GDPR statement – Your Information
Who I am
My contact details: John Dray, john@johndray.com
What I keep
Notes in paper or electronic form.
Audio recordings of work with clients.
Possibly video recording of work with clients.
Why I am allowed to keep
I keep your data only if I have your consent. You can withdraw this consent at any time. You have the right to access your personal data, the right to rectify inaccurate data. If you withdraw your consent, then I will either destroy the data or anonymise it, unless prevented by law. If you withdraw your consent then I will not be able to continue to work with you as it is a condition of my training that I keep detailed notes of work, record the sessions, am able to contact you and maintain information that could be useful in emergencies.
Why I keep it
A record of sessions so that I can:
- give better continuity to my work with you.
- as a record to help work through issues with my supervisor and continue my learning
- as a record to help write up case studies
- to comply with legal requirements
- ensure that I have your details in order to contact you both as part of our work together and in case of emergency
- details of your GP in case of emergency
How I keep it
Paper records will be kept in a locked filing cabinet.
Electronic records will be kept on a password protected computer with an encrypted hard disk. In these cases, the records are anonymised so that a breach of data security will not allow someone to work out who the notes are about.
In secure cloud storage specifically designed with the needs of keeping client records and with confidentiality in mind. This includes our automated SMS and emails to remind you of appointments/send out security codes. (writeupp.com)
Emails are kept on a secure email system. (Proton mail)
Backups are stored on an encrypted system where no access is available to the backup provider.
Financial transactions may be electronically processed. These will be kept in systems adhering to Payment Card Industry Data Security Standards (PCI-DSS).
If you initially contacted us through Facebook or Instagram, or other Meta products, they may have tracked your information. That will be covered by your agreement with them.
How long I will keep it
In the case of adults, notes will be kept for up to seven years after therapy has ended. After this time the files will be destroyed or anonymised. Audio recordings will be destroyed after they have been transcribed.
Who gets to see it
My supervisor will get anonymised details of my sessions with you.
If I am required by law to reveal your information. Examples could include safeguarding, terrorism or money laundering. There could also be examples where your life or the life of another is in danger and revealing information could reasonably save a life.
How to ask for a copy of your personal information
You have the right to ask for a copy of the personal information I hold about you. This is called a subject access request. You can email me at john@johndray.com with the subject line “Subject access request – ICO ZB905315”.
I will respond to a subject access request without undue delay and normally within one month of receiving it. If the request is complex, or if you have made several requests, I may need longer. If that happens, I will tell you why and when I expect to respond, in line with data protection law. You also have the right to request this information verbally.
I may need to confirm your identity before sending personal information to you. I will usually provide the information free of charge and in a secure electronic form, unless you ask for another reasonable format. In rare cases, the law may allow me to charge a reasonable fee or refuse a request, for example if it is manifestly unfounded or excessive.
There may also be rare situations where I cannot disclose some information, for example where disclosure would adversely affect another person’s rights or where another legal or professional obligation applies. If I need to withhold any information, I will explain this unless the law prevents me from doing so.
How to make a data protection complaint
If you are concerned about how I have collected, used, stored or shared your personal information, please contact me directly so that I can look into it. You can email me at john@johndray.com with the subject line “Data protection complaint – ICO ZB905315”.
I will acknowledge receipt of a data protection complaint within 30 days. I will take appropriate steps to investigate the complaint without undue delay, keep you informed where the investigation is continuing, and tell you the outcome without undue delay once I have finished looking into it.
It is helpful if your complaint explains what has happened, what personal information you are concerned about, and what outcome you are seeking. If the complaint includes sensitive information, please use email or another direct method rather than social media.
You also have the right to complain to the Information Commissioner’s Office (ICO). The ICO website is https://ico.org.uk/make-a-complaint/ and their helpline is 0303 123 1113. My ICO registration number is ZB905315.
What happens if it leaks
If information leaks, then I am bound to notify you and the Information Commissioner’s Office (ICO) within a statutory period of time.
These are detailed on the ICO website: https://ico.org.uk/ My registration number is: ZB905315.
The notes of sessions will be kept separate from your personal notes.
What happens if I am no longer able to keep it
If I am no longer able to work with you on a long-term or permanent basis. I have made arrangements for another therapist to deal with my work. They would take over my notes.
If you were still in therapy with me at the time, You would have the option to continue therapy with them.