I value your privacy greatly. The following privacy notice explains how I collect and manage your personal information, including matters covered by the General Data Protection Regulation (GDPR).
GDPR data rights encompass various privileges regarding your personal data. These rights include the ability to access your data, rectify any inaccuracies, erase it under certain conditions, restrict processing, receive a copy for transfer, and object to processing for specific reasons.
Additional information regarding these rights can be obtained from the Information Commissioner’s Office (ICO), with whom I am registered.
Should you wish to utilise your data rights or seek clarifications regarding the security measures I have in place to protect your information and data, please don't hesitate to contact me via email.
Online sessions are held in a private and confidential environment. Please ensure you have a private space to talk.
It is important to be aware of the risks of third parties gaining access to private information shared over the internet. End-to-end encryption scrambles messages to reduce the risk of others reading your messages or listening to your calls. I provide online sessions using Microsoft Teams, with end-to-end encryption enabled.
My outgoing emails are sent with encryption in transit as standard (as long as the recipient’s email provider supports this, which most major providers do). I use end-to-end encryption for sending emails containing sensitive information, and can assist you in setting this up before sending emails containing sensitive information to me.
Internet communication can be vulnerable to spyware (listening in). This risk is reduced by:
Turning off listening devices (such as Alexa and Siri)
Using firewall and antivirus programmes
Running legitimate software updates
Not opening unexpected and suspicious-looking emails
I do each of the above, and recommend that you do the same.
Enquiry:
When you first enquire about therapy, I will ask for your initial details, including your first name, email address, and phone number. Additionally, I will ask for some sensitive information related to your present and past mental health.
Registration:
I will require your full name, address and date of birth. I also request details of your next of kin, GP, any private health insurance details and any other professionals who may be supporting you.
Notes taken during assessment and therapy sessions:
Information collected from online therapy sessions, email or telephone will be used to support your treatment and future therapy plan.
Within 30 days: Emails including enquiries and registrations that do not result in CBT therapy will be deleted.
A period of seven years: For registrations that result in CBT therapy (i.e. one or more therapy sessions) I will securely store private and/or sensitive data in your clinical record following the end of your treatment.
More than 7 years: If your therapy is funded by a third party (i.e., health insurance company), they may require notes to be kept for longer. Please check with them for more details.
All Personal and Sensitive Data shall be deleted once the retention period ends.
All personal information, from enquiry to the end of the data retention period, is stored in a password-protected, encrypted, cloud-based data storage system which my clinical supervisor / clinical executor(s) have access to. This is so that you could be appropriately informed should unanticipated serious events (e.g., my death or becoming incapacitated) result in me not being able to continue with your session(s). I also enter your first name and phone number into my (password-protected) mobile phone, in case I need to contact you regarding any technical issues during online therapy. Your name and number are deleted from the shared cloud and my phone when therapy comes to an end.
Enquiries, registration information, assessment and therapy notes (summarising the content of sessions, and other personal and sensitive information which has been shared) are stored in an ISO 27001-certified, cloud-based system, which is encrypted in flight and at rest (with navigation running on 256-bit SSL). Access is protected using two-factor authentication (‘2FA’ – meaning that both a password and the use of a trusted device are required).
My tax is calculated by an accountant. Invoices may include your Personal data (i.e., name, address, date of birth and relevant codes). However, no sensitive data (such as diagnosis, or personal circumstances) is disclosed to them. There may be times that your information needs to be shared with other third parties. For example, referrers, or other professionals who are supporting you. I will check your consent before sharing your information (unless this was not possible in an emergency situation and / or doing so may increase any identified dangers to you or others).
I would notify you of any security or confidentiality breaches, in line with my legal requirements to do so.
In my role as a health care professional, the ‘lawful basis’ for my holding and using your information is in relation to the contract I hold with you. This is permitted under data privacy law as part of my legitimate interest in understanding my clients and delivering the best service possible.
I, Alexander Preston (trading as Home CBT), am the data owner and data controller. I manage my own email account and therapy records.
The owner, Alexander Preston (Home CBT), may process Personal Data relating to clients when it is necessary for specific purposes: Performance of an agreement with the client and any pre-contractual obligations; Compliance with a legal obligation to which the owner is subject; Legitimate interests pursued by the owner or by a third party. I will not sell your data. I will not use it in any way that could result in personal, professional, or financial gain (without your informed consent).
I will attempt to respond to any concerns or requests to exercise your data rights within 30 days of your email. If you are not satisfied with the response that you receive, you have the right to lodge a complaint with the Information Commissioner’s Office online or by calling 0303 123 1113.