Data Controller: Clare Staunton, contactable via email on sexualhealinguk at hotmail dot com
In line with the 2018 GDPR (General Data Protection Regulation), I’m outlining some information below as a data protection statement. Due to the nature of our work, as a sole practitioner offering psychosexual and relationship therapy, I collect, store and use both personal and sensitive personal information about you. By signing the privacy statement you are consenting to me doing this. You can withdraw consent at any time, but it will stop me from maintaining a therapeutic relationship with you.
What personal data is collected about me? Name, phone number, email, emergency contact.
What ‘sensitive data’ has been collected about me? Racial and ethnic origin, religious beliefs, physical & mental health details (as given by you), details of your sexual life. You will choose whether to disclose this information to me or not. As verbally stated in our first meeting, please let me know if you ever do not want me to write something down.
Other data includes information gathered in history-taking sessions, and summary content of sessions as well as ‘homework’ tasks. Notes will only have practical and informational material unless there are risks that may need noting.
*Why do I collect data and how will I use it?
Lawful basis for processing your information
The lawful basis for my holding and using your information is in relation to delivery of a contract to you as a healthcare professional. As an accredited member of COSRT, I operate under a strict code of ethics and confidentiality.
I use history-taking information and client notes to help me guide the nature of the work, and to remind me of key information between weeks and over the length of our therapeutic relationship.
I will use your contact details (phone and email) for purposes of communication regarding administration of appointments, and occasionally to respond to your requests for further information in-between weeks.
NB: my handwritten notes are not psychological assessments, analysis or reports, and are kept in shorthand.
* Sharing of your data.
I anonymously disclose information about client work in my supervision processes on an ongoing basis. I may sometimes disclose to, or request support from, other practitioners you are connected to (such as a physio/doctor), but will ask you for written consent over email to do so. As mentioned in the counselling agreement, I reserve the right to break confidentiality if I am concerned you may cause harm to yourself or others (likely to your GP). I would always try to discuss this with you before I did so.
Access to my electronic devices (by which I email and call) may also be given to people who technically assist me in the future.
Therapists appoint a trusted colleague in case of my serious illness or death. They would access your contact details to contact you to let you know if I was unable to attend or continue working with you, and help signpost to other practitioners if needs be. They would respectfully close my practice, including disposal of client notes and data.
If you attend sessions with another person, then the notes remain confidential material of the client relationship (both people) and one person cannot request access for a third party.
*Storage and destruction of data.
Any client notes I make will not identify you. They are handwritten and nothing is stored on my computer or on a memory stick. They are coded, or may occasionally reference first names. Client notes are kept in locked storage. They are stored separately from contractual/contact details to enhance security, within a locked cabinet, within a secure building.
I will hold your details and any brief notes for a period of time (7 years) following the end of your therapy to comply with any obligation placed upon me by my insurers and my accrediting organisation. They will then be destroyed via shredding.
Whilst an active client, I store your mobile number on a mobile phone, under your first name and initial of surname. No other details are linked to this, and it is removed on conclusion of our work.
Both email account and phone are password protected.
Within 12 weeks of finishing client work, I will delete client emails from all Hotmail inboxes.
Although I am working towards tighter encryption regarding electronic communication, I would like to be fully transparent about possible data breaches.
My email provider is Hotmail; as a Microsoft product, it has a policy on GDPR: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
As you may be aware, email is never 100% secure. My email is currently not encrypted, so please limit the content of your emails to what you feel comfortable with, in case of an external data breach. I encourage all clients to bring a notebook to jot down any details that pop up in sessions, rather than have me send information over email after the event.
I would ask for a limit in text contact, if at all, to functional messages around attendance. SMS messaging is not encrypted, and is therefore not secure and is open to a data breach.
Occasionally I access emails on a mobile device as well as a laptop. I limit my access to this to private third space (i.e. not sitting on the tube reading it). Both devices are password protected. The mobile device is more susceptible to theft and loss, but I take every precaution to make sure this is not the case.
* What to do if you would like to access your data or have it destroyed before 7 years have elapsed?
You have rights relating to the information I hold, to verify its accuracy. You have the right to request a copy of any information I hold about you. If you would like a copy of some or all of the personal information, please email me, as the Data Controller, at sexualhealinguk at hotmail.com. I will need to ensure that it is you, and not a third party. Information will be provided to you within 30 days. Emails are usually within your own possession. Notes would be transcribed.
If you wanted to have your data deleted before the 7 years had elapsed, you would also need to email me, as above. I would need to keep a suppression list to evidence I had complied with the request, and a decision to destroy data would take into account a clinical decision. Information about third parties (or where a second person has been part of the therapeutic process) also cannot be destroyed without their express consent.
*What happens if there is a data breach?
If a breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, I would notify the ICO within 72 hours and inform those individuals without undue delay.
Like many other websites, my website, currently hosted by WordPress.com, also uses cookies. Cookies are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. This helps us to improve our website and deliver a better, more personalised service to members and the public. I occasionally access the following information: country of origin, clicks made on the website, posts and pages looked at, and search engine terms used to get to the website.
It is possible to switch off cookies by setting your browser preferences. You can remove cookies stored in your computer via your browser settings. Alternatively, you can control some 3rd party cookies by using a privacy enhancement platform such as:
If you’d like to opt out of tracking by Google Analytics, visit the Google Analytics opt-out page.