privacy statement

Privacy Policy

I take your privacy seriously and I am fully committed to ensuring that your privacy is protected. This policy intends to provide you with the information that you need about how I use and protect the information that you provide to me, from the point at which you are first in touch through the completion of our work together.

Third party privacy statement

I own and operate the website www.lukebrinsford.com through which I advertise my clinical services to potential clients and collaborators.

I operate my business as an independent “sole trader”. As such, your information does not get shared with anyone else.

From the point at which you first contact me, I will not obtain information about you from any third party without your knowledge and consent.

I will never share your information with any third party - unless you have explicitly told me that you would like me to, in order to help you get further support or healthcare.

I am required to have regular clinical supervision with a qualified clinical supervisor as part of my ongoing accreditations with the Health and Care Professions Council (HCPC) and the British Association for Dramatherapists (BADth). I never disclose any personally identifying information about my clients within my clinical supervision.

There are only three lawful exceptions where I do not need your consent to share information to a third party: child protection, court order and risk to life.

The lawful basis for processing your data

Under GDPR regulations (2018), I am required by law to provide information regarding how I process and safely store client data. This statement outlines my commitment to safeguarding and protecting your information and confirms that any information that I may ask for will only be used in accordance with this privacy statement.

Under the GDPR regulations, I am what is known as the 'data controller' and also the 'data processor', and I have specific responsibilities and requirements, accompanying these roles to protect your privacy.

My business is registered with the Information Commissioners Office, the UK authority for upholding data protection, (www.ico.org.uk). I am bound by their policies with regards your privacy, as well as the HCPC standards of conduct, performance and ethics.

Under the GDPR regulations, I only use information about you in ways that are core or legally essential for me to fulfil my role as an effective, safe, ethical and responsive practitioner. I never keep or use your information in non-essential ways.

Your role in protecting your own privacy

I make every effort to ensure that my clients' personal information is held securely and to safeguard against unauthorised access, whether I receive it via my website, emails, text, over Google Meet or phone or in person.

At the same time you play an active role to play in protecting your own privacy and in agreeing to my privacy policy:

• You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.

• You acknowledge and agree that you share information via the internet at your own risk.

• You agree to take responsibility for your own role in safeguarding your data privacy in the email address you choose to use and whether or not you choose to password protect the information that you send to me.

My policy is to request that clients endeavour to take the following actions wherever possible:

• To only include your first name in any documents that you may send to me

• To password protect documents that you may send to me

• To use initials of any children, young people, or young adults under the age of 21 in email communications or documents that you may send to me

How do I obtain information about you?

I obtain information from:

• what you choose to share with me when you first contact me via my website's contact form, or when you phone or email me to make an enquiry

• what you choose to share with me during the course of work together, including any information that you may send to me by email and over the phone (text or voice message)

• the content of the sessions we have together, either face to face, or online

Your privacy when you first contact me

I'll only keep your contact information if I have the capacity to respond and be of help to you.

My website's contact form

If you contact me via my website’s contact form, you are responsible for choosing what information you wish to share with me.

Your information is not stored anywhere on my website platform - I've disabled that option, so your contact form goes directly through to me via email.

My email

I use a password protected Google Mail account for all work emails. Please see Google’s GDPR compliant security measures.:

https://business.safety.google/compliance/#?modal_active=none

About your initial free online call

If you request an initial free online call, you can choose how much information you would like to share with me at that point. The intention of the call is to find out if our schedules are mutually workable, for you to ask any questions about my approach, and for me to provide you with some information about the ways in which I might be able to help. Having a brief understanding of your reasons for seeking support and what you might want from the sessions, can be helpful in thinking about if I we may be a good fit to work together.

Your privacy in our work together

Emailing each other: After we have decided on an initial appointment I will send you a confirmation email detailing the venue, fee and other relevant practicalities.

Online sessions: I currently use Google Meet for online sessions. Google services have updated their privacy measures to ensure they are fully compliant with GDPR regulations (2018). See here for more information:

https://business.safety.google/compliance/#?modal_active=none

In person sessions: The rooms I use on a weekly basis are dedicated therapy rooms, and as such are purposed for discretion and privacy.

What type of information do I collect about you?

As a registered healthcare practitioner, I would be expected to hold the following information in case of an emergency:

• Your name and contact details

• Who should be contacted in case of an emergency (e.g. next of kin)

• GP address

As a registered independent provider for working with children, young people and families, I would be expected to hold the following information:

• Client name and address

• Reasons for referral/referral information

• Phone numbers and email address of clients, their carers and other professionals directly involved in the care of the client

• Client artworks (and/or photos of)

• Session notes

• Emails relating to client work

• Written reports based on client work/progress

Holding sensitive information

Given the nature of healthcare related data, some of the information you share with me may be classified as sensitive. As such, it is a legal requirement for me to take strong measures to protect your confidentiality with any of the following sensitive information that would be important for me to know:

• Your mental and physical health

• Use of alcohol, prescribed and non-prescribed drug use

• Any criminal offences or alleged offences

If you choose to share any information with me about your intimate relationships, your sexual history or orientation, your family, lifestyle, employment, religion or cultural background, this is also respected and treated as 'sensitive'.

What do I use your information for?

I may at times need to ask you about some of the above sensitive information with the specific purposes of ensuring that:

• the service I provide to you is properly responsive to your specific circumstances and needs.

• I make safe and effective clinical and therapeutic decisions

• I respond to you in the most considerate way

• we communicate openly with one another in order to make clear and appropriate decisions together

With regards to information held about children, young people and families, I will use information for the following purposes:

• To maintain contact with clients and relevant carers/parents/professionals, monitor client wellbeing and progress during therapy, and to ensure compliance with my insurer and professional body requirements

• To create written reports, which are shared as part of a multi-agency approach. Clients have a right to view these at any time. Clients will always be informed that a report is going to be written and that they can contribute to them should they wish. If a client wishes to change the information in the reports this can be discussed, and reports can be adapted

• Written reports are sent via encrypted email to the appropriate professionals involved in the client’s care

• To ensure effective engagement in regular clinical supervision as required by the HCPC and BADth

Transparency of record keeping

In all areas of my work there are legal parameters for things that I must have a written record of, specifically where information is shared that is in direct relation to your safety or the safety others, such as emergency contact information, or information related to suicide risk, child protection, domestic abuse, or other violent crime, or should I ever need to account for my clinical decisions and/or respond to complaints.

Records will typically comprise of:

• Any email correspondence, written reports, forms or letters that you have opted to share with me directly

• Any email correspondence, written reports, forms or letters that I have shared with you directly

• Any information pertaining to a legal or risk issue that has been identified: risk assessment and risk management plan, and my clinical supervisor's recommendations, which I will also share with you, unless it would increase a safety risk to do so

• Client artworks and process material (and/or photos of)

• Session notes relating to work with children, young people and families

• Email correspondence relating to work with children, young people and families

• Written reports based on client work/progress/outcomes

How I keep this data – physical

I keep all data in paper form in a secured filing cabinet.

Client artwork/process material is kept until the end of the client’s therapeutic process and is stored securely in my home. At the end of the therapeutic process the client will have the option to take their artwork/process material home with them or destroy it.

No other physical data is shared with anyone other than myself unless there is a legal or safeguarding reason to do so and, in such cases, where confidentiality has been broken, appropriate child protection/legal guidelines will be followed.

How I keep this data – digital

My electronic devices are all password protected, with strong passwords that are all different from each other, and which I change at suitable intervals.

I do not store any personally identifying information of my clients on a mobile phone, unless it is necessary to hold a contact number. In this case a coded name shall be used.

If you we use Google Meet for online sessions the contact details you use are stored, but no other therapy related information is kept on this platform.

I do not record Google Meet sessions.

If I need to electronically send a report or invoice, I send this separate to your personally identifying information and/or I password protect the document.

I clear my downloads related to client information on all devices when I am not actively making use of those downloads.

I do not keep your personal or sensitive information stored on any external hard drive or memory stick.

Consent

Clients who are over the age of 16 (or 13 if deemed appropriate) will be asked to provide consent to their information being stored whenever possible. For children under the age 16 (or 13 if deemed appropriate) the person with parental responsibility will be asked to consent. Consent can be withdrawn at any time. This can be discussed with me and adaptations can be made if possible.

Clients have the right to view their information, and to ask for changes to be made. Clients may also wish to have their information deleted which I will do whenever possible unless there are specific circumstances restricting me from doing so. In such cases I will seek legal advice.

If I discover there has been a data breach of personal information that could put a client at risk, I will undertake to report this as soon as possible and notify clients.

Legal exceptions to obtaining your consent

There are some situations where I would be required to share your information with third parties, without your consent:

• Court Order: If I am required to disclose data about you, under a Court Order for me to do so.

• Child Protection: If I am concerned about the welfare of a child, i.e., where there are child protection issues relating to potential physical, mental, sexual abuse or serious neglect

• Risk to self or others: Where there is an imminent risk of serious harm to yourself or harm or exploitation of others. If you are seeking help and you are perpetrating a serious crime against someone, or you are actively suicidal, I am unable to protect your right to privacy, as I must take appropriate action to protect the rights of children and vulnerable adults if I believe they are at risk. In those instances, I will always follow local and national safeguarding policies and the HCPC Standards of Conduct, Performance and Ethics.

If you are worried about your safety or the safety of someone else, it is very important that you get access to the right kind of help as soon as is possible. In crisis or high-risk situations, it may well be more suitable for you to prioritise getting in touch with a therapeutic team who specialise in crisis or high-risk situations.

How long do I keep your information for?

I will retain your personal information for a period of three years following the completion of our work together. At this point I will permanently delete any electronic files that are stored on my computer.

My session notes are my personal process notes which do not contain any identifiable information relating to a client and are kept separately to other client information. These I keep for the duration of the therapy then are permanently deleted.

When sensitive information in physical form is to be destroyed, it is incinerated.

Your rights

Your right of access: You have a right to make a written request for the details of personal information that I hold about you. You can email me and I will be happy to share the records that I have for you.

Your right to rectification: If you believe that any information I am holding on you is incorrect, incomplete or needs updating, please email me with details and I will promptly make the appropriate changes.

Your right to portability: Any information that is generated through our work together, such as written reports or letters, you are welcome to share with other people if that would be helpful to you. I will do my best to only keep information in a form that is easily portable for your convenience.

Your right to lodge a formal complaint: If you believe that your rights under the GDPR regulation have been infringed, or that the processing of personal data relating to you does not comply with lawful regulation, you can visit the Information Commissioners Office to find out how such matters can be dealt with on your behalf. Their helpline is 0303 123 1113.

Contact

This document regarding client data GDPR is subject to regular review and will be updated as and when is necessary.

If you wish to contact me with any questions, concerns, or a request for your information then please speak to me directly or contact me via email connect@lukebrinsford.com.