CHPA Privacy Notice Covering Your Data Protection

Why do we need to process information about you?
In providing you with our services, CHPA will need to handle your personal
information. Personal information is details about you from which you
can be identified, such as your name and contact details. Depending on what services
you receive from us, we may process additional sensitive data such as information
about your health. This information is essential to inform, facilitate and provide
assessment and therapeutic services which are appropriate to your individual needs.
Under the requirements of the Health Care Professions Council (HCPC) and British
Psychological Society (BPS), CHPA are obliged, according to the legitimate interests of provision of our services, to keep documentation of your personal data to allow us to provide assessment and therapy services to you.
What information will you hold?
Information about you will be held in the form of written notes, emails, questionnaires, and letters, in addition to our practice management software system and invoices. This information could be collected at any point during your contact with us and/or during your receipt of services from us.
Your information will be collected, managed and stored solely for the purposes of us
providing you with psychological services or training.
How do we use the information that we collect?
We use the information we collect:
• To communicate with you so that we can inform you about your appointments
with us, we use your name, your contact details such as your telephone number, email address or postal address;
• To deliver the correct service to you, we use your name, your contact details
and the details about your purchases;
• To create your invoice using our accounting package, we use your name and may use your email address;
• To process your payment, we use your name and your payment card details;
• To register any product you purchase from us, so that it is covered under
guarantee, we use your name, telephone number, email and postal address;
• To optimise our website so that users can find the information they need.

Where do we keep the information?
We keep your information in the stores described below. Please note that we do not
store your payment card details in any of our systems; these are passed straight
through to our payment provider.

On our company computers
We use personal computers that are located on our business premises. The
computers are password protected and the hard drives are encrypted. Passwords are
changed regularly and are not shared beyond those who need access to a given
computer. Where cloud services are used, these meet GDPR requirements and all data is securely encrypted when stored there.
Your client record
We use WriteUpp Practice Management Software which is a computer program that
stores the information on a computer in our office. We also record some aspects of
our interaction with you in Microsoft Excel Spreadsheets on a computer in our office.
In our practice management / accounts package
We use WriteUpp Practice Management Software and MS Excel to manage your
account. The company that provides WriteUpp software has stated that they are
compliant with GDPR. We occasionally need to transfer our accounts Excel
Spreadsheet to our (UK-based) accountant. This is done using encrypted transfer and
our accountant has stated that his company’s processes are GDPR compliant.
As a paper copy
We take handwritten notes when we meet you. These notes may be used to create a
report on the services that we provide to you, addressed to you or to an approved third party (i.e. your insurer). Mostly, however, our written notes serve simply as an aide-mémoire for your therapist to ensure continuity of treatment over time.
We keep a paper copy of your notes and any invoices in locked filing cabinets in our
offices. We send paper copies of invoices to our accountant to enable him to process
our accounts each year.
How long will you store my information for?
We will hold information about you for as long as you receive services from us and for
seven (7) years following the date of our last contact with you. If our identified client is a minor, we will hold information about the services that we have provided to them for seven years past the age of majority.
Paper-based information will be electronically scanned and stored shortly after the
point your case file is closed to the service (usually defined as your last appointment).
Once scanned, paper-based information will be shredded and disposed of in
confidential waste. Electronically held files will be securely deleted after seven
years (or if a minor, when they reach the age of majority plus seven years).
You also have the right to ask for the information we hold on you to be erased prior
to this time by contacting our Data Protection Officer, Mr J Hill at our main office address, or via email to jhill@chpsych.co.uk.
However, if you want to have your data removed, we do have to determine if we need
to keep the data, for example if there is an on-going legal matter related to your case
or if your request falls within the timeframe for which our governing practice body
requires that we hold data (around seven years). In this instance, we may not
be able to erase your data before that time has passed or any court action is ended.
How can I access the information you hold?
You can ask to access the information we hold by writing to our Data Protection
Officer, Mr J Hill, at our main office address, or via email to
jhill@chpsych.co.uk, to make a Subject Access Request (SAR). You can
also ask for your information to be transferred to another provider of psychological
services. We will respond to your request within 30 days.
Verification of the identity of anyone making such a request will be required before
information can be shared.
What if I believe the information you hold about me is incorrect?
Whilst you are receiving services from CHPA, we will aim to keep the information we hold about you up-to-date. We would encourage you to tell us as soon as possible if your personal data changes so that we can update our records.
You can also let us know if you believe the information we hold about you is inaccurate, needs amending or updating, by contacting our Data Protection Officer, Mr J Hill. We will aim to update your information within 72 hours.
How can I have my information removed?
If you want to have your data removed we have to determine if we need to keep the
data, for example in case HMRC wish to inspect our records or if in doing so we would
breach our professional organisations' data retention requirements (see above). If we
decide that we should delete the data, we will do so without undue delay.
Protecting your Information
CHPA is committed to keeping the information we hold about you secure. To protect your personal data, we follow the guidelines and recommendations of our professional bodies (The British Psychological Society and The Health Care Professions Council) and regulatory bodies such as the Information Commissioner's Office. More detailed information can be found in our Data Protection Policy, which complies with the requirements detailed in the Data Protection Act (1998) and the General Data Protection Regulations (2018). This document is available on request.
We have physical, electronic, and operational procedures in place to protect your data. In the unlikely event of our security processes being compromised leading to a
significant breach of your information, we will endeavour to inform you within 72 hours.
Confidentiality:
The confidentiality of your personal information is very important to CHPA. All our services are confidential, and we will not share your information unless we judge that there is a serious risk of harm to yourself or others, or with your written consent, or when we are legally obliged to do so. Confidential information is restricted only to those who have a reasonable need to access it.
Who can I contact if I have concerns about my data management?
Should you have any concerns about the management of your data by CHPA, please contact our Data Protection Officer, Mr J Hill, in the first instance. If we are unable to resolve your concerns, you have a right to complain to the Information Commissioner’s Office: https://ico.org.uk/for-the-public/raisingconcerns/

Policy prepared by: JH
Approved by management on: August 19th 2018
Policy operational on: August 19th 2018
Policy review date: August 19th 2020