Inter-Mind Psychological Services Ltd takes your privacy very seriously. We will only collect and store personal and sensitive information which is relevant to our work together and will do so in a way that is compliant with the General Data Protection Regulations (GDPR; 2018).
This policy describes how we manage your information when you use our services. If your questions are not fully answered by this policy, please contact Dr Steven Lilley (Data Controller). If you are still not satisfied with the answers given, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk
Inter-Mind Psychological Services Ltd is registered with ICO (registration reference: ZA099927).
- Why do we need to collect personal data?
We need to collect certain information about you so that we can:
- Know who you are so that we can communicate with you in a personal way.
- Verify your identity so that we can be sure we are dealing with the right person and ensure confidentiality at all times.
- Deliver services to you.
- Process your payment for services.
The legal basis that we have for collecting the information is called legitimate interest. We are unable to provide a service to you unless we collect certain information about you.
- What personal information do we collect?
In order to provide a service to you, we need to collect the following information:
- Name, address, email address, phone number, financial details, for the purposes of identifying you, reviewing our services, your payment details and to contact you with any changes to the service you receive (e.g. altered appointments).
- Details of your General Practitioner (GP) and referring agency (e.g. solicitor, rehabilitation company, health insurance company).
- Your personal information may be shared with a third party you have informed us is already involved, where applicable (e.g. solicitor, insurance company, rehabilitation agency) to enable us to carry out the service which you or they have contracted with us. This sharing forms part of our contract as a psychological service provider, and may also take place if we are legally obliged to do so, e.g. if instructed to by the Court. Please contact the third party if you wish to know how they use, store, and share information about you.
- Details of your next of kin.
- We need to collect a range of ‘clinical’ information in order for us, as a provider of psychological assessment and therapy, to fulfil our contract to you. This information includes your psychological history and current difficulties, basic family details, lifestyle and social circumstances, employment and education details, medical conditions (if relevant), prescribed medications, and criminal history (if relevant). Additional information in the form of symptom questionnaires and other psychological inventories may also be collected in discussion with you if, for instance, they increase our understanding of your difficulties and enable us to enhance our services to you.
- How do we use the information we collect?
- To communicate with you (e.g. so that we can inform you about your appointments with us), we use your name and contact details (e.g. email, telephone number) that you have provided us with.
- To communicate with third parties that are involved in your care (e.g. referring agency), we use your name and contact details. We may also use your name and contact details to liaise with your GP, if you have consented to this (e.g. update letter), or without your consent in the case of an emergency/crisis.
- To be able to deliver a psychological assessment and therapy service to you, we keep clinical notes. The general content of assessment and therapy sessions is recorded in clinical records as an essential part of our service.
- If you are seeing us as part of a legal claim process, we will be required to produce a report that contains information we gather from the assessment and to comment on matters relevant to your claim. These cases become the property of the Courts and will be used in the legal process. It is important to note that anything discussed in your assessment, or therapy, may be included in the report. In addition, your therapy notes may be requested by the Court, in which case anything discussed may be disclosed to the Courts and all parties in the case.
- To process your payment, we use your name to generate an invoice. Your name will also appear on our bank statements, or statements generated by the fee-paying agency (e.g. health insurance company). Any relevant reference/policy numbers will also be used, where necessary.
- The British Psychological Society (BPS) guidelines for clinical practice recommend that each Psychologist use a Supervisor to ensure the quality and standards of their work. We will use supervision for this purpose with an HCPC-registered practitioner who is bound by the same rules of confidentiality and who is compliant with the GDPR. We will share sensitive data with this person to benefit the quality of the service you receive, but not personal data (names, etc.).
- We will not use your data for marketing purposes and will not sell it to any third party.
- How do we store the information and use electronic communication?
We use personal laptop computers that are located on our business premises and transported to other premises as required. The computers are password protected and hard drives are encrypted. Passwords are not shared.
Electronic information is kept on Tresorit. Tresorit is an end-to-end encrypted file storage cloud. Only the psychologist working with you can decrypt the data; even the people at Tresorit cannot read it. Our account is locked with a strong password and two-step verification. These records are only accessed by the psychologist delivering the service to you. Good practice guidelines from the Health & Care Professions Council (HCPC) recommend that we must keep your case records and personal data for 7 years, after which, we will securely destroy the data.
We protect your privacy and the security of your data by using only encrypted products for electronic communication (e.g. Zoom, Microsoft) that are GDPR-compliant. In order to reduce the risk of a data breach, we request that you do not disclose sensitive information by email or text message and we will not do so.
Only Dr Lilley’s mobile phone will be used for text correspondence. This mobile is encrypted and can only be opened with a password or fingerprint each time it is accessed/opened.
Emails and other electronic communication
We only use electronic communication service providers (e.g. Zoom, Microsoft Outlook) that are compliant with the General Data Protection Regulation 2018 (GDPR).
Paper copy records
Clinical records are usually handwritten and are kept confidentially in locked filing cabinets on the secure business premises. They are stored and destroyed in line with current recommendations (see below).
As noted above, invoices are generated that contain your name and/or client reference number (depending upon who is paying your fees). Each year, our accounts are reviewed by a Chartered Accountant, who prepares the Company Accounts and Tax Returns. The accountant has access to our bank statements, which will show payment data from individual clients who have chosen to pay using online banking (BACS). These entries will often have your name as a reference. We do not currently offer card payments. If this service is introduced in the future, we will require your card details at the time of the transaction.
- Who do we send information to and how do we send it?
If you make an enquiry or are referred to us, we will contact you in the way you have requested or implied (e.g. email, text, telephone call). We will not ask you to send personal information to us except for that which we require to offer a service to you. We advise that you do not send detailed information to us. You will be responsible for information that you share with us (e.g. via email, text).
Good practice guidelines recommend that GPs are informed of a patient’s involvement in private therapy, although it is not essential to do this as part of routine practice. We will discuss this with you at your first appointment and gain your consent if you wish us to liaise with your GP as part of us delivering a service to you. If you agree, we would usually write your GP a brief letter updating them of your involvement/progress. We would recommend that you discuss any involvement in therapy with your GP but this is not essential, except on occasions where there may be a risk of harm to yourself or others. On these occasions, we may need to liaise with your GP (e.g. by telephone or letter), or other appropriate agency, without your consent (see below).
In most cases, we will not share your personal information without your consent. However, the Health & Care Professions Council (HCPC) and British Psychological Society (BPS) standards of ethics and the General Data Protection Regulations (GDPR) state that data processing may be vital in the legitimate interests of the client (‘data subject’). For example, in order for us, as the service provider, to fulfil our services, we may need to contact your general practitioner (GP) or other healthcare provider if we have concerns about your safety and welfare or that of someone you have informed us about. If possible, you will be made aware of this prior to contact being made, but there may be occasions where this is not possible.
If you are referred to our service as part of a legal claim or via your health insurance, we will send a report to your solicitor, insurer or other referring agency (e.g. Rehabilitation Company). All reports are sent electronically as attachments that are encrypted with a password or as an encrypted link from our Tresorit cloud account.
We send electronic accounts information to our accountant via the above encrypted process. Any hard copy information that is required is delivered securely to the accountant’s office. Our accountant is based locally.
In the event of a complaint against Inter-Mind Psychological Services Ltd, your personal data may need to be shared with relevant bodies (e.g. ICO, HCPC).
- How can you see all the information we have about you?
You can make a Subject Access Request (SAR) by contacting the Data Controller, Dr Steven Lilley. We may require additional verification of your identity to process this request. In most cases, you will receive scanned or electronic information in a portable format. You will be responsible for the security of that information once it is in your possession. We may withhold some personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
- What if the information we hold about you is incorrect or you want it erased?
You have the right to request changes to factually inaccurate information we hold about you and the right to request the deletion of information. If it is no longer necessary for us to hold this data in order to protect your or our current or future legitimate interests, and if we have no legal obligation to hold the data, then we will comply with your request. We will discuss this with you at the time and explain if it is not possible to delete the data.
- How long do we keep information for?
In accordance with recommended guidelines, your personal information and clinical records (hard copy and electronic copy, if relevant) will be stored in a secure location for 7 years (or 7 years after your 18th birthday if you are under 18 years currently). Sensitive information relating to the work completed will be destroyed 7 years after the end of our work together. By law, this is the length of time we are required to store this information.
If you have any questions or concerns about the information we hold about you, please contact us in the first instance at firstname.lastname@example.org. If you feel we cannot resolve your concerns adequately, please contact the Information Commissioner’s Office: www.ico.org.uk.