On 25 May 2018 the law changed with regard to how organisations have to protect your ‘data’ (personal details and records). The new law is called the General Data Protection Regulation, or GDPR. The following summary highlights how GDPR is being implemented, by explaining why confidential information is held and how it is protected. Further information about GDPR can be found at https://ico.org.uk.
The registered data controller for the service is Dr Helen Galloway.
The purpose of collecting and processing your data is to provide you with a service (psychiatric/psychological care). It is assumed that by engaging with the service you are consenting to records being kept. Keeping records is an essential component of healthcare, which aids in understanding how best to help and forms the basis of any reports needed. The lawful basis under which your data is processed is legitimate interest. The data collected may be described as ‘special category data’ and this is processed under the conditions highlighted by GDPR Article 9(2)(h).
Your confidentiality is maintained at all times (i.e. your information is not shared), unless you have explicitly consented, or there are exceptional circumstances such as risk to yourself or others. In these circumstances, other services such as your GP or police may be contacted without your consent as this is a recognised professional obligation.
Consultation notes and questionnaires will be held for varying lengths of time depending on the content (and then carefully disposed of). Some records may be held indefinitely, e.g. if there were any issues of concern that could lead to police investigation in the future. Your records will be kept for 7 years after the conclusion of our contact, in line with British Psychological Society guidance.
All information recorded on paper will be securely stored in a locked filing cabinet. Confidential digital information will be stored in a secure cloud service offering high levels of security. Confidential information sent by the psychologist via the internet will be securely sent through Protonmail with end-to-end encryption. Letters sent to professionals such as GPs, by surface mail, will be clearly marked Confidential. All electronic devices (e.g. computer, laptop and phone) used to access stored information will themselves be password protected.
Right of access: a ‘subject access request’ (SAR) can be made for copies of records. There may be an admin charge, and the copies will be provided within 1 calendar month of the request being made.
If you have any questions about this policy, please discuss them with Dr Galloway at The St Andrews Practice.