Privacy policy.

UK GDPR Statement

This data privacy policy has been compiled according to the UK General Data Protection Regulations (UK GDPR, 2018) and the Data Protection Act (2018). The policy is designed to provide transparency to current and former clients about what personal information Christine Gregory, aka The Loss Therapist, will hold for a client and how this will be stored, processed and used. It also sets out how long personal data is retained for, information about a client’s rights concerning their data and under what circumstances data will be deleted or anonymised.

Christine Gregory, aka The Loss Therapist, acts as the data controller of any personal data collected and processed. Processing includes the organisation, retrieval, consultation, use and deletion or destruction of information and its disclosure to third parties. The information clients provide will be processed mainly in connection with administering my counselling and therapy services.

Data protection laws allow data to be processed for specific reasons. In this case, the reason provided is legitimate interests. This will enable me to provide the best possible service to my clients by recording relevant health and personal information through my website or information discussed during counselling sessions. Client data is also processed to carry out my contractual obligations, including confirming or rearranging appointments, informing clients of appointment changes, and delivering online counselling sessions. Additionally, certain personal data may be processed based on specific client consent. Further, certain data is processed to carry out legally required duties such as those required by any regulatory bodies.

Any personal data held on client files will be processed fairly, lawfully and in a clear, transparent way. It will be collected only for valid reasons during treatment and not used in any way that is incompatible with those purposes. Data will only be used in a way that has been described within this policy and will be accurate and kept up to date. Personal data will be kept only for as long as is necessary for the purposes outlined in this policy and will be processed transparently.

Client rights

Under UK GDPR, clients have several rights concerning their personal data.  These include:

  • the right to be informed; clients have a right to be informed about the data I collect and how this is used.

  • the right of access; clients have a right to see any details that I hold on them through a formal request for data access.

  • the right to rectification; clients have a right to request that their records be amended if they are inaccurate or incomplete (for instance, a change of name or address).

  • the right to erasure; clients have a right to withdraw consent to process their data and ask that their data be deleted or removed where there is no compelling reason for its continued processing. Where clients have provided consent to the collection, processing and transfer of their data, they have the right to withdraw that consent at any time. There will be no consequences for withdrawing their consent. However, in some cases, I may continue to use the data where permitted by having a legitimate legal reason for doing so.

  • the right to restrict processing; clients have a right to prevent processing their data.

  • the right to data portability; clients have a right to obtain copies of their personal data for re-use with alternative services or organisations.

  • the right to object; clients have a right to object to Christine Gregory, aka The Loss Therapist, using their data for particular purposes, such as direct marketing.

  • the right not to be subject to automated decision-making; Christine Gregory, aka The Loss Therapist, does not use automated decision-making to provide its services.

Any requests to view, amend, or delete personal information must be made in writing at christine@thelosstherapist.co.uk. All such requests will be actioned within one month of receipt. If I refuse a client's request under rights of access, a reason will be provided, and the client maintains a right to legal challenge.

Clients can see more about their rights at:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

How data is collected

Personal data is collected from clients in a variety of ways. Typically, this will start when a client makes an initial enquiry through my website, via email or via counselling directories, such as the Counselling Directory, BACP, welldoing.org, wearekiku.com or Psychology Today.  Such enquiries often contain personal information such as a client’s name, email address, and phone number. Such data will be processed for the proper and necessary administration of counselling and therapy services on the basis of consent. Data will continue to be collected during the initial 15-minute free consultation and following a client’s first and subsequent appointments.

I may receive information about a client from their GP or other health care provider regarding a client referral or, with a client’s permission, additional information that will help me continue with their treatment. I may also hold the results of tests that a client has undertaken as part of the therapeutic process relevant to their treatment.

All client data is stored electronically, and in the unlikely event that information is written in paper form, this will be transferred directly to our electronic client record and the paper copy destroyed. 

Personal data collected

Certain personal data is collected to ensure I can work safely and professionally with my clients, in line with the ethical guidelines as set out by the National Counselling Society and the British Psychological Society. Personal data relates to any such data through which a client can be identified. The personal data I will hold on a client may include personal or special categories data, such as:

  • Full name

  • Home address

  • Date of birth

  • Phone number

  • Email address

  • Emergency contact name and phone number – though it is unlikely that this information would ever be used, it is held in case I believe a client is at risk of harm and I am concerned for their welfare, for instance, if I am unable to get hold of a client

  • GP name, address and contact details – this information is needed if, through the therapeutic process, a client and I agreed that I might contact their GP to discuss their welfare, diagnosis, treatment plan or appropriate safety procedures. Additionally, if I were to become concerned for a client’s safety, I may decide to contact their GP or the emergency services

  • Payment information

  • Invoices

  • Email correspondence

  • Occupation

Special categories data include more sensitive personal information that requires a higher degree of protection, such as:

  • Relevant medical information – including details of any physical or mental health condition

  • Initial assessment information – including information submitted through my website’s contact form and obtained during the initial 15-minute consultation and first few sessions. I will only collect what is relevant and necessary, including details concerning any medication, previous treatment or other health-related issues that may be relevant. 

  • Session notes – these include the date and time of attendance and brief notes on important themes from the session

  • Preferred gender pronouns

  • Gender, ethnicity, sexuality and marital status – concerning discussions within our therapy sessions.  This is not information that I would actively request as standard but may be included in session notes where relevant

  • Voice recordings (where consent has been requested and provided) – I occasionally record therapy sessions to support my growth and development, review what has been discussed, and ensure sessions are most beneficial to my clients.

Special categories data is collected to ensure an appropriate level of care can be provided and determine whether any reasonable adjustments are required during therapy sessions. Data are held securely and not shared with anyone without explicit consent. Any special categories data is processed based on one of the following assumptions:

  • A client has given explicit consent to their processing (for instance, in the therapeutic contract)

  • I must process the data to provide adequate mental health care

  • I must process the data to carry out my legal obligations

  • I must process data for reasons of substantial public interest  

Less commonly, I may process this type of information where it is needed for legal claims, to protect a client’s interests (or someone else's interests) when they are not capable of giving their consent, or where they have already made the information public.

As with all cases of seeking consent from the client, they will have complete control over their decision to give or withhold consent. Similarly, consent, once provided, may be withdrawn. There will be no consequences where consent is withheld or withdrawn. However, in certain circumstances, withdrawal of consent may inhibit the ability to continue with counselling sessions.

Data storage

Personal data is stored in the following ways:


I use a clinic management software system called “Power Diary” to manage your personal data (including name, address, date of birth, GP information etc.), session notes, appointment bookings, payments, invoicing and any letters/communications.  Any paper notes are uploaded into Power Diary and then shredded, and online forms completed by clients are saved directly into the software. Access to this system is by individualised password login only, and two-factor authentication is in place. Access is limited to myself and my Clinical Will Executor. The software management company also have access.  PowerDiary is a GDPR-compliant platform and acts as a data processor. Further information about the platform and how it complies with GDPR can be found here.

Google Meet is used to conduct telehealth appointments and is compliant with the EU-US Privacy Shield Agreement/GDPR. Zoom, WhatsApp and FaceTime, all of which are also compliant with the EU-US Privacy Shield Agreement, can be considered as alternatives if issues are encountered with this software. Power Diary can also be used to deliver online therapy through their securely encrypted telehealth portal. This works in a similar way to Zoom conferencing software. Power Diary is firewall-protected, and telehealth functionality is end-to-end encrypted. Please find further information about PowerDiary’s telehealth system here.


My computer systems, including desktop, laptop, and tablet, are username and password-protected, and I have anti-virus and malware protection.

Payment for sessions is collected via Stripe, which is integrated with Power Diary.  Please note that no payment card or bank account details are stored directly within the clinic management software. Xero online accounting software is used to support my financial management and is integrated with PowerDiary.

Power Diary has an online document management facility, which I use to obtain client signatures on my Counselling Contract. Once a contract has been signed, it is stored against your client record in Power Diary.

Handwritten notes may be taken in the session using a “Remarkable” tablet.  These notes summarise the client session and support the continuity of treatment. Following completion of therapy, these notes are destroyed or uploaded to the clinic management system if they need to be kept.

Any voice recording of sessions is conducted using a Sony ICD-TX650 digital voice recorder, which is kept in a locked cabinet. After completing a session, voice recordings are immediately transferred into a secure folder within Google Drive, saved using a pseudonym and deleted from the digital recording device. 

Google Mail is used for all email correspondence. Power Diary has access to my Google Mail drive to send automated emails on my behalf. I am also able to access Google Mail via webmail with a password. Two-factor authentication is in place. You should be aware that any emails we send or receive may not be protected in transit. Similarly, while all online personal data is held in the UK, Google Mail is one of several exceptions which are US Privacy Shield and EU GDPR compliant. Other such services include Mailchimp and Zoom.

My professional executor has all client first names and phone numbers in paper form, kept in a locked filing cabinet in case of emergency; for instance, if I am suddenly incapacitated through poor health or in the case of an emergency, as detailed in my clinical will.

Data Use

Any personal data that I collect is used to:

  • Communicate with clients regarding upcoming or future appointments, cancellations and appointment rescheduling and provide reports or other information concerning their therapy

  • Provide an appropriate level of service to clients as set out in the counselling contract

  • Inform clients of changes to services

  • Personalise and tailor products and services to clients

  • Collect feedback following sessions

  • Process payments and raise invoices

  • Supply emails that a client has opted in to

  • Improve our services

Data disclosure & processing

There are several instances in which I may be obligated to share your personal data.  These include:

  • I may share client data with third parties to facilitate a referral to another healthcare practitioner, investigation or to keep their GP informed about progress with treatment. In such instances and, where possible, I will inform the client before doing so

  • If I am legally obliged to do so, for instance, through court order or governmental authority, or as a legal requirement such as the risk of harm, safeguarding children or vulnerable adults, terrorism or money laundering

  • In the event of my incapacity or death, my client’s personal contact information will be disclosed to the executor of my clinical will so that they can notify my current client base. In the event of my death, my executor will also destroy any client data

Additionally, several third parties are engaged to process data on my behalf.  These include:

  • PowerDiary

  • Xero

  • Stripe

  • Mailchimp

  • Google Drive

  • Zoom

  • Remarkable

  • WhatsApp

  • FaceTime

Data retention

In line with data protection principles, client data is only kept for as long as needed. Appropriate retention periods for personal data are determined through consideration of the amount, nature and sensitivity of data, any potential risk of harm from unauthorised use, or disclosure of client personal data, the purposes for which I process client data and whether I can achieve those purposes through other means, and the applicable legal requirements. 

On termination of any counselling services, I will remove certain data, including a client’s phone number, emergency contact, any session recordings and GP name and contact details. All other data and information relating to clients and their therapy sessions will be held for the duration of counselling and for six years following the date of a client’s last counselling session. These timeframes are governed by UK legal requirements, my insurance provider and by the professional regulator.

After six years, and once there is no longer a lawful reason for retaining client data, I will dispose of any data securely. In certain circumstances, I may anonymise client personal data (after which point it can no longer be associated with a particular client) for research or statistical purposes. In this case, I may use such information indefinitely without further notice to you.

Right to erasure

Under data protection law, clients have the right to request that any data I hold on them be erased at any time. However, under certain circumstances, this may not be possible, for example, if there is a legal obligation to retain the data or if the request falls within the period during which there is a professional or regulatory reason to keep any data. In the case of counselling records, Common Law, insurers, ethical bodies and HMRC ask that records be made available for a period of six years. Where a request is made to delete data following a period of therapy provision, I will consult with the appropriate professional and regulatory organisations before making any decision. I will inform my client as soon as possible once a decision has been reached.

Data requests

Clients have the right to request a copy of their personal data. If they want to access such information, they must make a subject access request by contacting me at christine@thelosstherapist.co.uk. Similarly, clients can ask for information to be transferred to an alternative provider of psychological services. Any requests for data must be made in writing, and I will respond within 30 days.

The client does not have to pay a fee to access their personal information (or exercise any of the other rights). However, I may charge a reasonable fee for a second or subsequent copy of the information, for a summarised version/report or if a client’s request for access is clearly unfounded or excessive.

Additionally, I may need to request specific information from a client to help me confirm their identity and ensure their right to access the information (or exercise any of their other rights). This is a security measure to ensure that personal information is not disclosed to anyone who has no right to receive it. When personal data is requested, the following forms of ID will be accepted: a copy of a driving licence, passport or birth certificate, and a utility bill not older than three months.

If a client believes the information I hold about them is out of date or inaccurate, I ask them to please let me know as soon as possible so that I can update my records.

Data breaches

While many procedures are in place to protect client data, my security process may be compromised, leading to a significant breach of client personal data. If this is the case, I have a legal obligation to report the data breach to any affected clients and to the Information Commissioner’s Office (ICO) within 72 hours.

Conclusion

A client’s use and undertaking of the services of Christine Gregory, aka The Loss Therapist, constitutes their approval and acceptance of this data privacy policy and the collection, storage and processing of personal data as laid out herein. Clients have a right to withdraw their consent at any time.

If you have any questions, concerns or wish to make a complaint regarding how your data is collected, stored, processed or handled, please do not hesitate to discuss this with me. If I do not respond within 30 days or you feel that the response has not been adequate, you also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO). The ICO may be contacted via its website or by calling its helpline on 0303 123 1113.

This data privacy policy is subject to regular review and will be updated as necessary.  Where any changes are made, clients will be notified of these as soon as possible.