This is the privacy notice of Inside Out Psychology. In this document, “we”, “our” or “us” refer to Inside Out Psychology.
This notice is to inform you of our policy about all information that Inside Out Psychology record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.
Our policy complies with the UK law accordingly implemented, including that required by the EU General Data Protection Regulation (GDPR). The law requires us to tell you about your rights and our obligations to you with regard to the processing and control of your personal data. Further information can be found at www.knowyourprivacyrights.org
Why do we need to process information about you?
In providing you with our services, Inside Out Psychology will need to handle your personal information. Personal information is details about you from which you can be identified, such as your name and contact details. Depending on what services you receive from us, we may process additional sensitive data such as information about your health. This information is essential to inform, facilitate and provide assessment and therapeutic services which are appropriate to your individual needs.
Under the requirements of the Health Care Professions Council (HCPC) and British Psychological Society (BPS), Inside Out Psychology are obliged, according to the legitimate interests of provision of our services, to keep documentation of your personal data to allow us to provide assessment and therapy services to you.
What information will you hold?
Information about you will be held in the form of written notes, emails, questionnaires, and letters, in addition to our practice management software system and invoices. This information could be collected at any point during your contact with us and/or during your receipt of services from us.
Personal data will include information such as basic contact information, name, address, email, telephone number and GP contact details. Sensitive personal data will include information such as signed new client agreement form and therapy records (notes, letters, reports and questionnaires).
If you complete the web-based enquiry form, we will also collect any information you provide to us as well as your internet protocol (IP) address and browser user agent string to help spam detection. This is automatically supplied by the website software used to offer the form. All web services used by Inside Out Psychology are verified by themselves to be GDPR compliant.
If you are referred by your health insurance provider, then we will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, health insurance policy number and authorisation for psychological treatment.
Your information will be collected, managed and stored solely for the purposes of us communicating with you (e.g. to arrange appointments), providing you with the psychological services or training you have requested from us, and to process payment for such services. We will never sell your information to others.
Where do we keep the information?
We keep your information in the stores described below. Please note that we do not store your payment card details in any of our systems; these are passed straight through to our payment provider.
On our company computers:
We use personal computers that are located on our business premises. The computers are password protected and the hard drives are encrypted. Passwords are changed regularly and are not shared beyond those who need access to a given computer.
Where cloud services are used, these meet GDPR requirements and all data is securely encrypted when stored there.
We also record some aspects of our interaction with you in Microsoft Excel Spreadsheets on a laptop, which is password protected.
Clients who access Inside Out Psychology via In Motion Clinics also have information provided from their brief registration form inputted onto the practice management software, Cliniko, which is compliant with GDPR.
As a paper copy:
We take handwritten notes when we meet you. These notes may be used to create a report on the services that we provide to you, or to an approved third party (i.e. your insurer). Mostly, however, our written notes serve simply as an aide memoire for your therapist to ensure continuity of treatment over time.
We keep a paper copy of your notes and any invoices in locked filing cabinets in our offices.
How long will you store my information for?
We will hold information about you for as long as you receive services from us and for 7 years following the date of our last contact with you. Personally identifiable information associated with an initial enquiry about our services is recorded, on paper, for us to reply with the information you need. This will be destroyed within one month of our response to you if you choose not to access our service.
Paper-based information for Inside Out Psychology will be electronically scanned and stored shortly after the point your case file is closed (usually defined as your last appointment). Once scanned, paper-based information will be shredded and securely disposed of in confidential waste. Electronically held files will be securely deleted after 7 years (or, if a minor, when they reach the age of majority plus 7 years). Paper registration forms for In Motion Clinics are scanned into Cliniko shortly after your first appointment and then shredded.
You also have the right to ask for the information we hold on you to be erased prior to this time by contacting our Data Protection Officer, Dr Maria Knapp, Clinical Psychologist, at our main office (In Motion Clinic), or via email to firstname.lastname@example.org. Verification of the identity of anyone making such a request will be required before information can be deleted.
However, if you want to have your data removed, we do have to determine if we need to keep the data, for example if there is an on-going legal matter related to your case or if your request falls within the timeframe for which our governing practice body requires us to hold data (around 7 years). In this instance, we may not be able to erase your data before that time has passed or any court action is ended.
How can I access the information you hold?
You can ask to access the information we hold by writing to our Data Protection Officer, Dr Maria Knapp, Clinical Psychologist at our main office (In Motion Clinic), or via email to email@example.com. You can also ask for your information to be transferred to another provider of psychological services. We will respond to your request within 30 days.
Verification of the identity of anyone making such a request will be required before information can be shared.
What if I believe the information you hold about me is incorrect?
Whilst you are receiving services from Inside Out Psychology, we will aim to keep the information we hold about you up-to-date. We would encourage you to tell us as soon as possible if your personal data changes so that we can update our records.
You can also let us know if you believe the information we hold about you is inaccurate, needs amending or updating, by contacting our Data Protection Officer, Dr Maria Knapp. We will aim to update your information within 72 hours.
How can I have my information removed?
If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records or if in doing so we would breach our professional organisation’s data protection requirements (see previous page). If we decide that we should delete the data, we will do so without undue delay.
Protecting your Information
Inside Out Psychology is committed to keeping the information we hold about you secure. To protect your personal data, we follow the guidelines and recommendations in line with our professional bodies (The British Psychological Society and The Health Care Professions Council) and regulatory bodies such as the Information Commissioner’s Office. More detailed information can be found in our Data Protection Policy, which complies with the requirements detailed in the Data Protection Act (1998) and the General Data Protection Regulations (2018). This document is available on request.
Personal information is minimised in phone and email communication. Sensitive personal data will only be sent to clients in an email communication which is password protected. Email applications use private (SSL) settings, which encrypt email traffic, and unsecured Wi-Fi networks are never used to open or send personal data.
Personal information is also stored on a secure, password protected computer. Malware and antivirus protection is installed. Mobile devices are protected with a passcode/thumbprint scanner, mobile security and antivirus software. We have physical, electronic, and operational procedures in place to protect your data. In the unlikely event of our security processes being compromised leading to a significant breach of your information, we will inform you within 72 hours.
The security of your personal information is very important to Inside Out Psychology. All our services are confidential, and we will not share your information unless we judge that there is a serious risk of harm to yourself or others, or with your written consent, or when we are legally obliged to do so. Confidential information is restricted only to those who have a reasonable need to access it.
There may be exceptions when we are required to liaise with other parties:
- If you are referred by a health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation for the purposes of billing. We may also be required to share information with that organisation to provide treatment updates (e.g. in the case of requesting additional sessions) and complete required outcome questionnaires.
- In cases where assessment or treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared as required and with your written consent.
Who can I contact if I have concerns about my data management?
Should you have any concerns about the management of your data by Inside Out Psychology, please contact our Data Protection Officer, Dr Knapp, in the first instance. If we are unable to resolve your concerns, you have a right to complain to the Information Commissioner’s Office: https://ico.org.uk/for-the-public/raising-concerns/
Policy prepared by: Dr Maria Knapp, Clinical Psychologist
Policy operational on: 14th May 2018
Policy review date: 14th May 2020