Sarah Enderby – Therapist
MA (Hons, 1st), D.Min, MBACP
Dip. Psychodynamic Therapy, Level 5 Certificate in Relational Counselling (Relate)
Privacy & Data Protection Policy
- The General Data Protection Regulation (GDPR) is concerned with protecting your personal data. I am registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018 and follow the ethical guidelines of the BACP.
- To help protect your confidentiality and reduce the risk of data breaches, I recommend you share sensitive personal information with me either verbally or via Cliniko, the practice management software platform I use to manage my caseload. I prefer not to share sensitive data by email/text as viruses mean these channels are not always safe.
I collect your…
- Names and contact details; GP; next of kin; counselling history; prescribed medication and medical history relevant to counselling.
- I keep brief notes of our sessions; these outline the main themes of our work together.
I store your information…
- Securely in Google Cloud, who assure me they are GDPR compliant, and also on Cliniko. Cliniko regularly conducts security assessments of its practice management platform by engaging security consultancies. The security assessment of the platform is conducted annually and a Letter of Assessment is available to view and download here.
- I hold and use your personal data under a legitimate interest and in order to provide a professional counselling service. I hold and use my notes of our sessions (“special category data”) as it is necessary for the provision of counselling services.
- At any point you can request that I delete your records, subject to any requirement by my professional body (the BACP) or my insurers to retain certain records for longer. I only wish to hold your information for as long as is necessary, and will otherwise securely delete/destroy your records within 3 years from the end of our sessions together. Any emails, voice and text messages that you send me will be deleted within 1 year of receipt.
I access your data…
- Via my encrypted smartphone/tablet, accessible via password and/or Face ID. All my devices are regularly updated and have the latest anti-virus software installed.
How I process/share your information:
- I have regular supervision for ongoing professional development. I refer to you by your first name, and I may refer to your information verbally when it’s helpful to my professional processes.
- Your name and contact details will be shared with my Therapeutic Executor to ensure you are contacted in the event of me not being able to attend your session through illness or death. They will arrange for your notes to be passed to you or shredded.
- Information about your data rights can be read here: ico.org.uk/your-data-matters
Other agencies…
- Stripe; Cliniko; WhatsApp; Microsoft Teams; Zoom; my accountant
- If you pay me or contact me using any of the above methods, there is a record of your name and account details within those servers. These companies are also required to be GDPR compliant. My accountant is also bound by confidentiality.