Metta Therapy Privacy Policy (UK)
Contact details.
I, Mark Rae, am the Data Controller and Processor of Metta Therapy.
The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (i.e. to provide therapy) and that it is data that you would reasonably expect me to hold and use.
For those who enquire about therapy, the data I hold includes any information you have sent me by email/text/message.
For those who book and attend at least one session, the data I hold includes:
Data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure which are detailed and discussed when we first meet.
The data is primarily used to enable me to provide therapy for you. It may also be used for scientific research and statistical purposes.
Details of where data is held:
Any emails sent between us are held either on my computer’s hard drive or, if archived, in Dropbox, which is secure cloud-based storage that is itself GDPR compliant.
Any texts/WhatsApp Private Messages sent between us (see Social Media and Electronic Information section) are held on my iPhone, which is PIN code and biometric protected.
Your notes are handwritten and are kept in a locked filing cabinet.
A client database is kept with name, address, telephone number and condition(s). This file is password protected and stored on my laptop, which is also password protected. The database allows me to quickly check whether I have seen a client before, even if I am away from my paper filing cabinet, so that I can respond to my clients quickly. It is also used for statistical analysis.
Payment is by Online Bank Transfer and clearly these systems will hold your data.
Your data is kept for 7 years. The length of time is based on the stipulation of my insurer. After this time any paper records are shredded and computer records permanently deleted.
Metta Therapy takes the security of data seriously and as such:
All data is held securely (see details of where data is held above).
Any data transmitted is sent encrypted where possible.
However:
I am not in control of data (including emails and texts) which you send me.
Apps such as Facebook routinely access any information held and this is beyond my control.
If there is any breach of data security, Metta Therapy will give full details to the Information Commissioner’s Office and any person affected within 72 hours of the breach and do everything possible to minimise any potential impact.
You have rights with regards to the data held:
The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this would never include case notes or data such as address/email/phone.
The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.
The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. I would send the data to you.
The right to object to:
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). Metta Therapy does not engage in these things.
Direct marketing.
Processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
Automated decision making and profiling. HMH Therapy does not engage in automated decision making or profiling.
How will my data be processed and stored?
In May 2018, the Data Protection Act was replaced by the General Data Protection Regulation (GDPR). Mark Rae is GDPR registered. The changes to the Data Protection Act are aimed at ensuring your personal, confidential and sometimes sensitive data is held privately and securely. This means that any data you give to Mark Rae must be processed in a way you agree with. GDPR exists to protect your rights as a consumer. It applies to your identifiable data, e.g. your name and address and any reason you might have for visiting Mark Rae. It also covers any session records, text messages or emails between Mark Rae and yourself.
This privacy statement does not apply to third party websites connected by links on our website. We cannot guarantee that these third parties handle your personal data in a reliable or secure manner. We recommend you read the privacy statements of these websites prior to making use of these websites.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
(a) Your consent. You are able to remove your consent at any time. You can do this by contacting mark.rae@mettatherapy.co.uk or by phone on 0784 680 5317.
(b) We have a legal obligation.
How we store your personal information
Your information is securely stored with appropriate security measures to limit abuse of and unauthorised access to personal data. This ensures that only the necessary persons have access to your data, that access to the data is protected, and that our security measures are regularly reviewed.
• Paper session notes – Mark Rae stores all paperwork in locked filing cabinets
• Text messages – Mark Rae’s work phone is secured by pin and biometric security
• Emails – Mark Rae’s email account requires a unique username and password/biometric security to access emails
How long will we hold your information for?
Mark Rae is a member of the CNHC. As such they are bound by their regulations regarding the length of time they must hold onto your information. The CNHC insists that Mark Rae must hold onto your data for 8 years after your final session. However, the rule for children is different and the CNHC stipulates that their data must be held until their 25th birthday. The exception to this rule applies to young adults whose treatment ends when they are 17 years old when Mark Rae must keep their records until they reach their 26th birthday. Client records will be destroyed in the January after the dates given above. This is in line with NHS regulations for holding data.
What if I would like my data to be destroyed before this date?
Under the GDPR rules, you are able to request the deletion of any of your records at any time. Simply write to Mark Rae requesting that your records are destroyed and once they have confirmed your identity, they will do so. There is no charge for this service.
Mark Rae will then ensure that all your paper records are shredded with a cross-shredding machine. Any electronic data held by Mark Rae, such as emails or texts, will be permanently deleted from the devices they are stored on.
NB. Mark Rae may need to save the written deletion request you sent them, if their insurance company insists on it, but would destroy any other data.
Am I able to see or get a copy of the information held by you?
In line with GDPR, if you send Mark Rae a request in writing, specifying the data you wish to see, they will supply you with a copy of your data within 30 days. Mark Rae will need to confirm your identity before sending you the information. There will be no charge for this service.
NB. Mark Rae’s insurance company’s legal team may wish to verify any information Mark Rae sends out.
What are your reasons for collecting this information?
Mark Rae is keen to offer the highest quality support to his clients and in order to do so will collect the following information:
This information allows Mark Rae to provide continuity within the sessions, in order to help you towards your goal. This information will allow Mark Rae to refer to the content of earlier sessions and previous discussions. Mark Rae will only use your contact details/address and GP’s details with your explicit consent. See client agreement and initial consultation.
Are our discussions within Metta Therapy sessions confidential?
Everything you discuss with Mark Rae during your sessions remains strictly confidential. Occasionally it may be necessary for Mark Rae to discuss elements of your sessions with their supervisor to ensure that they are helping you in the most effective way. However, no identifying features about you will be disclosed during these discussions. Mark Rae’s supervisor is also registered with the ICO and abides by GDPR requirements.
What if I see Mark Rae outside of a Metta Therapy session?
Mark Rae is obliged by GDPR to always protect your confidentiality. For this reason, I will follow the client’s lead in terms of any acknowledgement or no acknowledgement if there is an unexpected meeting outside of a Metta Therapy session. If you wish to discuss your Metta Therapy session(s) with other people, that is your choice, and you are welcome to do so.
Will Mark Rae discuss information about me with other health and social care professionals?
Mark Rae is only able to contact other health and social care professionals with your written consent. Should they write to your GP, to notify them that you have entered into a therapeutic relationship with them, or to notify them that your therapy has been successfully concluded, Mark Rae would require your signature, in line with GDPR requirements.
Mark Rae does have a ‘duty of care’ towards their clients, so the only exceptions to this would be if they believed that you were about to harm yourself or others. Should this occur then Mark Rae would be required to inform the relevant authorities. However, Mark Rae would always aim to discuss this with you before taking any action. Legally, Mark Rae would also have to provide the police with information as set out in a warrant or court order, should the situation arise.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at:
Address: Metta Therapy, Irving Church Manse, Dorrator Road, Falkirk, FK1 4BN.
Phone Number: 0784 680 5317
E-mail: mark@mettatherapy.co.uk
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: www.ico.org.uk