Privacy policy

Introduction

This GDPR policy outlines the data protection practices of Symphysis in, hereinafter referred to as “the Practice,” in accordance with the General Data Protection Regulations 2018 (GDPR). The Practice is committed to protecting the privacy and confidentiality of personal data, including client records, and ensuring compliance with GDPR requirements. The Practice is also registered with the Information Commissioner’s Office (ICO) under registration number [Your ICO Registration Number].

Definitions:

Data controller (Symphysis, Lee Smith): Under UK law, a data controller is an entity or individual that determines the purposes and means of processing personal data. They are responsible for ensuring that the processing of personal data complies with data protection laws, such as the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR). Data controllers have specific obligations and responsibilities, including obtaining consent when necessary, providing data subjects with information about how their data will be used, and implementing measures to protect the data they control.

Data Processor (practitioners/therapists employed, subcontracted or working on behalf of Symphysis):

Under UK law, a data processor is an entity or individual that processes personal data on behalf of a data controller. Data processors are responsible for carrying out specific processing activities as directed by the data controller. They are required to process personal data in accordance with the instructions of the data controller and take appropriate measures to ensure the security and protection of the data.

Data processors have certain obligations and responsibilities under data protection laws, including the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR). They must have appropriate data processing agreements in place with data controllers, ensure the confidentiality and security of the data they process, and assist data controllers in meeting their obligations, such as responding to data subject requests and reporting data breaches.

Data Collection and Processing

Data collected by Symphysis:

The Practice collects and processes personal data necessary for the provision of play therapy services. This includes but is not limited to, client names, dates of birth, contact information, and relevant medical and psychological information.

Data Security:

 All client records are stored securely in both physical and digital formats to prevent unauthorised access, disclosure, or loss. Symphysis employs strict security measures to safeguard this data.

Data Retention

Records (electronic and physical) will be kept securely until the client’s/child’s 25th birthday or 8 years after the last case note entry. If a young person is 17 at the conclusion of treatment/interaction with Symphysis, records will be retained until their 26th birthday.

Deletion and Destruction:

 At the end of the respective retention period, client records will be securely and permanently deleted or destroyed to ensure they cannot be recovered.

Data Access and Sharing:

Access Control: Client records are accessible only to authorised personnel involved in the delivery of play therapy services. Information will only be shared when either the child’s legal guardian has given written consent detailing who the data may be shared with, or when there is a genuine belief that a child or another individual may be at risk of harm, or a crime has been committed.

Clinical supervision:

In accordance with the ethical principles of both the British Association of Counsellors and Psychotherapists (BACP) and the British Association of Play Therapists (BAPT), some basic details (age, gender, contact information and underlying difficulties/reasons for a referral to Symphysis) about the child and the content of clinical therapy sessions will be shared with the practitioner’s clinical supervisor. Clinical supervisors are also bound by confidentiality and are expected to uphold the principles of data protection within their work as clinical supervisors.

Such information is shared with clinical supervisors for the purpose of professional development and to ensure that therapists maintain a good ethical basis for their work and that the work they are completing with clients continues to be in the client’s best interests. Nonetheless, any identifiable information relating to the client or their families will be withheld from the clinical supervisor, and any clinical notes produced will be anonymised to protect the identity of the client and their families.

Clinical supervisors are legally and ethically bound to breach confidentiality if they suspect that a child or other individual may be at risk of harm, if they are concerned about the practice of a therapist which may lead to a child being harmed, or if they reasonably believe that a crime may have been committed.

Client Rights:

Access and Correction: Clients have the right to request access to their personal data and request corrections if necessary.

Data Portability: Clients can request their data in a structured, commonly used, and machine-readable format.

Withdrawal of Consent: Clients have the right to withdraw their consent for data processing at any time, where consent is the legal basis for processing.

Erasure of information: Under UK data protection law, the right to be forgotten concerning data relating to children is particularly important. It emphasises the need to protect the privacy and online reputation of minors by allowing parents or legal guardians to request the removal of their child’s personal data from online platforms and databases, ensuring a safer online environment for young individuals.

There is an emphasis on the right to have personal data erased if the request relates to data collected from children. This reflects the enhanced protection of children’s information, especially in online environments, under the UK GDPR.

Data Breach Notification:

In the event of a data breach, the Practice will promptly notify the affected individuals and the ICO (Information Commissioner’s Office). Symphysis has a legal responsibility to report any breaches to the ICO within 72 hours of discovering the breach.

Investigation of data breaches:

Once a data breach has been discovered and reported to the ICO, Symphysis will seek to carry out a full investigation into the data breach to identify: the category of data that has been breached, the circumstances around the data breach and what measures can be taken in the future to prevent any further data breaches, which may include a review of how data is handled and stored within the organisation.

Furthermore, Symphysis will seek to fully cooperate with the ICO and law enforcement during the period of any external investigation into a data breach.

Complaints:

For any complaints regarding the data that is collected, processed or stored by Symphysis, please follow the complaints policy, which can be found on the website. Alternatively, complaints can also be made to the Information Commissioner’s Office directly by following the link below:

https://ico.org.uk/make-a-complaint/.

Review and Updates

This GDPR policy will be reviewed regularly to ensure compliance with evolving data protection regulations and best practices.