For the purposes of General Data Processing Regulations (GDPR), Eleanor McMillan is the Data Controller of the personal information you provide, unless otherwise stated.
This privacy statement is reviewed regularly and updated as necessary. Where we have established a contract for counselling and psychotherapy services, I will inform you when changes mean a significant difference to how I process your data. Changes will be published on my website at: https://eleanormcmillan.co.uk/privacy-policy/.
Last update: 29th September 2021
1. What type of information I have
I currently collect and process the following information:
- Your name and contact information, including email address, telephone number, home address
- Your date of birth
- Emergency contact information, including name and telephone number
- GP name and contact details
- Relevant medical, mental health and wellbeing information
- Client notes, which may include attendance dates and times, summary and themes from the session, agreements we’ve made and other clinically relevant material, such as risk assessment and plan where relevant to our work.
- Correspondence between us
- Appointment schedule
- A record of financial transactions, invoices and receipts
- Copies of signed contracts and agreements
2. Purpose and lawful basis
I hold and process your data in order to provide an efficient, professional and safe counselling and psychotherapy service.
The lawful basis I generally rely on for processing your personal information is the fulfilment of a contract to provide counselling and psychotherapy services. In specific circumstances, I also rely on the lawful bases of: your consent, legal obligation, vital interests and legitimate interest.
I hold and process special category data, which includes health data and may also include information relating to : religion, trade union membership, political opinions, race or ethnicity, sex life, sexual orientation where these relate to the therapeutic work.
The condition I generally rely on to process special category data is health and social care. In specific circumstances I also rely on conditions of explicit consent, vital interests, substantial public interest and legal obligation.
Where I rely on your consent as the lawful basis or condition for processing, you are able to remove your consent at any time by contacting me using the details provided on my contact page.
3. How I get the information
Most of the information I processes is provided directly by you in the following ways:
- An enquiry by email, text, telephone or through my website.
- Contact through an online directory or listing on a third party website.
- Communication by text, telephone or email, either initiated by you or where I request information.
- Information you provide in documents and forms.
- Where my website collects personal data, this will be clearly stated.
- If you fill in a form on my website, it is sent to my email address.
Counselling and Psychotherapy Sessions
- Information you share with me in sessions from which I may write client notes.
4. What I do with the information
I process your personal data to:
- Respond to queries.
- Establish a contract for counselling and psychotherapy services, this includes provision of an initial consultation and pre-therapy information.
- Provide the contracted counselling and psychotherapy services.
- Manage, and communicate with you about, administrative aspects of the service, including appointment scheduling and payments.
- Keep financial and administrative records.
- Communicate with you as we may agree in our sessions from time to time.
- Seek client feedback.
I use anonymised data to improve the effectiveness of my service and for professional purposes.
I process your sensitive data, including client notes to:
- Assess whether my skills and experience are a good fit for the issues you may be bringing.
- Assess any risk and work collaboratively to adjust the work to suit your needs.
- Support me in providing the contracted service (client notes serve as an aide memoire for future sessions or supervision).
- Monitor my effectiveness.
- Meet professional standards.
I also process your information to fulfil legal and ethical obligations.
5. Who I share the information with
The information you share with me is treated as highly confidential and will not be shared with other people or organisations except in the following circumstances:
- When you provide your explicit consent, for example a referral to another professional or service, you request or agree for me to contact your GP.
- To maintain professional standards, I attend regular supervision. I may discuss aspects of our sessions to support both our work together and my development as a therapist. My supervisor is committed to the same ethical and confidentiality standards as I am.
- In exceptional circumstances, I may break confidentiality without your consent. This is only:
- When I am required by subpoena (court order or instructions from a coroner)
- Where I have reason to believe yourself or others are at risk of imminent and serious harm (in your vital interest and in the public’s interest)
- Where I become aware of serious illegal activities notifiable by law, which include terrorism, money laundering and drug trafficking.
- For safeguarding purposes where I become aware of risk of harm or neglect to children or vulnerable adults.
- If I am required by NHS Track and Trace to provide details of my contacts. I will provide the minimum necessary information. Reasons for contact will not be given.
- For my legitimate interests to address any claim, complaint or dispute.
Information disclosed will be limited to what is necessary for each specific case and will be provided only to the appropriate authorities, bodies, organisations or persons.
I use third parties who provide services for me, including email and cloud data storage. These act as data processors on my behalf. They hold the data securely and only process it on my instructions. Your data may also be processed by my mobile phone operator, bank, payments processor and online video call provider. They act as Data Controllers. Privacy policies are available on request.
6. How and where the information is stored
Data is mainly stored electronically in documents, spreadsheets and databases. Data may be stored on my computer, external storage device and cloud services. Your name and contact number may be held on my smartphone. I may temporarily hold some paper records.
Third Party Services: For email and cloud data storage services are currently provided by Proton Technologies, with data held in Switzerland, and Sync.com, with data held in Canada.
7. How I protect the information
While it’s not possible to protect 100% against a data-breach, I take the following step to minimise risk.
- Data I store is maintained solely by myself.
- All devices are password protected and encrypted.
- Use of a password system so I can use stronger passwords.
- Use of a firewall.
- Software is kept up to date.
- Use of zero-knowledge end-to-end encrypted services where available. This means the systems are designed to prevent access to the data by anyone except the account holder. This currently includes cloud data storage and email.
- Sensitive therapeutic notes are kept using a pseudonym code and separate from personal contact data and administrative records. Individual documents are protected by password and fingerprint.
- I have a locked screen policy.
- An HTTP secure website at https://eleanormcmillan.co.uk
- Any paper record are locked away when not in use and shredded when no longer needed.
- I have a clear desk policy.
8. How long I keep the information for
For enquiries that do not lead to a contract for counselling and psychotherapy services, all personal data will be deleted within two months after the date of last contact, unless we agree otherwise.
Where we agree a contract for counselling and psychotherapy services, within two months after our last session (unless we agree otherwise):
- Contact details will be deleted from my smartphone.
- Emergency contact details, date of birth and GP details will be deleted from my records.
- Therapeutic records (including client notes, correspondence) will be kept for up to seven years after the last session.
- Financial records (including name, contact details and payments transactions) will be kept for at least six years, as per HMRC requirements.
9. Your data protection rights
You have rights under data protection law. These include:
- Your right to access: You have the right to ask me for a copy of your information.
- Your right to rectification: You have the right to ask me to rectify information you think is inaccurate. You also have the right to ask me to complete information you think is incomplete.
- Your right to erasure: You have the right to ask me to erase your personal information, in certain circumstances. I may also have the right to refuse to comply with your request.
- Your right to restriction of processing: You have the right to ask me to restrict the processing of your information, in certain circumstances.
- Your right to object to processing: You have the right to object to the processing of your personal data, in certain circumstances.
If you wish to make a request, please contact me using the details provided on my contact page. I will respond to you within one month. Exercising your rights is normally free of charge.
If you have a complaint about the way I have handled your personal data, please communicate this to me. I will do my best to address your concerns and resolve any issues. Should you wish to take the matter further, you can make a complaint to the Information Commissioner’s Office (ICO): https://ico.org.uk