Catalyst Clinical Psychology

Home | About Me | What is Clinical Psychology? | Psychological Therapy | Expert Witness & Professional Services | Sport Psychology & Coaching | Your Data Privacy | Contact Me

Data Protection and Privacy

Catalyst Clinical Psychology aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected.

This policy describes the information that Catalyst Clinical Psychology collects when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 [and the subsequent UK Data Protection Bill that is expected to be enacted in 2018].

The policy describes how we manage your information when you use our services; if you contact us; or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or with other online presence (such as Facebook or Twitter).

Catalyst Clinical Psychology uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Dr Yvonne Waft is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.

If your questions are not fully answered by this policy, please contact Dr Yvonne Waft. If you are not satisfied with the answers given, you can contact the Information Commissioner's Office (ICO)

1.     Why do we need to collect your personal data?

We need to collect information about you so that we can:

·       Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.

·       Deliver services to you. The legal basis for this is the contract with you.

·       Process your payment for services. The legal basis for this is the contract with you.

·       Verify your identity do that we can be sure we are dealing with right person. The legal basis for this is a legitimate interest.

·       Contact you in case there is a problem. The legal basis for this is a legitimate interest. 

2.     What personal information do we collect and when?

For us to provide you with services, we need to collect the following information:

·       Your name

·       Your contact details including a postal address, telephone number(s) and electronic contact such as email address.

·       Details of your GP and any referring agency such as your health insurance company.

·       Details of your Next of Kin.

·       We may also communicate via Twitter or Facebook in which case we will need to know your Facebook user or Twitter username.

·       Your payment details or insurance details.

We collect this information directly from you.

We may also collect information about you from third parties; for example, if we need to gather information from another health professional (such as your Doctor or Occupational Therapist) to provide a complete health assessment; or from the referring agency if you are being referred by another organisation.

Our website is very basic and does not use cookies to gather information about visitors nor does it log the IP address of any user visiting the website.

3.     How do we use the information that we collect?

We use the data we collect from you in the following ways:

·       To communicate with you so that we can inform you about your appointments with us we use your name, your contact details such as your telephone number, email address or postal address.

·       To deliver the correct service to you we use your name, your contact details and the details about your case, including your GP details and Next of Kin details, so we can contact them in case of a crisis; and details of any other agency involved in your case so that we can deliver a joined-up service.

·       To create your invoice using our practice management software package we use your name and email address, and details of any insurance or other agency that we are invoicing on your behalf, including any case reference numbers so that the agency can identify to whom the invoice relates.

·       To process your payment, we use your name and your payment card details. We currently don’t accept card payments, but if we begin to do so in the future we will need to have the card details at the time of the transaction.

·       To be able to deliver a psychology service to you, good practice guidelines from the HCPC (Health and Care Professions Council) dictate that I must keep your case records and personal data for 7 years and then I must delete it.  This is so that if any legal case, or further therapy occurs in that time, your records can be made available to you, your legal advisors, or your treating clinicians as required.

4.     Where do we keep the information?

We keep your information in the stores described below. Please note that we do not store your payment card details in any of our systems.

·       On our company computers

We use personal laptop computers that are located on our business premises and transported to other locations as needed. The computers are password protected and the hard drives are encrypted. Passwords are changed regularly, and it is company policy that passwords are not shared. If left on the premises, any laptop computer will be locked away in a filing cabinet for security.

·       Our customer records

We use a cloud-based practice management system called WriteUpp to store the majority of our client records.  WriteUpp is password protected and encrypted, and its servers are based in the UK. WriteUpp has been very active in ensuring its own GDPR compliance, as well as advising independent professionals on GDPR. We also use Tresorit secure cloud storage system to keep larger files that cannot be stored in WriteUpp and to keep our business admin files.

·       Your reports

If you are seeing us as part of a legal claim process, we may be required to create a report that contains all the information that we gather and our findings and conclusions to support your case or direct your treatment. These are produced in Microsoft Word and usually saved to PDF and password protected before being sent by encrypted email or as a link from our Tresorit account to the agency that requested the report.  In Civil Law cases these reports become the property of the Courts and will be used in the legal process.  It is important to note that anything discussed in your assessment, or therapy, may be included in the report. In addition, your therapy notes may be requested by the Court, in which case anything discussed may be disclosed to the Courts and all parties in the case.

·       In our accounts processes

Our practice management software contains all the accounting details for each client.  We also use Microsoft Excel for some aspects of accounting, but all client information in these documents is anonymised.  Each year the accounts are reviewed by an accountant who prepares a tax return.  The accountant also has access to our bank statements, which will show payment data from individual clients who choose to make bank transfers, these entries will often have your name as a reference.

·       As a paper copy

We may take hand written notes when we first meet you and during subsequent sessions. These notes are used to create your client record and any reports produced either for yourself, or for some other agency, such as your solicitor, case manager or insurance company. Once a client record, or report has been created, the paper notes will be scanned, attached to the patient record in WriteUpp, and then shredded.  Paper notes will be stored in a locked filing cabinet at out office until such time as they are scanned and shredded.  We are gradually moving away from the use of paper notes, but at the present time some paper notes are kept and processed as detailed above.

5.     How long do we keep the information?

We keep the electronic patient record, any reports and invoices for seven years as this is the required length to comply with the HMRC and HCPC requirements. After seven years we delete the client records in WriteUpp and Tresorit including any reports and invoices.

6.     Who do we send the information to?

If you are coming for therapy and self-funding then we should, as a matter of good professional practice, inform your GP of our involvement in your care. However, this is not always essential, and we will confirm your consent for this at our first appointment. 

We must also inform your GP, and other relevant authorities, if we have concerns about your safety, or the safety of anyone else, based on what you have told us.

If you are being referred as part of a claim process or via your Health Insurance, we will send a report to your solicitor, insurer or other referring agency acting on your behalf. All reports that are sent electronically are sent as attachments that are encrypted and password protected or as an encrypted link from our OneDrive account.

We send electronic information about our invoices to our accountant. The accountant is based in the UK and all their computer systems are in the UK.

We do not currently use card payments or any card payment provider. However, we do encourage people to pay by bank transfer and your name may appear on our bank statements as a result.

7.     How can you see all the information we have about you?

You can make a subject access request (SAR) by contacting the Data Protection Officer. We may require additional verification that you are who you say you are to process this request.

We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.

8.     What if my information is incorrect or I want it erased?

Please contact the Data Protection Officer. We may require additional verification that you are who you say you are to process this request.

If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format at the subject access request in section 7.

If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay. The regulations apply differently to health records and your right to erasure may be over-ridden by the requirements of health care professionals to keep records for 7 years after the last contact in the case of adults; until the age of 25 in the case of children; and indefinitely in the case of people whose mental capacity may be in question.

9.     Will we send emails and text messages to you or about you?

As part of providing our service to you we will send appointment information to you via email and text messaging. We keep the information in such communications to a minimum in case a message is intercepted.  Where possible we use encrypted messaging, and password protect attached documents.  We use a ProtonMail account for secure email communications, if you also have a ProtonMail account this would allow complete email security. However, you do not need to have ProtonMail, you can still receive our emails and you can be sure they are secure and encrypted from our end. We also have a less secure email account which is now only used for admin purposes.

We do not send marketing information out to clients.

We have a Facebook page and Twitter account @CatalystClinPsy but we do not contact our clients personally via these. If clients choose to use these as forms of communication, we will acknowledge their contact but will not engage in any discussion of your clinical issues on our social media platforms.

10.  How do you opt out of receiving emails and/or text messages from us?

If you phone to book an appointment we will ask you to give us an email address where we can send the confirmation letter, with the details of the appointment. If you do not wish to do this that is your choice, simply do not give us an email address at that time.

At our first face-to-face contact we will ask you whether you wish to opt in to receiving text or email reminders and confirmations of appointments. Again, this is up to you, most clients find it a helpful service, but if you do not wish to use it, please say so.

We do not send marketing texts or emails to clients.

If you have any questions about data protection or privacy please ask Dr Yvonne Waft at Catalyst Clinical Psychology. 

Dr Yvonne Waft BSc (Hons), DClinPsychol, CPsychol, AFBPsS
Trinity Space Centre, Waldorf Way, Wakefield, WF2 8DH
07947 067847