GENERAL DATA PROTECTION REGULATION POLICY
During the first session with me, clients will be asked to complete an initial intake form consisting of relevant information including name, address, contact phone number, email address, and either a GP or emergency contact name and phone number. The form is then signed, and a copy will be given to clients at their following scheduled session. The original copy will be held in paper form in a locked and secure filing cabinet in my home. This form and the personal data held within it will not be shared with any other party without the client's consent, except where there is a legal requirement or court order to do so, or where there is an immediate risk of harm to the client or others.
In terms of any further personal data relating to the client that I store in paper form in a locked and secure filing cabinet in my home, this would be in the form of anonymized, hand-written notes containing a brief summary from therapy sessions attended.
All personal data will be held by me for a period of 10 years from the date of our last session, in line with direction from the insurance company with whom I hold my professional indemnity. The data will then be securely shredded. Data will be held for longer if necessary where there is an ongoing or pending court case or complaint.
Any emails or text messages received by me (to my phone number, through my Gmail account, or through the website) from existing or new clients will be captured in hand-written form and stored with the individual and relevant client contact form in a locked and secure filing cabinet in my home, before being electronically deleted.
Any emails, text messages, or phone calls (sent directly to me or forwarded from other referral sources) seeking to make the first appointment or enquiring about the service I offer will be held for no more than 3 months after being responded to and then deleted from all electronic devices.
For those attending appointments with me, the initial of their first name, initial of their surname, and phone number will be stored in the contact section of my work (not personal) smartphone but will not identify the individuals in any other way. The smartphone is password protected.
Clients have the right to access their data records via a Subject Access Request (SAR). This access will be arranged within 30 days. Clients may request the updating or correction of data held. Clients may request the return, copy, or deletion of their data. However, this is subject to legal requirements where I must hold data for a minimum of 10 years. Clients may also request that their data be sent to another data controller. The method of sending the information will be agreed upon with each request/individual.
I will notify affected parties of any serious breach of identifiable data. This would include incidents such as theft, loss or unauthorized access by another person. The Data Protection Commission will be notified of a serious breach of data.