Last Updated 07 Sep 2022
My practice is committed to protecting the rights and freedoms of data subjects (natural persons) and to the safe and secure processing of their data, in accordance with UK Data Protection Legislation. UK Data Protection Legislation means the Data Protection Act 2018 (DPA 2018), read together with the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and any legislation implemented in connection with the General Data Protection Regulation. This includes any replacement legislation coming into effect from time to time.
To provide psychological services I hold Personal Data about my clients and other individuals related to them (e.g. next of kin, GP). The use of personal data is governed by UK Data Protection Legislation. I take data protection very seriously and understand the impact that data breaches and misuse of data may have on data subjects as well as on my practice. Compliance with this policy is necessary for me to maintain the confidence and trust of those whose personal data I handle.
The aim of this policy statement is to give you a basic understanding of the data protection laws, my responsibilities in respect of data protection practice, your rights and obligations, and to explain why privacy is so important to me. It applies to all actions I take which involve the processing of and working with personal data.
I act as Data Protection Representative.
1.4.1. Data protection legislation is not intended to prevent processing of personal data but to ensure it is done fairly and lawfully and in a way which does not adversely affect an individual.
1.4.2. I will process personal data in accordance with the data protection laws. Processing includes obtaining, recording, holding, reading, using or destroying personal data.
1.4.3. The UK GDPR regulates the processing of personal data. Personal data is information relating to an identified or identifiable natural person. An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or location data, or by reference to factors specific to the physical, genetic, biometric, mental, economic or social identity of that person. Data about businesses/organisations is not covered by the UK GDPR, but data about their directors, partners, employees, customers and suppliers is.
1.4.4. I will process personal data in accordance with the UK GDPR and good data protection practice and will only use personal data for the purposes it was intended for. I will keep a processing record of all processing of personal data I perform. I will make sure my privacy notices are up to date and reflect the processing activities I undertake.
1.4.5. I will store personal data in a safe and secure manner and only I will have access to it. I will keep personal data only as long as is necessary for the purposes it was collected for. Once personal data is no longer required, I will take reasonable steps to delete, destroy or erase it.
1.4.6. I will keep personal data up to date. Where a data subject reports an inaccuracy in the personal data I hold, I will correct it (unless the data I hold is in fact correct) and will inform any recipients of that personal data of the amendments.
1.4.7. I will avoid collecting special categories of personal data or criminal offence data unless absolutely necessary. If I do collect it, I will ensure it is kept safe and secure.
1.5.1. I will process personal data securely by maintaining the confidentiality, integrity and availability of the personal data I hold. I will ensure the level of security I use is appropriate to the risks arising out of the processing.
1.5.2. I will keep data secure in order to reduce, as far as reasonably possible, the risks involved in processing personal data.
1.5.3. I will ensure that if electronic equipment containing personal data is taken out of the office environment, the device is protected by appropriate security measures (for example, device encryption and access controls) to keep the personal data safe and secure.
1.5.4. I have put in place physical security measures to protect personal data.
1.6.1. Individuals are entitled to make a request to me for a copy of the personal data that I hold about them. Requests should describe the information sought. Where I receive requests for personal data I will answer the request without undue delay and normally within one calendar month of receipt.
1.6.2. All requests for personal data, whether subject access requests from individuals or requests from agencies such as the police, NHS or social services, will be considered properly.
1.7.1. Data subjects have a number of rights, including the right to erasure, the right to data portability, the right to object to certain processing, the right to restrict processing in certain circumstances and the right not to be subject to automated decision-making in certain circumstances. Where a data subject asks that the processing of their personal data be restricted, I will consider the request in accordance with the legislation.
1.7.2. I am committed to ensuring data subject rights are upheld and I will work hard to make sure these rights can be exercised.
I will not send personal data to a third party or another organisation unless the data subject has given me their authority to do so or I am otherwise required by law. I will take care to consider whether the data subject has given authority for their data to be passed to another organisation before I transmit the data. Where data is being sent to an organisation, I will make sure they have adequate data protection standards and processes.
Personal data will be retained by me for as long as I need to process it or for as long as the law requires me to keep it. When I no longer need data I will delete or destroy it in accordance with good data protection practice. Unless specifically outlined in the Data Retention Policy, I will retain most data for 7 calendar years from the date it was provided or last updated.
A data breach is a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of a data breach, I will log the breach, deal with it, resolve any issues arising out of it and, where the legislation requires it, notify the Information Commissioner's Office and the affected data subjects.
Some of my suppliers run their operations outside of the UK. Although they may not be subject to the same data protection laws as companies based in the UK, I will ensure any such transfer is carried out in accordance with the requirements of the UK GDPR, so that the level of protection guaranteed to data subjects by the UK GDPR is not undermined by the transfer.
On 28 June 2021, the EU adopted adequacy decisions for the UK under the EU GDPR and the Law Enforcement Directive (LED). This means personal data can continue to flow from the EU to the UK as it did before, in the majority of circumstances.
Both decisions are expected to last until 27 June 2025. I shall continue to ensure that any transfer of personal data overseas is carried out in accordance with all applicable data protection legislation in place at the time.
I reserve the right to change this policy at any time where it is appropriate for me to do so.
Date: 07 Sep 2022
Review: September 2023