General Data Protection Regulation (GDPR) Privacy Policy

Privacy Statement about Personal Information Collected, Stored, Processed and Kept by Dr Sonarzu Gullu-Mcphee, Chartered Clinical Psychologist.

The General Data Protection Regulation (GDPR) is concerned with the personal information about you that I collect, store and share. This document details my GDPR policy.

Personal Information I will Collect

As a psychologist I will collect both personal and sensitive data. The reason I collect your personal information is to enable me to deliver psychological therapy. I collect information at the point of initial contact (which might be via email, website contact page or phone call) as well as during the initial assessment session and any subsequent therapy sessions. The information I collect may include the following:

  • Name
  • Address
  • Date of birth
  • Gender (or preferred identity)
  • Telephone/SMS/WhatsApp contact details (plus permission to send SMS and WhatsApp messages and leave voice messages)
  • Email address
  • GP name and practice details, Psychiatrist, Community Mental Health Team Coordinator.
  • Occupation
  • Relationships, including emergency contact of a family member’s phone number and address
  • Psychological therapy history including any current or historical psychiatric diagnoses and treatment outcomes.
  • Medical conditions relevant to psychological therapy
  • Prescribed medication
  • Current psychological difficulties
  • Historical psychological difficulties
  • Lifestyle and social circumstances
  • Risk information such as suicidal and self-harming history and alcohol and drug use
  • Responses to psychological testing instruments (questionnaires and surveys)
  • Details of insurance policy information and any payment details from insurance company

Information Storage

I have implemented technical measures to ensure your personal and sensitive data remains secure. Your information may be stored in the following ways;

  • Paper; written notes which will include the initial email you sent or website contact sheet and therapy contracts. It may also include the work we have done together in therapy that cannot be produced electronically e.g. schema mode map, assessment record, client information sheet, brief session notes, and client code (linking documents). These will be stored in a locked filing cabinet.
  • WriteUpp: From 21st of May 2018 I use WriteUpp, a cloud-based online software that is GDPR compliant, to help manage my practice. I store names, address, date of birth, email, phone, appointments, invoices, GP details, insurance company details and next of kin in this online software. I also store session notes on this software. Your record is linked to a unique client code. The software for my practice is password protected.
  • Smartphone; I will store your contact information in my contacts but will use a non-identifiable code rather than your name.
  • Google G Suite; Session notes and invoices prior to 24th of May 2018 are stored in my drive in Google G Suite.
  • Email/SMS/WhatsApp; your email address and correspondence will be stored in my email account (currently Gmail) by nature of you contacting me. Your telephone number may be stored in my SMS or WhatsApp should we exchange messages this way but will be stored via a non-identifiable code rather than your name. Electronic correspondence will also be held by the corresponding app (Gmail, Phone’s SMS, WhatsApp) all of which are GDPR compliant.
  • PayPal: I use PayPal to store your name and email address if other types of payments cannot be made. This is password protected.
  • Website; none of your personal information is stored on my website, other than to momentarily collect and send a contact sheet to my Gmail account for the purpose of making initial contact via that contact page. The privacy policy on my website details how information is collected and securely stored. You will be asked whether you agree to the privacy policy when completing the contact form.
  • Dropbox; Should you wish for us to share documents via Dropbox I can set us up a shared Dropbox account and all the information shared will be held by us and Dropbox, which is GDPR compliant.
  • VSee: If you are using VSee for the sessions, your name and email address will be stored. The VSee account is password protected.
  • Zoom session recordings; If you are using Zoom for your online psychological therapy sessions and would like your sessions to be recorded so you can listen to them again then a recording of the session will be saved within my Zoom app on my computer and uploaded onto Dropbox immediately after the session. The recording will then be deleted from Zoom and my trash will be emptied immediately.
  • Audio recordings; With your permission I sometimes record sessions for supervision purposes on an audio device. If needed for supervision, some recordings are transferred to my computer and to my Google Drive on G Suite. If you have not given permission, sessions are not recorded. At times, you may need an audio recording of the sessions for your own personal use. It is important that this is not shared with any other parties or uploaded to other platforms/internet. Should any violation of this condition occur, this would represent a violation of the boundaries of our therapeutic agreement and may result in therapy being terminated or legal action.
  • Electronic devices; All electronic devices (including computers, laptops and mobile phone) used to access stored information will themselves be password protected.

How I may Process and Share your Personal Information

  • Supervision/Accreditation; I have regular supervision with other qualified psychologists and therapists. Supervision is for my practice to ensure I am adhering to professional standards and evidence based ways of working. All of my supervisors are GDPR compliant and thus we are considered joint data controllers. With your written permission, I share some of the recording with my supervisor who will help me by ensuring that I am adhering to the professional standards and will rate the recording for Advanced Level Certification for Schema Therapy. To reach the Advanced Level Certification, my supervisor might choose to share the audio recording with an external rater, who will be another Clinical Psychologist and data controller herself. I transfer the audio recordings from my audio device to my computer, and back them up to my Google Drive. I then send the file via G Suite email account using Google Drive. As soon as supervision is over, the files are permanently deleted from the Google Drive or emails.
  • Therapeutic Will; Your name, contact details, brief treatment outline, risk issues, stage in therapy and family contact details will be stored in my Dropbox and a paper copy of it will be stored at my Petersfield Clinic address above, which my Therapeutic Executor can access in the event of my death so she can contact you should you still be in therapy with me. My Therapeutic Executor is a Chartered Psychologist and is GDPR compliant. She is therefore a joint data controller.
  • Sharing Information with your GP/Other Health Professionals; Some clients like their GP (or other professionals involved in their mental health care such as a Psychiatrist or the insurance (AXA, Cigna, WPA mental health care team)) to be kept informed of the work they are doing in psychological therapy. This might include sending assessment/progress/discharge reports or having telephone conversations disclosing personal and sensitive information pertaining to you. We can discuss what and how much information is disclosed and you will be given an opportunity to make amendments before any letter/report is sent. I will only send reports or have telephone discussions of this kind if I have your permission to do so and you can withdraw consent for any further correspondence at any point during our work together (assuming there is no duty of care to disclose information; please see the point below). Your GP and other health professionals should be GDPR compliant (I would check to ensure this before sending any confidential information) and thus would be considered joint data controllers.
  • Duty of Care and Confidentiality; All the information you share with me is treated confidentially unless you request I share it, for example with your GP. The only exclusion to confidentiality is if I suspect there is a risk of harm, either to you or someone else. If I thought there was such a risk, I would discuss it with you if at all possible so we could consider how we can best manage the risk, which may include involving your GP or other care agencies. Only information relevant to managing the risk would be shared. If I don’t have your permission to share information and I deem there to be serious and imminent risk to yourself or someone else then my professional codes of conduct and the law may require that I inform an authority and share your personal information without your knowledge and permission (known as whistle-blowing for example in cases of suspected terrorism).
  • E-Mail Exchange; Although Gmail is GDPR compliant, any confidential (e.g. personal and sensitive) information that I need to send to you will be typed into a memo, password protected and then attached to the email. I will inform you of the password in person or via videoconferencing. I advise you to share confidential information with me in the same way.
  • Postal Mail; Should I send any confidential mail in the post (to you or your GP) this will be clearly marked confidential.
  • Erasing Your Information; When we have finished working together, I will hold onto your information for seven years past the end of our work together. This is in line with my professional code of practice and is for example so that I have a reference of our work in situations such as you returning to psychological therapy in the future. After this time has passed I will shred any written information via a confidential waste service and securely delete any electronically held information.

Your Rights

You have the following rights…

  • To be informed what information I hold (i.e. to be given or have access to this document)
  • To see the demographic information I have about you (free of charge for the initial request)
  • To make a ‘subject access request’ (SAR) for copies of your records. There may be an administrative charge for this and these will be provided within one calendar month of the request being made.
  • To rectify any inaccurate or incomplete personal information
  • To withdraw consent to me using your personal information e.g. to withdraw consent for me to telephone you and request I contact you via email only
  • To request your personal information to be erased (though I can decline whilst the information is needed for me to practice within my own professional code of ethics and conduct).

If you wish to assert any of these rights you should contact me.