Hollybrook Health Psychology Information Governance Policy and Procedures

This document outlines the framework Hollybrook Health Psychology has in place to ensure the rights of individuals in relation to personal data. We are committed to ensuring the highest standards of data privacy and all data held by Hollybrook Health Psychology will be held lawfully and for the retention periods documented in this policy.

Where reference in this document is made to Hollybrook Health Psychology this relates to all forms of trading by Hollybrook Health Psychology. Hollybrook Health Psychology uses the ICO Codes of Practice and the Caldicott Principles to ensure we adopt best practice when handling personal data.

This document states our privacy policy and explains what data we need from you and why.

‘Data’ in this policy refers to:

• Case notes and files
• Written documents
• Database and spreadsheets
• images
• Recordings
• Text messages
• Emails
• Supervision notes
• Social media communication
• Visits to the organisations website

Purposes/reasons for information processing

Hollybrook Health Psychology processes personal information to enable the provision of person-centred psychological therapy and clinical hypnotherapy, psychoeducational wellbeing workshops, supervision, to maintain accounts and records, and to advertise services.

Personal data is used for the following purposes:

• To enable us to contact you with important information about the services we provide i.e. responses to enquiries, changes to booked appointments, notice of holidays, changes to working hours or fees;
• To enable communication about therapy in between sessions, where relevant; and to comply with regulatory professional bodies (British Psychological Society, Health and Care Professions Council, Complementary & Natural Healthcare Council).

• Name
• Address
• Telephone number
• Email address
• Employment and education details
• Racial or ethnic origin
• Religious beliefs
• Medical information relating to the reason for your visit including physical and
• mental health details.
• Offences and alleged offences
• Financial details
• Goods and services

Hollybrook Health Psychology complies with UK data protection law and follows the medical confidentiality guidelines issued by the professional bodies with which the practice owner is registered. Hollybrook Health Psychology processes personal information about clients, business contacts, professional collaborators, supervisors, and suppliers.

Data Processing

The data Hollybrook Health Psychology collects is needed for your attendance with the Practice. We will obtain your consent for data processing for the purposes detailed on the consent form when you register as a client. This will be stored in your personal file. Participating in the service by attending a subsequent session will imply that you agree with the Hollybrook Health Psychology terms and conditions provided to you at registration as a client.

Data Storage and deletion

Records are updated after every contact we have with you to keep the information we have about your therapy and any adjustments up to date. These records and all personal data are stored on an encrypted, password protected computer. Only your Psychologist has access to these records. All documents containing personal data are clearly marked with ‘Private and Confidential’.

In accordance with professional body regulations, Hollybrook Health Psychology are required to hold your client records including consultation notes for 8 years after your last appointment. After this period, if we have not heard from you, all data held about you will be destroyed. There may be instances when data is not destroyed due to ongoing enquiry, investigation or litigation. This data will be deleted once it has been confirmed that it is no longer required.

If a client provides a testimonial for use on the organisation’s website, this anonymised personal data will be retained. Anonymised data is not subject to UK GDPR law and so in this instance GDPR law is not applicable.

Your rights under GDPR

Under the UK General Data Protection and Retention legislation (GDPR, 2018) all individuals have the following rights with regards to personal data:

• To be informed about processing of your personal data.
• To request access to your personal data and information about how we process it.
• To have your personal data corrected in case of inaccuracy and to have incomplete information completed (Data rectification).
• To erasure of your personal data/to be forgotten.
• To restrict processing of your personal data.
• To move your personal data (Data portability).
• To object to processing of your personal data.
• To not be subject to automated decision-making including profiling.
• Hollybrook Health Psychology does not use automated decision-making or profiling. If you wish to exercise any of the rights detailed above, please contact us.

Data sharing

Information about you may be shared with other healthcare professionals such as your GP or others involved in your care. We will talk to you about this if it is necessary.

Website privacy

The website is owned by Hollybrook Health Psychology. Hollybrook Health psychology uses Google analytics and Stat Counter, which are third-party service, to collect information about what visitors do when they visit the website, for example, which page is most frequently visited. This data collected by Google analytics and Stat Counter are non-identifiable, and so Google analytics, Stat Counter and Hollybrook Health Psychology cannot identify who has visited the website.

Updates and contact information

This is a live document and may be updated at any time to reflect changes in the law or the business and accordingly you are advised to revisit the privacy policy regularly to check for updates. Hollybrook Health Psychology will be transparent about the collection of personal data and will be clear about its processing. All emails you receive from Hollybrook Health Psychology will include our privacy policy. If you have any data protection queries, please contact us.

Data controller/processor: Dr Katherine Swainston, Practice Owner.