Privacy Policy

Please read this privacy notice carefully as it contains important information on who I am and how and why I collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact me or supervisory authorities in the event you have a complaint.

When I use personal data we are regulated by the Information Commissioner under UK General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018. I am required to meet the regulations of the EU General Data Protection Regulation which applies across the European Union.

The individual receiving the service from Ewbank Psychotherapy is consenting to providing the personal data outlined in this document, and the use and restriction that this document details.

Definitions

“Ewbank Psychotherapy”, ‘I’, “Me” and ‘Your Therapist’ are used interchangeably and relate to the Service that I will provide to You;

“Service/s” means the therapy engagement sessions I will provide to You;

“You”, “The individual” and “The Client” are also terms used interchangeably and relate to the individual receiving the Service/s if aged over 18 years or the parent/guardian of the individual receiving the Service/sif aged under 18 years;

“Personal Data” means any information relating to an identified or identifiable person;

“Special Category Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, Genetic and biometric data, and/or data concerning health, sex life or sexual orientation;

Personal Data I Collect

Personal data I collect depending on your engagement with us and use of my Services.

When you browse my website:

Data submitted through forms such as when you make a self-referral form:

If you choose to answer questions and/or want to measure items yourself we may collect information such as:

If you have made an enquiry about therapy Services:

If you have a therapy session:

This personal data is required to enable me to provide my Services. If I am not provided with the personal data I ask for, it may delay or prevent me from providing the Services which you are requesting.

I store all data you enter on a Practice Management System in order to best safeguard (even deleted data).

How Personal Data is collected

I collect all of this information directly from you, when you use my website, and when you express interest, or complete a new client registration form. If you engage in sessions with me, I may upload or amend information after the session.

How and why I use personal data

Under Data Protection legislation, I can only use personal data if I have a legal basis for doing so. These are mandated by the legislation and include:

A legitimate interest is when I have a business reason to use personal data, so long as this is not overridden by the data subject’s own rights and freedoms.

The table below explains what I use (process) personal data for (our purpose) and my legal basis for doing so: Purpose

Legal Basis

To enable me to provide my personalised, face-to-face or online psychological therapy

For the performance of my contract with clients or to take steps at a client’s request before entering into a contract

Ensuring the confidentiality of client’s sensitive information

For my legitimate interests or those of a third party, e.g. to prevent data breaches which could be damaging for clients. To comply with my legal and regulatory obligations

Updating and enhancing Client’s, and parents/guardians/carers records

To comply with our legal and regulatory obligations

The above table does not apply to special category personal data, which I will only process on the basis of article 9(2)(h) of the UK GDPR, specifically for the purposes of the provision of health or social care under the supervision of a health professional.

Promotional Communications

Your personal data will not be used for promotional purposes.

I will always treat personal data with the utmost respect and never sell it to other organisations for marketing purposes.

Who I share Personal Data with

I only share Personal Data as necessary with my clinical supervisor, who is bound by professional codes of confidentiality. You will not be identifiable and a pseudonym will be used.

I only allow external third parties to handle Personal Data if I am satisfied they take appropriate measures to protect all Personal Data.

I may very occasionally disclose and exchange information with law enforcement agencies and regulatory bodies to comply with my legal and regulatory obligations.

Where Personal Data is held

Personal Data is kept in an encrypted form on secure servers primarily inside the UK or European Economic Area (EEA). It is sometimes necessary for us to store some elements of Personal Data outside the UK or the European Economic Area (EEA). These transfers are subject to special rules under European and UK Data Protection legislation.

In exceptional circumstances, for example when information needs to be communicated by a referrer who cannot receive encrypted email we may send some Personal Data in a password protected pdf document.

Keeping Personal Data secure

Security

The privacy and the security of your Personal Data is my utmost priority. I recognise that you trust me to keep it secure and private. I have in place appropriate security measures to prevent your Personal Data from being accidentally lost, or used or accessed unlawfully. I protect your Personal Data at all times with strong encryption, password protecting, and two-factor authentication. I limit access to Personal Data to those who have a genuine business need to access it and are subject to strict obligations of confidence.

Protecting your Personal Data

All your Personal Data is encrypted using strong encryption both in transit and at rest. I have strict procedures and systems in place to prevent unauthorised access to data. Card Payments are processed via a third party payment provider that is fully compliant with data security standards.

Personal Data and special category Personal Data is primarily stored on a secure practice management system and cloud storage, protected by two-factor authentication.

How long will personal data be kept

I follow the best practice guidelines of the British Psychological Society regarding the retention of Personal Data contained in (amongst other sources) client notes and clinical records and I retain Personal Data for a period of 7 years following the cessation by data subjects of engagement with me.

When it is no longer necessary to retain Personal Data, I will delete or anonymise it.

Rights

Data subjects have the following rights, which can be exercised free of charge: Access

The right to be provided with a copy of Personal Data held on a data subject

Rectification

The right to require me to correct any mistakes in a data subject’s Personal Data

To be forgotten

The right to require me to delete Personal Data – in certain situations

Restriction of processing

The right to require me to restrict processing of certain Personal Data – in certain circumstances, e.g. if the accuracy of the data is contested

Data portability

The right to receive the Personal Data provided to me, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations

To object

The right to object:

At any time to Personal Data being processed for direct marketing (including profiling);

In certain other situations to our continued processing of Personal Data, e.g. Processing carried out for the purpose of my legitimate interests

Not to be subjected to automated individual decision-making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning a data subject

Consent

The right to withdraw consent at any time

For further information on each of those rights, including the circumstances in which they apply, please see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation

To exercise any of those rights, please contact me via email: info@ellieewbank.co.uk

How to complain

I hope that I can resolve any query or concern raised about my use of Personal Data.

The UK GDPR also gives the right to lodge a complaint with the UK Information Commissioner who may be contacted at https://ico.org.uk/make-a-complaint/ or telephone: 0303 123 1113.

Changes to this privacy policy

I may change this privacy policy from time to time, when I do I will inform clients via email and update my website.

Updated February 2023.