Dr Marc Williams Privacy Policy V.1

This document explains how I (Dr Marc Williams) comply with the General Data Protection Regulation (GDPR), and it applies to those receiving therapy and supervision from me.

I am the data controller and data protection officer, regulated by the Information Commissioner under GDPR and the UK Data Protection Act.

You (the client receiving either therapy or supervision) are the data subject.

  1. Personal data I collect and process

I process the following personal data from therapy clients and supervision clients:

Personal data

  • name and address
  • phone number
  • email address
  • video conference ID (for teletherapy such as Zoom)
  • name and phone number of emergency contact, GP, and other relevant medical specialists involved (e.g., your psychiatrist)

Sensitive personal data

  • therapy or supervision records (therapist / supervisor notes, letters, reports and/or outcome measures)
  • relevant medical information, my emails to you, and your emails to me.

I collect this information directly from you and relevant third parties, from my first contact with you and any subsequent sessions.

  2. The lawful basis for processing personal data

The basis for collecting data is to provide healthcare, treatment, and supervision. No information you provide is passed on without your consent (apart from in exceptional circumstances where I must comply with my legal and regulatory obligations - see section 5).

I will never sell your information to others. I will not share your personal information with third parties for marketing purposes.

  3. What I do with your personal information

I will only use your personal data to provide the services you have requested from me. If you don’t provide the personal information requested, I may be unable to provide a service to you.

  4. How long do I store personal information?

I only store your personal information for as long as it is required. Basic contact information held on a phone or teleconferencing service is deleted after our final session. Other personal data and sensitive personal data described above is stored for 7 years after our final session. After this time, all data is deleted at the end of each calendar year.

  5. How I might share personal information

I hold information about each of my clients in confidence and will not normally share your personal information with anyone, with the following exceptions:

In exceptional circumstances, I might need to share personal information with relevant authorities:

  • when the information concerns risk of harm to you, another adult or a child. I will discuss proposed disclosures with you unless I believe that to do so could increase the level of risk to you or someone else.

  • when disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.

  • I may share relevant clinical information with other health care providers such as your GP, on a need-to-know basis and only after discussion with you.

  • if treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared with legal services as required and with your written consent.

  • in line with best practice I receive regular clinical supervision from other mental healthcare professionals. If your case is discussed in clinical supervision, this will be done with your best interests in mind, your identity will always be kept confidential and the content of what we discuss will be treated as confidential.

  • for payment of fees I prefer to use bank transfers.

  6. How I ensure the security of personal information

Personal information is minimised in phone and email communication. Any sensitive personal data sent from me to you by email will be sent as a password-protected attachment. I use a GDPR-compliant email service.

I will monitor all emails sent to me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

  7. Teletherapy

I prefer to use Zoom for meetings, which is GDPR-compliant. I conduct sessions in a private room out of the sight and earshot of others to prevent data from being intercepted by a third party.

It is your responsibility to ensure that the electronic device you use for teletherapy is secure and that you are in a private room out of the sight and earshot of others during our sessions.

  8. Where is personal data held?

Personal data that you send me is held in my password-protected email client, which only I can access. I hold any notes from our therapy or supervision sessions on WriteUpp, which is a GDPR-compliant web package often used by therapists to safely store therapy/supervision notes and personal details.

  9. Your right to access the personal information I hold about you

You have a right to access a copy of personal data I hold about you.

I will usually share this with you within 30 days of receiving a request.

There may be an administration fee for supplying the information to you and I may request further evidence from you to check your identity.

A copy of your personal information will usually be sent to you in a permanent form as a printed copy.

You have a right to get your personal information corrected if it is inaccurate.

You have the right to require me to restrict processing of certain personal data in certain circumstances (e.g. if the accuracy of the data is contested).

You have the right to require me to delete personal data. However, I reserve the right to refuse a request to delete a client’s personal information where this constitutes therapy records. I follow best practice guidelines of the British Psychological Society (2000) [1] and The Health and Care Professions Council (2017) [2] regarding the retention of personal data contained in (amongst other sources) patient notes and clinical records. I retain personal data for a period of 7 years following the cessation by data subjects of engagement with me. When it is no longer necessary to retain personal data I will delete it.

I hope that we can resolve any query or concern raised about my use of personal information. GDPR gives you the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner and you can contact them at https://ico.org.uk/concerns or: 0303 123 1113.

  10. Changes to this privacy policy

I may change this privacy policy from time to time. When I do, I will inform clients via email.

By signing a therapy or supervision contract or indicating your consent by email or by attending an initial session with me, you are confirming that you fully consent to Dr Marc Williams holding, controlling, processing and storing your personal data as stated above.

Dr Marc Williams Clinical Psychologist


  1. The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.

  2. Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.