General Data Protection Regulation (GDPR) Privacy Statement
Due to the nature of our work, as a sole practitioner offering intimacy coaching and sexological bodywork, I collect, store and use both personal and sensitive personal information about you. By signing the privacy statement on the unearthing form you are consenting to me doing this. You can withdraw consent at any time, but this would stop me from maintaining a therapeutic relationship with you.
The Data Controller is: Emerald May.
Contactable via email: firstname.lastname@example.org
In line with 2018 GDPR (General Data Protection Regulation) I’m outlining some information below as a data protection statement.
What Personal Data is collected about me? Name, phone number, email, emergency contact.
What ‘sensitive data’ has been collected about me? Racial and ethnic origin, religious beliefs, physical & mental health details (as given by you), details of your sexual life, your gender and sexuality. You will choose whether to disclose this information to me or not. Other data includes information gathered in history-taking sessions, and summary content of sessions as well as ‘homework’ tasks. Notes will only have practical and informational material unless there are risks that may need noting.
Why do I collect data and how will I use it?
Lawful basis for processing your information
The lawful basis for my holding and using your information is in relation to delivery of a contract to you as a health-care professional. As a Student Member of Association of Certified Sexological Bodyworkers and Integrative Breathwork I operate under a strict code of ethics and confidentiality. My ethics and personal boundaries statement will be emailed to you as part of your welcome package.
I use history-taking information and client notes, mostly typed and sometimes handwritten, to help me guide the nature of the work, and to remind me of key information between weeks and over the length of our therapeutic relationship.
I will use your contact details (phone and email) for purposes of communication regarding administration of appointments, and occasionally to respond to your requests for further information in-between weeks.
N.B. My handwritten notes are not psychological assessments, analysis or reports and are kept in shorthand.
Sharing of your data.
I anonymously disclose information about client work in my supervision processes on an ongoing basis. I may sometimes disclose / request support from other practitioners who you are connected to (such as a physio/doctor or other therapist), but will ask you for written consent prior to doing so. As mentioned in the unearthing agreement, I reserve the right to break confidentiality, if I am concerned you may cause harm to yourself or others. I would always try to discuss this with you beforehand. Access to my electronic devices (by which I email and call) may also be given to people who technically assist me in the future.
I have appointed a trusted colleague in case of serious illness or death. They would access your contact details to contact you to let you know if I was unable to continue working with you, and help signpost to other practitioners if needs be. They would respectfully close my practice, including disposal of client notes and data.
If you attend sessions with another person, then the notes remain confidential material of the client relationship (both people) and one person cannot request access for a third party.
Storage and destruction of data.
Any client notes I make will not identify you. They are coded using a separate spreadsheet and are kept in a password protected file on my laptop. If I handwrite notes, they are stored separately to contractual/contact details to enhance security, within a locked cabinet, within a secure building.
I will hold your details and any brief notes for a period of 7 years following the end of our work together, to comply with any obligation placed upon me by my insurers and my accrediting organisation. Your notes will then be shredded.
Whilst an active client, I store your mobile number on a mobile phone, under your first name and initial of surname. No other details are linked to this, and it is removed on conclusion of our work.
Within 12 weeks of finishing client work, I will delete client emails from all inboxes. Both email account and phone are password protected.
As you may be aware the nature of email is never 100% secure. My email is currently not encrypted, so please limit the content of your emails to what you feel comfortable with, in case of an external data breach. I encourage all clients to use a notebook to write down any details from sessions. I would ask for a limit in text contact, if at all, to functional messages around attendance. SMS messaging is not encrypted, and therefore not secure, and open to a data breach. NOTE: SIGNAL is recommended as it offers free encrypted calls & messaging. Occasionally I access emails on a mobile device as well as a laptop. Both devices are password protected. The mobile device is more susceptible to theft and loss, but I take every precaution to make sure this is not the case.
What to do if you would like to access your data or have it destroyed before 7 years have elapsed?
You have rights relating to the information I hold to verify the accuracy. You have the right to request a copy of any information I hold about you. If you would like a copy of some or all of the personal information, please email me, as the Data Controller, at email@example.com. I will need to ensure that it is you, and not a third party. Information will be provided to you within 30 days. Emails are usually within your own possession. Notes would be transcribed.
If you want to have your data deleted before the 7 years has elapsed, you need to email me, as above. I would need to keep a suppression list to evidence I had complied with the request, and a decision to destroy data would take into account a clinical decision. Information about third parties (or where a second person has been part of the therapeutic process) also cannot be destroyed without their express consent.
What happens if there is a data breach?
If a breach is likely to result in a high risk of adversely affecting an individual's rights and freedoms, I would notify the ICO within 72 hours and inform those individuals without undue delay.
Cookies are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. Like many other websites, my website, currently hosted by wix.com, does this. This helps us to improve our website and deliver a better, more personalised service to members and the public. I occasionally access the following information – country of origin, clicks made on website, posts and pages looked at and search engine term used to get to the website.
It is possible to switch off cookies by setting your browser preferences. You can remove cookies stored in your computer via your browser settings. Alternatively, you can control some 3rd party cookies by using a privacy enhancement platform such as: optout.aboutads.info and youronlinechoices.com.
Links to other websites
My website contains links to other websites of interest and of schools I have trained with. However, once you have used these links to leave my site, you should note that I do not have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
This GDPR statement was written with attribution to Clare Staunton