Why do Psychology Sussex store clients’ data?
For both practical and clinical reasons, we store both contact details and relevant clinical information that is gained from you over the phone, by email or in sessions. We will need to contact you and so will have to keep your contact details (e.g. telephone number(s), address, email address) and the contact details of someone you nominate to contact, should there be an emergency. These are kept, in hard copy format, in locked files and, in digital format, on an encrypted, password protected computer.
We are obliged by our practitioners’ respective governing bodies to store notes from the sessions that you attend (as well as clinically relevant information given by you over the phone or in emails). You will be asked to make a signed declaration at your first appointment stating that you are aware Psychology Sussex will store confidential information pertaining to you and that you give your consent for this to happen. This will then act as our lawful basis for processing your personal data.
It is vital that we process your data in order to maintain good practice and provide the highest standard of care. Also, should you return after some time has elapsed since your last appointment then your practitioner will need to go over your notes to ensure continuity of care – much like when you go to see your GP. Notes from your sessions are kept in hard copy format and are stored in locked drawers. Any typed reports with confidential, sensitive information will be stored on an encrypted, password protected computer and any documentation sent by email is password protected.
How long is data stored for?
Psychology Sussex retains session notes and any other relevant clinical information for no more than 7 years after your last appointment. All hard copies of notes/reports will be stored in locked files and digital information will be stored on an encrypted, password protected computer. After this time, hard copy information will be shredded and disposed of appropriately and digital information will be deleted.
The preceding legislation to GDPR, the Data Protection Act, specified that healthcare practitioners were legally required to store medical records for 7 years from the last appointment. Though the GDPR does not specify a period for the retention of medical records, it does encourage a limit to be set with a rationale for that limit. Psychology Sussex’s rationale for choosing a period of 7 years is that this is in line with the legislation preceding GDPR and that this length of time provides an ample period from the date of your last appointment or contact. We retain these records in the best interests of both clients and practitioners.
Will Psychology Sussex share clients’ data?
We will only share any reports or sensitive information concerning you with your consent. Any digital documents shared will be password protected and the recipients will be required to telephone the office for the password. After reviewing our privacy policies this was deemed to be an appropriate level of security to comply with the GDPR.
There are only three circumstances in which we are required to break confidentiality and potentially share confidential information without your consent:
- If we are concerned about the possibility of a serious risk to yourself;
- If we are concerned about the possibility of a serious risk to others;
- When we are legally obliged to do so.
Any hard copies of notes or reports are stored within locked filing cabinets in an office which is locked when staff are not present. Psychology Sussex uses the Microsoft OneDrive for Business cloud. All software and antivirus protection mechanisms are regularly maintained and updated. All electronic information is stored on an encrypted, password protected computer.
In the event of a data breach, both the Information Commissioner’s Office (ICO) and all clients will be notified and the breach will be investigated within 72 hours.
What are your rights?
Under the GDPR you have several legal rights concerning your data. You have the right to:
- Access any data we store concerning you;
- Have any inaccuracies in the data we store concerning you corrected;
- Have information deleted. [Please note that this only applies to your contact details. There are some exemptions to your ‘right of erasure’, one of those being the retention of medical records. We therefore keep medical records for no more than 7 years after the date of your last appointment – see ‘How long is data stored for?’ above for further information.];
- Have your information moved to another practice or ‘data controller’;
- Prevent marketing;
- Prevent automated decision-making and profiling;
- Complain to the ICO;
- Be informed of data breaches without delay i.e. within 72 hours.
Should you wish to request any information we store pertaining to you then you will need to make a signed request in writing. You will not be charged for making a ‘subject access’ request and the information will be made available to you within one month of receiving your signed request.