receipts). 

Microsoft Excel is used for some aspects of accounting e.g. details of fee amounts and date fee is owed/received, but all client information in these documents is encrypted when stored.  Each year accounts are reviewed by an accountant who prepares a tax return.  The accountant has access to the Ltd company bank statements, that indicate payment data from individual clients and companies who choose to make bank transfers into the Ltd company.  These entries will often have the client’s name for reference purposes.

  • Paper documents

Hand written notes are used in face to face consultations with clients. These notes are used to create client records and reports produced either for the client, or other agencies, e.g. solicitors, case managers or insurance companies. Once a client record, or report has been created, the paper notes will be scanned, attached to the patient record in the electronic record system, and then shredded within 2 weeks of being generated.  Paper notes are stored in a locked filing cabinet at the business office until being scanned.  

5.     How long information is kept

Data is kept no longer than is necessary. Where it is not necessary to retain the data for any length of time, it will be deleted and/or destroyed as soon as possible. 

The electronic personal patient record, any reports and invoices are kept for six years in accordance and compliance with the HMRC and HCPC (professional indemnity) requirements. After six years the client records in the patient electronic record system including any reports and invoices are deleted. There may be legal exceptions to this however in the case of legal cases which will be discussed with the relevant clients as appropriate as required by the Court. 

6.     Who or where information is sent to or shared with

For therapy or private assessment purposes and where the client is self-funding, it is typical of good professional practice that GP is informed that their patient is involved and receiving psychological intervention by Dr E Boyd Psychological Services.    This is not essential however and therefore confirmation of consent for this information to be shared with the GP is obtained at first treatment contact.  In these circumstances personal data will not be shared without client consent. 

Duty of care and Professional obligations are such that the GP and any other relevant authorities e.g. Police or mental health crisis team, where there are immediate concerns about a person’s safety (client’s or other) which is determined by what information is provided by the client.  

Where clients are referred as part of a legal claim process or health insurance, a report is required to be sent to the solicitor, insurer or other referring agency, acting on the client’s behalf.  Information is shared on a need to know basis. All reports that are sent electronically are sent as attachments that are encrypted and password protected or shared via secure document sharing cloud systems. 

Electronic information in the form of invoices are sent to the company’ accountant. The accountant is based in the UK and all their computer systems are in the UK. 

Personal Therapy can be paid for via card payment via SumUp Terminal at sessions. For ease and preference however clients typically pay by bank transfer and client’s names therefore appear on the Ltd company bank statements.

Dr E Boyd Psychological Services Ltd does not currently have an online social media presence e.g. Twitter or Facebook.  

7.     How can clients have access to the information about them.

Clients can make a subject access request (SAR) or Right of Access’ under the Data Protection Act and the General Data Protection Regulation. This can be done by contacting the Data Controller (Dr E Boyd) in writing. Additional verification will be required to ensure a client’s identity for processing this request. A client can request a copy of their data free of charge. The following information can be supplied:

  • A description of all data held about the person

  • Information on how the data was obtained (if not supplied by individual themselves)

  • Information of why, what purposes the data is being held

  • What categories the personal data concerns

  • Who the data could be disclosed to

  • How long the data could be retained

  • Copy of the information in electronic form

 

The Ltd company can withhold such personal information to the extent permitted by law. In practice, this means that information may not be provided when it is considered that providing the information will violate the client’s vital interests.

For clients undergoing court reports requests for personal data held, requests need to go to the solicitor concerned. The Company may not be able to comply with requests to correct information held where it pertains to a litigation claim. This should be discussed with the solicitor involved. 

8.     When a client deems the information is incorrect or want it amended or erased.

A client is entitled to request that incorrect information is corrected. In such situations, the client should contact the Data Controller. Additional verification will be required to ensure a client’s identity for processing this request. 

Where information needs to be corrected, the client must provide the company with the correct data. The company will correct the data in the relevant systems and send the client a copy of the updated information. 

When a request is made to have data removed, it will be determined whether there is a need to keep the data, e.g. should HMRC wish to inspect the records. Where the decision is made that the data should be deleted, it will be undertaken without undue delay. Regulations apply differently to health records and a client’s or patient’s right to erasure and requests for erasure may be over-ridden by the requirements of health care professionals to keep records for 7 years after the last contact in the case of adults; until the age of 25 in the case of children; and indefinitely in the case of people whose mental capacity may be in question.

The Company may not be able to comply with requests to correct information held where it pertains to a litigation claim. This should be discussed with the solicitor involved.

9.     Contacting clients directly. 

With service provision it is necessary that some information regarding appointments will need to be sent via email or text messaging. The company keeps the information contained within communications and for the communications to a minimum in case a message is intercepted.  Where possible in accordance with the client encrypted messaging, and password protect attached documents can be utilised. 

The company does not currently send out marketing information to clients.

10.  Opting out of receiving emails and/or text messages from the company.  

If an individual phones to arrange an appointment they will be asked to provide an email address in order to send confirmation of the appointment along with any necessary details for conveyance of the appointment e.g. address of the appointment. A client can refuse to do this. Client’s may be asked at further appointments or contact whether they wish to opt-in to email or text reminders and confirmation of appointments. This is at the discretion of the client whether they wish to do so. Where clients do not wish to opt-in to the text or email service, a paper confirmation of appointments sent by post can be arranged. 

If there are any questions, concerns or feedback about data protection or privacy please ask Dr Boyd at Dr Elizabeth Boyd Psychological Services Ltd so that these can be addressed.  

11. Complaints and queries

Dr Elizabeth Boyd Psychological Services LTD aims to uphold the highest standards when collecting and using personal information. Any complaints received would be taken very seriously. It is advised that any queries or concerns about the fairness or appropriateness of the collection or use of information are bought to the attention of the Company. Any complaints should be bought to the attention of the Data Controller who will investigate the matter on the client’s behalf. The company welcomes any suggestions or feedback regarding data processing procedures. Should the client not be satisfied with the Company’s response or believe that processing of personal data is unlawful, they have the right to raise a complaint with the ICO. 


Website: https://ico.org.uk/concerns/

Email: casework@ico.org.uk

Telephone: +44 (0) 303 123 1113