
Sarah Eva: GDPR and privacy statement

Protecting your confidentiality is an ethical, professional and legal requirement. Under the General Data Protection Regulation (GDPR), your rights regarding information that I record about you, and your child if they are the client, are:

Session confidentiality

I adhere to the British Association for Counselling and Psychotherapy (BACP) ethical framework which means our sessions are confidential. I may be legally or ethically obliged to break confidentiality when, for example, I consider your welfare or the welfare of others to be at risk. Wherever possible, I will consult with you beforehand to gain your consent.

Recording sessions

It may be helpful for you to record your sessions. The recordings are for your use only and not to be viewed or heard by others, or distributed in any other way or form.

Supervision

I am ethically bound by the BACP to be supported by supervision. All therapists have a duty to their clients to engage in supervision. This is either an individual arrangement or within a group of peers often led by a consultant who is an experienced clinician. My client work is discussed to enable my clients to have the best quality of therapy. In this context, clients are not identified other than by their first name.

Sharing information

If you or your child has been referred to me by another health professional, it is often helpful and necessary, especially for medication requirements, that the referrer is updated regarding your treatment plan. Updates are sent by encrypted email and are respectful of your privacy. They do not contain information about session content but communicate your progress and interventions used. I need your agreement to enable me to do this. If your child (under 18) is the client then I will need the agreement of both you and your child.

Storing your information

To enable me to provide therapy, receive clinical supervision and consultation, and to maintain my accounts for billing and invoicing, I will require certain information from you that I will record and store safely. If your child is the client, I will need to record a combination of information from both you and your child.

How I process your information

All of the digital platforms that I use to store your information are compliant with the General Data Protection Regulation (GDPR) and have been specifically selected to ensure that I protect your privacy. All your information will be deleted 12 months after sessions end.

Client information management system (WriteUpp)

I store your personal identifying information securely within WriteUpp, a password-protected client information management system that can be accessed from my smartphone, tablet and computer. I store the following information in WriteUpp: name, gender, date of birth, address, telephone number, email address, GP name and contact number, next of kin, health care provider, brief session summaries, medical reports. I am bound by my insurer, and ethically, to hold this information for seven years, after which it will be deleted.

Electronic devices

No sensitive information is stored on my password-protected smartphone, tablet or computer. I store your first name, phone number and email address in my contacts list. I may use my smartphone for text message communication of a non-sensitive nature.

My website

I do not store any client information on my website apart from anonymous and approved client testimonials.

Web-based sessions

Your email address is stored in the contacts list of the secure platform I use for web-based sessions (VSee).

In the potential international context of web-based sessions, any complaints shall be construed and governed in all respects in accordance with the laws of England and Wales and any dispute or differences in relation to this agreement shall be subject to the exclusive jurisdiction of the English Courts.

Hardcopies

I keep non-identifying paper notes with the client’s first name. Paper notes are kept in a locked filing cabinet in my locked office. Paper notes include keywords about relationships, family history, career, school, counselling history, difficulties (reason for counselling), therapy goals, medical history, substance use, risk, resilience, psychometric measures, and session prompt.

Data breaches

If you wish to complain about data breaches then contact the Independent Commissioner’s Office.