Catalyst Clinical Psychology aims to be as clear as possible about how and why we use information about you so that you can be confident
that your privacy is protected.
This policy describes the information that Catalyst Clinical Psychology collects when you use our services.
This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 [and the subsequent
UK Data Protection Bill that is expected to be enacted in 2018].
The policy describes how we manage your information when you use our
services; if you contact us; or when we contact you. It also provides extra details to accompany specific statements about
privacy that you may see when you use our website (such as cookies) or with our other online presence (such as Facebook or Twitter).
Catalyst Clinical Psychology uses the information we collect in accordance with all laws concerning the protection of personal data, including
the Data Protection Act 1998 and the GDPR 2016. As per these laws, Dr Yvonne Waft is the data controller; if another party
has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they
are doing with your data and why we need to provide them with the information.
If your questions are not fully answered by this policy, please contact
Dr Yvonne Waft. If you are not satisfied with the answers given, you can contact the Information Commissioner's Office
1. Why do we need to collect your personal data?
We need to collect information about you so that we can:
· Know who you are so that we can communicate with you in a personal way. The legal basis for this
is a legitimate interest.
to you. The legal basis for this is the contract with you.
· Process your payment for services. The legal basis for this is the contract
· Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
· Contact you in case there is a problem. The legal
basis for this is a legitimate interest.
2. What personal information do we collect and when?
For us to provide you with services, we need to collect the following information:
· Your name
· Your contact details including a postal address, telephone number(s)
and electronic contact such as email address.
· Details of your GP and any referring agency such as your health insurance company.
· Details of your Next of Kin.
· We may also communicate via Twitter or Facebook in
which case we will need to know your Facebook user or Twitter username.
· Your payment details or insurance details.
We collect this information directly from you.
We may also collect information about you from third parties; for example,
if we need to gather information from another health professional (such as your Doctor or Occupational Therapist) to provide
a complete health assessment; or from the referring agency if you are being referred by another organisation.
user visiting the website.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
· To communicate with you so that we can inform you about your appointments with us, we use
your name, your contact details such as your telephone number, email address or postal address.
· To deliver the correct service to you, we use your name, your contact
details and the details about your case, including your GP details and Next of Kin details, so we can contact them in case
of a crisis; and details of any other agency involved in your case so that we can deliver a joined-up service.
· To create your invoice using our practice management
software package, we use your name and email address, and details of any insurance or other agency that we are invoicing on
your behalf, including any case reference numbers so that the agency can identify to whom the invoice relates.
· To process your payment, we use your name and your
payment card details. We currently don’t accept card payments, but if we begin to do so in the future we will need to
have the card details at the time of the transaction.
· To be able to deliver a psychology service to you, good practice guidelines
from the HCPC (Health and Care Professions Council) dictate that I must keep your case records and personal data for 7 years
and then I must delete it. This is so that if any legal case, or further therapy occurs in that time, your records can
be made available to you, your legal advisors, or your treating clinicians as required.
4. Where do we keep the information?
We keep your information in the stores
described below. Please note that we do not store your payment card details in any of our systems.
· On our company computers
We use personal laptop
computers that are located on our business premises and transported to other locations as needed. The computers are password
protected and the hard drives are encrypted. Passwords are changed regularly, and it is company policy that passwords are
not shared. If left on the premises, any laptop computer will be locked away in a filing cabinet for security.
· Our customer records
We use a cloud-based
practice management system called WriteUpp to store the majority of our client records. WriteUpp is password protected
and encrypted, and its servers are based in the UK. WriteUpp has been very active in ensuring its own GDPR compliance, as
well as advising independent professionals on GDPR. We also use Tresorit secure cloud storage system to keep larger files that
cannot be stored in WriteUpp and to keep our business admin files.
· Your reports
If you are seeing us as part of a legal claim process,
we may be required to create a report that contains all the information that we gather and our findings and conclusions to
support your case or direct your treatment. These are produced in Microsoft Word and usually saved to PDF and password protected
before being sent by encrypted email or as a link from our Tresorit account to the agency that requested the report.
In Civil Law cases these reports become the property of the Courts and will be used in the legal process. It is important
to note that anything discussed in your assessment, or therapy, may be included in the report. In addition, your therapy notes
may be requested by the Court, in which case anything discussed may be disclosed to the Courts and all parties in the case.
· In our accounts processes
Our practice management
software contains all the accounting details for each client. We also use Microsoft Excel for some aspects of accounting,
but all client information in these documents is anonymised. Each year the accounts are reviewed by an accountant who
prepares a tax return. The accountant also has access to our bank statements, which will show payment data from individual
clients who choose to make bank transfers; these entries will often have your name as a reference.
· As a paper copy
We may take handwritten notes when we
first meet you and during subsequent sessions. These notes are used to create your client record and any reports produced
either for yourself, or for some other agency, such as your solicitor, case manager or insurance company. Once a client record,
or report has been created, the paper notes will be scanned, attached to the patient record in WriteUpp, and then shredded.
Paper notes will be stored in a locked filing cabinet at our office until such time as they are scanned and shredded.
We are gradually moving away from the use of paper notes, but at the present time some paper notes are kept and processed
as detailed above.
5. How long do we keep the information?
We keep the electronic patient record, any reports and invoices for seven years as this is the required length to comply with
the HMRC and HCPC requirements. After seven years we delete the client records in WriteUpp and Tresorit including any reports
6. Who do we send the information to?
If you are coming for therapy and self-funding then we should, as a matter of good professional practice, inform your GP of our
involvement in your care. However, this is not always essential, and we will confirm your consent for this at our first appointment.
We must also inform your GP, and other relevant authorities, if we have concerns about your safety, or the
safety of anyone else, based on what you have told us.
If you are being referred as part of a claim process or via your Health
Insurance, we will send a report to your solicitor, insurer or other referring agency acting on your behalf. All reports that
are sent electronically are sent as attachments that are encrypted and password protected or as an encrypted link from our
We send electronic information about our invoices to our accountant. The accountant is based in
the UK and all their computer systems are in the UK.
We do not currently use card payments or any card payment provider.
However, we do encourage people to pay by bank transfer and your name may appear on our bank statements as a result.
7. How can you see all the information we have about you?
You can make a subject access request (SAR) by contacting the Data Protection
Officer. We may require additional verification that you are who you say you are to process this request.
We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information
if we consider that providing the information will violate your vital interests.
8. What if my information is incorrect or I want it erased?
Please contact the Data Protection Officer. We may require additional verification
that you are who you say you are to process this request.
If you wish to have your information corrected, you
must provide us with the correct data, and after we have corrected the data in our systems we will send you a copy of the updated
information in the same format as the subject access request in section 7.
If you want to have your data removed,
we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that
we should delete the data, we will do so without undue delay. The regulations apply differently to health records and your
right to erasure may be over-ridden by the requirements of health care professionals to keep records for 7 years after the
last contact in the case of adults; until the age of 25 in the case of children; and indefinitely in the case of people whose
mental capacity may be in question.
9. Will we send emails and text messages to you or about
As part of providing our service to you we will send appointment information to you via email and text messaging.
We keep the information in such communications to a minimum in case a message is intercepted. Where possible we use
encrypted messaging, and password protect attached documents. We use a ProtonMail account for secure email communications;
if you also have a ProtonMail account this would allow complete email security. However, you do not need to have ProtonMail;
you can still receive our emails and you can be sure they are secure and encrypted from our end. We also have a less secure
email account which is now only used for admin purposes.
We do not send marketing information out to clients.
We have a Facebook page and Twitter account @CatalystClinPsy but we do not contact our clients personally
via these. If clients choose to use these as forms of communication, we will acknowledge their contact but will not engage
in any discussion of your clinical issues on our social media platforms.
10. How do you opt out of receiving emails and/or text
messages from us?
If you phone to book an appointment we will ask you to give us an email address where we can send
the confirmation letter, with the details of the appointment. If you do not wish to do this, that is your choice; simply do
not give us an email address at that time.
At our first face-to-face contact we will ask you whether you wish to
opt in to receiving text or email reminders and confirmations of appointments. Again, this is up to you; most clients find
it a helpful service, but if you do not wish to use it, please say so.
We do not send marketing texts or emails.
If you have any
questions about data protection or privacy please ask Dr Yvonne Waft at Catalyst Clinical Psychology.