background image
21st November 2018 

Therapy client data GDPR: for my new and current therapy clients

Therapy client data GDPR: As from 25th May 2018, under the General Data Protection Regulations (GDPR) I (K. Lea Schmitt-Eschle, Child Counsellor, BACP) am required by law to inform you (as my counselling client) about how I process and keep safe the data I hold that pertains to you. I am also required to gain your explicit consent to my holding and processing your data in certain ways (they’re detailed below).
As a child counsellor, I take confidentiality and privacy very seriously and am bound by a code of ethics.

If you do not wish to give your consent, you have the option to discuss with me, and it may be possible to create a bespoke agreement between us. You have the right to withdraw your consent at any time. We would need to discuss what this might mean in practice, with the primary aim being to keep you safe. However there may be certain situations that require certain information to be retained, and I may need to seek legal advice in this case.

What therapy client data GDPR is held about you?
I keep certain data so that I can work safely and professionally with you, in line with the guidelines of professional organisations that I belong to, including BACP.
The therapy client data GDPR I hold may include:
1.
You and your child’s name and address
2.
Your phone number and email address
3.
An emergency contact’s name and phone number
4.
Your GP name and contact details
5.
Relevant medical information
6.
Artworks your child may create
7.
Session notes/Initial assessment notes
8.
Payment information
9.
My emails to you, and yours to me
10.
Invoices

You have the right to know what therapy client data GDPR I hold, why I hold it, and for how long I hold it. You also have the right to view it, and to ask for changes to be made. When sensitive data is to be destroyed, it will be shredded. If I discover there has been a data breach of your personal information that could put you at risk, I will undertake to tell you as soon as possible.

How, why, and for how long is your data held?

1. Your name and address
I keep your name and address in paper form in a locked filing cabinet. These are kept separate from your session notes. My clinical supervisor has your first name and phone number in paper form, kept in their locked filing cabinet. This is required by my professional liability insurer and by my professional organisation (BACP). Only I will see this data. My clinical supervisor will see your first name but not your surname or address. My professional liability insurer advises that I keep this data for seven years. After that time it is destroyed. My clinical supervisor will destroy the data when you and I finish our work.

2. Your phone number and email address
I keep your phone number in my mobile phone under an identifying code, not your name. My phone is locked with a passcode when I am not using it. Your email address is held on my computer and secured with a password?? Neither my computer nor my phone are shared with anyone else, unless it is required by a technician for maintenance. I also keep your phone number and email address in paper form in a locked filing cabinet. These are kept separate from your session notes. My clinical supervisor has your first name and phone number in paper form, kept in a locked filing cabinet. I will delete any phone messages you sent me after I read them.
Only myself and my clinical supervisor see this data. I am required to keep it in case I have to contact you (for example for rescheduling sessions or sending an invoice). My clinical supervisor keeps this data so that you could be contacted in case I became suddenly incapacitated through a health crisis or other emergency, as required by my clinical will. I will remove this data when we have finished our work, unless you tell me that you would like me to retain it in case we work together again in the future.

3. Emergency contact’s name and phone number
I keep this data in paper form in a locked filing cabinet along with your name and contact details. Only I will see this, It is unlikely that I would ever use this information, but I hold it in case I become concerned for your child’s welfare and I cannot get hold of you. You and I may agree together on some other reason that I might contact this person, based on your best welfare. When we finish working together, I will delete this data, unless you and I decide to make other arrangements.

4. Your GP name and contact details
I keep this data in paper form in a locked filing cabinet along with your name and contact details. Only I have access to this data. I keep this data in case you and I agree together on some reason that I might contact your GP, based on your child’s best welfare, for example discussing diagnosis, treatment plan or safety procedures. When we finish working together, I will delete this data.

5. Relevant medical information
I keep this data in paper form in a locked filing cabinet along with your name and contact details.
I keep this data because it may be relevant to share certain medical information when:
(a) Your child’s mental health history, diagnoses etc may inform my treatment plan to make it more appropriate for him/her.
(b) There is any risk that health conditions such as seizures, diabetes, etc may impact a session
(c) Medications may affect our work
(d) You child has any allergies that I should be aware of in order to keep you safe. Only I have access to this data and when we finish working together, I will delete it.

6. Artworks
Your child’s artworks are kept in a lockable suitcase in my consulting room until the end of our work together. Your initials or identifying code are written on the back of each artwork, along with the date. Only I and my supervisor will see the artwork.
It is standard practice in Art Therapy for the artworks to be retained by the therapist whilst treatment is ongoing. However, your child may choose to take them away with you at any agreed time. Sometimes an artwork is temporary (e.g. play-dough, sand-tray) and will be dismantled after a session. Your child may choose to photograph the artworks, and as such you are responsible for the security of the content.
When our work together ends your child may take your artworks away. If he/she chooses not to take them, I will dispose of them securely.

7. Session notes/Initial assessment notes
I keep notes from our first assessment and our conversation regarding your child’s treatment plan so we can look back at it and review it regularly.
Other notes I keep may include dates and times of attendance, and brief notes on important themes from the session. I also keep session notes for purposes of supervision. Brief notes may remind me of important points I want to be sure to remember to discuss in our next session, and/or in supervision.
I keep all these notes in paper form in a locked filing cabinet. Only me and my supervisor will see them. Your name or other identifying details are not kept with your session notes; only a code is used.
My current policy is to destroy session records three years after our work finishes. If you would like me to retain them for a longer period, please discuss this with me.

8. Payment information
I make a note of payments you have made, on a password-protected financial spreadsheet for my business. I may also outline invoices and record payments in my paper diary, but under a code rather than your name. As a small business owner, I am required by law to retain certain financial information, primarily for tax purposes.
I keep financial information for 7 years. Payment by cheque will be processed by my bank, but your account name will not be visible on my bank statements. Banking transactions may be viewed by employees of the bank, my accountant, my financial advisor, and tax officers (HMRC). When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.

9. Your emails and texts
Your email address is stored on my password protected computer. I will delete emails after I have noted the contents (for example, emails around scheduling). Any emails that I consider it necessary to keep are printed off and retained together with the session notes in a lockable filing cabinet under a code. If I need to send you emails containing reports or clinical information I will attach them with password protected word documents.

10. Invoices
How I keep this data
I create invoices on my laptop using Pages, and then export as pdf. Invoices are kept as password protected documents on my computer, and are sent via email. I keep the invoice for a short time whilst I monitor payments (usually this is one month). Once payment has been made, and any further invoice has been created, I delete the invoice. Only I have access to this data.

If you have any other questions regarding how your therapy client data GDPR is processed and handled, please do not hesitate to discuss with me.