Who we are
Our website address is: www.driftwoodtherapeuticservices.co.uk
Yvonne Dark MA, MBACP, MBPsS, PG Cert, BSc Hons is a counsellor and psychotherapist trading as a sole trader under the business name of Driftwood Therapeutic Services.
Yvonne Dark is registered and accredited by the British Association of Counselling and Psychotherapy.
Your privacy is paramount at Driftwood Therapeutic Services and I want you to be confident that any personal information will be safeguarded and kept secure and will only be used for the purpose of providing you with a service, with your consent. I adhere to current data protection legislation, including GDPR, the Data Protection Act and ICO Framework, and I am registered with the ICO (Information Commissioners Office) to demonstrate my commitment to safeguarding your privacy, my registration number is ZA853426.
This privacy notice explains what I will do with your personal information from your initial enquiry, during therapy and afterwards. I am always happy to discuss any questions or concerns you may have about data protection and you can contact me if you wish to do so.
I am the Data Controller at Driftwood and what this means is that I am the person that collects, stores and has responsibility for people’s personal data who are involved with this service.
The General Data Protection Regulation (GDPR) states that I must have a lawful basis for processing your personal data. The lawful basis on which I will process your data depends on which stage of involvement you are at.
If you are a current client accessing therapy or you are in contact as you are considering therapy, I will process your personal data only where it is necessary within the responsibilities of the contract.
Once therapy has ended, my lawful basis for holding and using your personal data comes under Article 6 (1) (f) Legitimate interest where “ processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
GDPR regulations also make sure that I safeguard any sensitive personal information that you may disclose to me, in an appropriate manner. Sensitive personal information is termed ‘special category personal information’. The lawful basis for processing any special categories of personal information is for provision of health treatment (in this instance it would be counselling) and necessary for a contract with a health professional.
How will I use your information?
When you initially enquire about a service
While you are receiving a service
Everything you discuss within our sessions is confidential. However there are limits to that confidentiality. Confidentiality will be broken if you disclose your involvement with the following; money laundering, drug trafficking, terrorism related activity or most importantly if I think you are at an extreme risk of harm to yourself or to someone else. Unless there are safeguarding issues that prevent me from doing so, I will always try to speak to you about this before I break confidentiality.
I do keep a record of your personal details the lawful basis for this is in relation to communication and will be processed for the specific purposes detailed in the contract. These details are kept securely on a password protected data stick which is locked away. I do keep written notes of each session, the purpose of these are two-fold;
- They help me to provide a quality service to you as my client.
- Due to a requirement of my Professional Indemnity Insurance these records are kept on a password protected hard drive and anonymised for extra security.
I do not retain any text messages for more than 28 days. However if there is any relevant information sent to me in a text message I will record it in a separate document alongside your client notes, again on a password protected hard drive. Similarly, any email correspondence will also be deleted after 28 days, again if an email contains relevant information to your therapy I will save it alongside your client notes in a separate document on the password protected hard drive.
Subject Access Request
A subject access request permits individuals to request a copy of their personal information. Should you wish access to your information you need to request this in writing. I will then respond to you formally in writing and; give you a description of the data, inform you as to why we are holding it, inform you who it could be disclosed to and let you have an intelligible copy of the information held. If any information is noted by you to be incorrect you can request a correction be made. If you wish for another provider to be given a copy of your information this request must also be made in writing. If I have a legal basis to continue to retain this information I will inform you and your application for an SAR will be held alongside your client notes unless the application was made after 8 years following the completion of service in which case it will be held for a further two years after the closure of the SAR.
After our work has ended
Once our work has ended if you are an adult your records will be retained for five years from the end of our contract with each other and are then securely destroyed. If you are a child then your records will be retained for five years following your 18th Birthday and then securely destroyed.
Everyone has what is called a “Right to Erasure” or the “Right to be Forgotten”. Therefore should you wish for me to delete your information sooner than this, you would need to contact me in writing and there is a procedure that would have to be followed, in conjunction with my insurance company and my ethical body. So in some instances I may be required lawfully to hold your files until the end of the stated retention period and I will notify you of this at my earliest opportunity. However if the request is granted then I would securely destroy your data and provide you with a confirmation of completion, I would then securely hold the request of deletion and the confirmation of completion on file for a period of 8 years after the request was made.
Third party recipients of personal data
It is unlikely that I will ever have to share your data. I will not sell it on or use it for unethical reasons or for reasons outside of the contract. However, I may have to share it if my notes are subpoenaed by a court of law. If either you, or anyone you tell me about, is at an extreme risk of harm to self or others, I may then have to pass this information on. I may also inform the relevant authorities if you disclose any information regarding terrorism, drug trafficking, safeguarding issues or money laundering to me.
When you make a payment to me electronically, please be aware that your payment will appear on my bank records. You also need to be aware that these records may then be seen by a third party such as an accountant or by HMRC. These third parties however, will be bound by confidentiality, therefore if you would prefer a more anonymous way of paying, please discuss with me at our first assessment session.
For any questions you may have regarding your rights in terms of your personal information, I would recommend you read further at ico.org.uk/your-data-matters.
If you have any complaint about how I handle your personal data please do not hesitate to get in touch with me either in writing or email. At Driftwood Therapeutic Services I hope to meet a high standard when processing your data. I feel complaints are valuable in identifying areas for improvement. Therefore, I would welcome any suggestions for improving my data protection procedures or to hearing any concerns you may have. However if you are not satisfied with my response and want to make a formal complaint about the way I have processed your personal information you can contact the ICO which is the statutory body that oversees data protection law in the UK. For more information go to ico.org.uk/make-a-complaint.
All personal and sensitive data held by Driftwood Therapeutic Services is held securely, electronic data is stored on a password protected computer or on an password protected data stick which is then locked in secure storage. In case of a data breach we will comply with the regulations set out under Article 33 of the GDPR you can find more information about this here.
In the event of my death or sudden illness, my colleague Katherine Baxter will contact existing clients and archive any client files in accordance with GDPR regulations. This may mean having existing electronic documents wiped or destroyed by a GDPR compliant technician.
Yvonne Dark – Data Controller – Driftwood Therapeutic Services