Dr Jo Steer & Associates
I, Dr Jo Steer, provide psychology services (training workshops, supervision, psychological therapy and assessment). You may be aware of the laws relating to the General Data Protection Regulation (GDPR) that have been in effect since 25 May 2018. The purpose of GDPR is to provide a set of standardised data protection laws across all EU member countries. This privacy policy explains how I comply with these laws and explains the personal or sensitive information that I collect, store and process about you as a data controller.
1. What are your rights?
I am committed to protecting your / your child’s rights to privacy. They include:
Right to be informed about what I do with your personal data
Right to have a copy of all the personal information I process about you
Right to rectification of any inaccurate data I process, and to add to the information I hold about you if it is incomplete
Right to be forgotten and your personal data destroyed
Right to restrict the processing of your personal data
Right to object to the processing we carry out based on our legitimate interest
2. Why do I collect information about you or your child?
I collect information about you or your child to provide you or your child with psychological assessment and treatment and because it supports the provision of a safe and professional service. It is therefore in my legitimate interests as a Registered Psychologist to collect your or your child’s personal data. I also collect sensitive ‘special category’ data (such as details about psychological difficulty). My lawful reason for doing so is that it is necessary for the provision of safe and professional (mental) health treatment (psychological therapy). You and your child do not have to agree to share information with me; however, in many cases I may not be able to offer you a service if you do not.
Another lawful reason for processing your or your child’s data may be Legal Obligation. If I am processing “special category data” about you or your child, this is my second lawful reason to do so. This is likely to apply if they are being assessed as part of a litigation claim.
I may also collect information about you if I am providing supervision, training or other services to you. If you are a supervisee I will have a contract with you, which will be my lawful reason to process your data.
I may also ask for information on how you and your child found our service for the purpose of my own marketing research. No information you provide is passed on without your consent. I will never sell your information to others.
3. What information do I collect about you and your child?
In order to provide a safe and professional service I collect information about you and your child that includes personal and sensitive information. I collect information about you and your child that may include personal information, such as:
Name
Address
Telephone numbers
Date of birth
Gender (or preferred identity)
Age
Relationships & children
Occupation
Telephone/SMS number
Email address
School name and contact
In addition to the personal information above, I may also collect sensitive information including:
Medical conditions (if relevant)
Prescribed medication.
Psychological history and current difficulties.
Relationships and history (including therapy history)
Sexuality (if relevant)
Offences
Financial information, including bank account details
Session / assessment notes
Signed therapy/ GDPR agreement
Any illicit substance use
Completed questionnaires
Some of this information will be collected directly from you; it may also be collected from a referring agency such as a GP, psychiatrist, school, healthcare provider or intermediary company. In such cases I will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment. Please be aware that if you do not provide the personal information requested, then I may be unable to provide an assessment service to you.
I also process personal data pursuant to my legitimate interests in running my business, such as keeping invoices and receipts and documents relating to accounts and tax returns.
Supervisees
I will only use the information you supply to me to support your supervision. Data that I collect about you, in addition to the above, may include:
Bank details for payments
Curricula vitae
Professional registration details
Information regarding previous supervision
Where I want to disclose information to a third party, for example in providing a reference, I will not do so without disclosing it to you beforehand, unless disclosure is required by law.
4. Web access collection of information
I collect information when you voluntarily complete contact forms. If you complete a web-based enquiry form, I will also collect any information you provide to me. I use cookies on my website to gather information about visitors in order to monitor the quantity of website traffic. I do not identify you or any other individuals from this information.
5. How do I use the information that I collect?
To respond to your enquiries
To communicate with you about appointments
To offer you high quality psychological assessment and treatment including liaison with others involved in your care, where relevant and with your consent.
To create invoices.
6. How do I store and share the information about you?
I take your privacy very seriously and I am committed to taking reasonable steps to protect any individual identifying information that you provide to me. Once I receive your data, I make best efforts to ensure its security on my systems. All personal information provided is stored in compliance with the EU General Data Protection Regulation (GDPR).
Your data may be stored in the following ways:
Written assessment and session notes. Only initials are written on assessment and session notes. Whenever possible, notes are transported separately from your contact details and both are kept in locked cabinets.
Email correspondence between us is stored in my email account, including your email address and anything you disclosed in emails. I regularly delete emails; however, please be aware that email is not a secure mode of communication and you may prefer to communicate personal information to me directly in person or on the telephone. My smartphone and computer are password protected.
Electronic information (e.g. a report) is held in highly secure encrypted cloud storage or on an encrypted hard-drive. These are password protected. Malware and antivirus protection is installed on all computing devices. Mobile devices are protected with a passcode. When electronic information needs to be shared this will be done securely through Egress.
Your telephone number may be stored in my SMS if we have communicated in this way.
If you choose to pay me by electronic bank transfer then I may hold a record of this transfer through my bank. This data is secured by the bank’s data security systems.
6. How long do I keep your information for?
I do not keep your data for longer than is necessary.
Administrative data is retained for up to seven years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for seven years, it is destroyed as soon as possible.
The sensitive personal data defined above is stored, where necessary, until a child’s 25th birthday in compliance with professional guidance and indemnity obligations. If you were over 18 years at the time of your assessment, the data will be kept for 7 years following the completion of the assessment. After this time, this data is deleted at the end of each calendar year. Where this is not necessary, it is destroyed on the conclusion of the work.
Basic contact information held on a mobile phone is deleted within 6 months of the end of our work together.
7. Who do I share your personal information with?
I take your privacy very seriously and your information is kept confidential at all times. I work to strict professional and contractual codes of confidentiality and where possible I will anonymise information so that individual people cannot be identified. I will only use your personal information to provide the services you have requested from me.
Reports to referrers or private health insurance companies: If you were referred to me by a psychiatrist, with your consent, I may write them an assessment and discharge report.
Supervision / consultation: It is a professional requirement that I have supervision. I therefore discuss my work with my supervisor (a registered professional equally bound to keep information confidential). I do not disclose your name to them.
Risk and safeguarding: In certain circumstances, such as where I believed there was significant risk to you (e.g. suicide), to others (e.g. child protection) or where a crime was reported to me, I may have a legal and professional obligation to share information with third parties without seeking your prior permission.
I will not share your personal information with third-parties for marketing purposes.
8. How can you access your information and correct it, if necessary?
I try to be as open as I can be in terms of giving people access to their personal information. Individuals can find out if I hold any personal information by making a ‘subject access request’ or ‘Right of Access’ under the Data Protection Act and the General Data Protection Regulation. I will then supply to you:
A description of all data I hold about you
Inform you how it was obtained (if not supplied by you)
Inform you why, and for what purposes, I am holding it
What categories of personal data are concerned
Inform you who it could be disclosed to
Inform you of the retention periods of the data
Inform you about any automated decision making including profiling
Let you have a copy of the information.
To make a request to me for any personal information I may hold, please put the request in writing. You may ask me to correct or remove information you think is inaccurate. However, I reserve the right to refuse a request to delete a client’s personal information where these are assessment / therapy records. These records are retained until a child’s 25th birthday in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000)[1] and The Health and Care Professions Council (HCPC; 2017)[2].
9. Complaints or queries
I try to meet the highest standards when collecting and using personal information. For this reason, I take any complaints I receive about this very seriously. I encourage people to bring it to my attention if they think that my collection or use of information is unfair, misleading or inappropriate. I would also welcome any suggestions for improving my procedures. If you do have a complaint, contact me at drjosteer@gmail.com so I can investigate the matter on your behalf.
If you are not satisfied with the response from me or believe I am not processing your personal data in accordance with the law, you have the right to raise your complaint with the Information Commissioner’s Office (ICO). I (Dr Jo Steer) am the named Data Controller on my registration with the ICO.
Contact information ICO: Website: https://ico.org.uk/concerns/ Telephone: +44 (0) 303 123 1113
Last reviewed November 2022
[1] The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.
[2] Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.