Privacy Policy
This privacy policy explains the personal data that I collect, store and process, and for what purposes. Your privacy is very important to me and you can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to me. I adhere to the General Data Protection Regulation (GDPR). As a Chartered Psychologist I also adhere to the ethical guidelines regarding protecting client privacy and confidentiality set by the British Psychological Society (BPS).
· Contact details
· What information I collect, use, and why
· Lawful bases and data protection rights
· Where I get personal information from
· How I store your personal information
· How long I keep information
· Who I share information with
· How to complain
Contact details
Telephone: 07886 256804
Email: anna@annajoyce.co.uk
What information I collect, use, and why
I collect or use the following information to provide services to you:
· Name, address and contact details
· Gender
· Pronoun preferences
· Date of birth
· Health information (including lifestyle, medical, mental health, and sleep history)
· Information about care needs (including disabilities, home conditions, medication and general care provisions)
· Test results - If relevant, and with your permission, I may collect information about you from third parties, for example sleep study or blood test results from your GP or other practitioner
· Payment details (including card or bank information for transfers)
· Records of meetings and decisions (including sleep diaries and brief notes of our therapy sessions)
Lawful bases and data protection rights
Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis I rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
Your right of access - You have the right to ask me for copies of your personal information. You can request other information such as details about where I get personal information from and who I share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
Your right to rectification - You have the right to ask me to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
Your right to erasure - You have the right to ask me to delete your personal information. You can read more about this right here.
Your right to restriction of processing - You have the right to ask me to limit how I can use your personal information. You can read more about this right here.
Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
Your right to data portability - You have the right to ask that I transfer the personal information you gave me to another organisation, or to you. You can read more about this right here.
Your right to withdraw consent – When I use consent as my lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.
If you make a request, I must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact me using the contact details at the top of this privacy notice.
My lawful bases for the collection and use of your data
My lawful bases for collecting or using personal information to provide services are:
Consent – I have permission from you after I gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – I have to collect or use the information so I can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interest – I have the following legitimate interests for collecting a using your personal information.
- I will collect your name and contact details in order to liaise with you for enquiries and appointments, and to provide a contract between you and me for use of my services.
- Your bank details will be visible to me when you make payment. You will be asked to confirm your bank details in the event that I should need to make a refund.
- Information on your health and care is needed to provide and maintain a personalised service to you.
- I keep copies of your sleep diaries and brief notes of our therapy sessions for the purpose of assisting our work together. The notes help me to keep track of your sleep and the issues that we are working on, and they are for my use only. The notes do not include any personal details that could be used to identify you.
Where I get personal information from
The majority of personal information will be collected directly from you. In some cases, and only with your permission, I may collect information about you and your sleep from family members, carers, or other health and care providers, for example sleep study or blood test results from your GP or other practitioner.
How I store your personal information
I take the security of your data very seriously. I store all records digitally. My email account is password protected and mobile phones and laptops used to communicate with you are password- and biometrics-protected and have anti-virus software. To avoid data loss all my files are backed up to a GDPR-compliant cloud service.
Your therapy notes do not include any personal details that could be used to identify you and are referred to with a client reference code. The file linking your client reference code with your personally identifiable information is individually password-protected.
How long I keep information
Any email correspondence will be deleted within 12 months if it is not necessary to keep it.
If an enquiry is made and you decide not to proceed with CBT-I, I will ensure that any data your shared is deleted within 12 months. If you would like me to delete this information sooner please let me know.
If you do proceed with CBT-I then your contract and therapy notes will be retained after therapy has ended to ensure that I can continue to offer you an efficient service if you make contact for follow-up appointments. Your therapy notes do not include any personal details that could be used to identify you and will be stored for seven years after therapy has ended. Your contract will be stored separately from your therapy notes. This time frame adheres with current industry guidelines.
Your personal details will be kept for 12 months after therapy ends; after which I will only keep a record of your name, date of birth and your client reference code for seven years after therapy ends. Your client reference code corresponds with a client reference code on your therapy notes and therefore enables me to identify your therapy notes if necessary.
Seven years after therapy has ended, all personal information, contracts, and therapy notes will be deleted.
Who I share information with
Rest assured that what is said in our sessions will be kept confidential. I am a Chartered Member of the British Psychological Society (BPS) and I abide by their professional code of practice. I may discuss my work with professional colleagues, without using any identifying information, to uphold high professional standards and share good practice.
I am subject to a common law duty of confidentiality, which prevents the disclosure of personal information without legal justification or authority. However, there are circumstances where I will share relevant information. These are where:
you’ve provided me with your consent, for example, for referrals or communication with your GP and other health and care professionals;
I have a legal requirement (including court orders) to collect, share or use the data;
on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
in order to maintain high professional standards through peer discussion and the sharing of good practice, I may discuss your case in supervision with professional colleagues. No identifying information will be used in these discussions.
if in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or
if in Scotland – I have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.
How to complain
If you have any concerns about my use of your personal data, you can make a complaint to me using the contact details at the top of this privacy notice.
If you remain unhappy with how I have used your data after raising a complaint with me, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Last updated
17 October 2024