The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and provides a legal framework for ensuring the safety of personal information by organisations. The framework insists that organisations have effective systems in place for handling and storing personal information. It also stipulates that people cannot be contacted by organisations without having given permission for sharing of information.
Dr Button Psychology understands that privacy is important to its clients and customers and that they care about how personal data is used. We are committed to safeguarding the privacy and security of the personal information of all our clients.
The following privacy notice outlines how Dr Button Psychology manages your data and your rights in relation to this. Dr Button is the Data Protection Officer (DPO) for the business.
Personal Information held by Dr Button and why:
Dr Button Psychology collects personal information provided by you or a referrer (e.g. an insurance company or solicitor), appropriate to the service you are accessing, e.g. therapy or supervision. Such information includes, for example, your name, date of birth, contact details (phone numbers, email and address), GP details, your place of work and, where relevant, previous reports generated in relation to accidents or injuries sustained. This information is held so that contact can be made with you to arrange appointments for relevant services, and also so that support systems can be accessed for you should you require this over the course of your treatment with Dr Button. Information is also held to be able to communicate with you regarding payments (for self-referring clients), e.g. invoicing. Personal information is held with a view to providing you with a safe, effective and professional service.
Written notes are made during sessions and stored in a locked filing cabinet. Less comprehensive electronic notes summarising key themes and any risk concerns are documented on a secure online electronic notes system. Where electronic communications are made, emails and texts are also stored if they contain clinical information. Texts and emails arranging appointments are not stored. Your first name and the first letter of your surname will be held in Dr Button’s phone contacts for the duration of your therapy/supervision. At the end of therapy/supervision Dr Button will remove your contact from her phone. Written contact information and notes will be stored in the filing cabinet, or as electronic information on her laptop and backup system. Your basic contact information and history of appointments and payments are also stored on the Janeapp system, which is GDPR compliant. Dr Button is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, she has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information she collects. Depending on the content and nature of emails, Dr Button may send them via the Egress secure email system if necessary.
Keeping information accurate and up-to-date:
It is your responsibility to ensure that Dr Button is made aware of any relevant changes to your personal information that she requires to be able to provide you with an effective service.
Sharing of information:
Often referring agencies require reports across the duration of assessment and therapy. Dr Button uses the information you share with her in sessions to provide referrers with a brief summary of assessment and treatment outcomes, e.g. progress made in relation to goals. Dr Button does not divulge sensitive information shared in sessions with referring agencies unless she is concerned about risk of harm to yourself or others. Where Dr Button is concerned about risks, she will endeavour to discuss this with you and seek your consent to share the information. However, there may be some instances where she has pressing concerns about safety to yourself or others and at such times it may not be appropriate to seek your consent before sharing with appropriate agencies, e.g. GP, police, other relevant professionals. Dr Button prioritises keeping people safe at all times. If information is shared without your consent, Dr Button will discuss this with you and her reasons why as soon as is practically possible.
Reports are shared with referrers electronically, and are sent either via secure email systems, e.g. Egress, or as password-protected documents with the password provided in a separate email. Different referring agencies have different requirements for sharing of reports. If you wish to see the content of reports prior to Dr Button sharing them, please do ask. Dr Button considers information shared with her by you to be your information and is happy to discuss her clinical notes with you at any time. Dr Button does not accept referrals from outside of the UK so all sharing of information is within the UK.
In cases where supervisees are seeking Accreditation, personal information that is required on the application is shared with members of the EMDR Association. You will have provided that information to Dr Button and so will be aware of what is being shared with the Accreditation committee within the EMDR UK Association.
Dr Button may have to share your data with third parties, including third-party service providers. She may share personal data about you with outsourced service providers such as accountants and virtual assistants pursuant to GDPR compliant written contracts. Dr Button may be required to share your personal information with others where there are legal proceedings or in complying with legal obligations, a court order, or the instructions of a government authority.
Dr Button does not allow third-party service providers to use your personal data for their own purposes.
Dr Button only permits them to process your personal data for specified purposes and in accordance with her instructions.
How long is data held for and where?
Dr Button is legally required to keep clinical records for 7 years after the end of your contact/treatment for adults. Written notes are stored in a locked filing cabinet in anonymised envelopes. The filing cabinet key is kept in a coded key press and the key to the office is kept in a coded key press elsewhere to enhance security of your data. The building where the filing cabinet is held is alarmed. Electronic information is password protected. Emails and texts are kept on a laptop, iPad and iPhones, all of which are password protected (passcodes or fingerprint access). IT systems are regularly backed up with appropriate secure and encrypted systems.
Notes relating to children are kept until they reach the age of 25 years. Notes relating to ongoing court cases are kept until the case is concluded or for up to 7 years after if concluded before that time. After the 7-year deadline and where any court cases are resolved, paper notes are destroyed in line with GDPR regulations, and all electronic information is deleted. The practice guardian will ensure that this is adhered to in the event that Dr Button is unable to oversee this.
How to request access to your data:
You are able to request access to your notes by putting your request in writing or making a verbal request to Dr Button using the contact details for the business. You will be provided with your information within 40 days. You are able to check records for accuracy, and request correction or deletion of your information. Dr Button recommends that if you request to see your notes, that you go through them with her so that any concerns or queries can be addressed there and then. You can request that Dr Button transfer your data to another business.
You can also request that your information be deleted or destroyed before the 7/25 year expiration date. Dr Button will discuss each request with you and relevant parties, e.g. referring agencies. Dr Button will seek advice from her professional governing bodies, e.g. The Health Care and Professions Council (HCPC) and the Information Commission Office (ICO) on a case-by-case basis at the time of the request.
If Dr Button is aware of any breach of personal data security, she will contact you as soon as possible to discuss this. Where appropriate, Dr Button will advise the ICO.