I take your privacy seriously. My privacy notice as detailed here includes measures for us both to take to protect your privacy, and details of how I collect and process your personal data, including those relating to General Data Protection Regulation (GDPR). Your data rights under GDPR are:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • and the right not to be subject to automated decision-making

You can learn more about these rights from the Information Commissioner’s office (which I am registered with). Should you wish to exercise any of your data rights, or if you have any questions about the measures I take to protect the security of your information and data, please do not hesitate to email me.

Location of CBT sessions

Both face-to-face and online sessions are provided from a private and confidential space, free from distractions. For online sessions, please ensure that you have somewhere private to talk.

Internet related security

It is important to be aware of the risks of third parties gaining access to private information shared over the internet. End-to-end encryption scrambles messages to reduce the risk of others reading your messages or listening to your calls. I provide online sessions using Zoom, with end-to-end encryption enabled. My outgoing emails are sent with encryption in transit as standard (as long as the recipient’s email provider supports this, which most major providers do). I use end-to-end encryption for sending emails containing sensitive information, and can assist you in setting this up before sending emails containing sensitive information to me. Internet communication can be vulnerable to spyware (listening in). This risk is reduced by:

  • Turning off listening devices (such as Alexa and Siri)
  • Using Firewall and Antivirus programmes
  • Running legitimate software updates
  • Not opening unexpected and suspicious looking emails

I do each of the above, and recommend that you do the same.

Information I collect about you and how I use it

Upon making an initial enquiry about CBT, I request your first name; email address; and phone number. I also request some sensitive data regarding your current and past mental health.

On registering, I request further Personal / identity data: your full name, address, date of birth. I also request details of your next of kin, GP, and any other professionals who may be supporting you.

Notes are taken during assessment and therapy sessions. These include sensitive details about your life. Information may be collected through email, post, telephone, video calls, and/or in person. Information provided is used to support treatment planning, and to aid continuity between sessions.

How long I keep your information – data retention

Emails will be deleted within 30 days of receipt, as will any enquiries and registrations which do not result in booking a session. If you register for CBT with me, personal and/or sensitive data will be transferred into your clinical records. Otherwise it will be deleted.

If you book in for CBT, I will keep your clinical records (which include personal and sensitive data) for a period of 7 years following the end of treatment. However, if your therapy is funded by a third party (i.e., health insurance company), they may require notes to be kept for longer. Please check with them for more details. All Personal and Sensitive Data shall be deleted once the retention period ends.

Sharing and Security of Data

Upon booking your first appointment, your first name and telephone number will be entered into a password-protected encrypted cloud based data storage system which my clinical supervisor / clinical executor(s) have access to. This is so that you could be appropriately informed should unanticipated serious events (e.g., my death or becoming incapacitated) result in me not being able to continue with your session(s), you could be appropriately informed. I also enter your first name and phone number into my (password protected) mobile phone, in case I need to contact you regarding any technical issues during online therapy. Your name and number are deleted from the shared cloud and my phone when therapy comes to an end.

Enquiries, registration information, assessment and therapy notes (summarising the content of sessions, and other personal and sensitive information which has been shared) are stored in a ISO27001 certified, cloud-based system, which is encrypted in flight and at rest (with navigation running on 256 bit SSL). Access is protected using two-factor authentication (‘2FA’ – meaning that both password, and use of a trusted devise is required).

My tax is calculated by an accountant. Invoices may include your Personal data (i.e., name, address, date of birth and relevant codes). However, no sensitive data (such as diagnosis, or personal circumstances) is disclosed to them. There may be times that your information needs to be shared with other third parties. For example, referrers, or other professionals who are supporting you. I will check your consent before sharing your information (unless this was not possible in an emergency situation and / or doing so may increase any identified dangers to you or others).

I would notify you of any security or confidentiality breaches, in line with my legal requirements to do so.

Lawful basis for processing your information

The ‘lawful basis’ for my holding and using your information is in relation to the
delivery of a consenting contract with you, in my health care professional role. This is permitted under data privacy law as part of my legitimate interest in understanding my clients and delivering the best service possible.

Owner and data controller

I (Charlotte Rose) am the data owner and data controller. I manage my own email account and therapy records.

The legal bases I rely on for processing

The owner (Charlotte Rose) may process Personal Data relating to clients when it is necessary for specific purposes: Performance of an agreement with the client and any pre-contractual obligations; Compliance with a legal obligation to which the owner is subject; Legitimate interests pursued by the owner or by a third party. I will not sell your data. I will not use it in any way that could result in personal, professional, or financial gain (without your informed consent).

Issues regarding handling of your data

I will attempt to respond to any concerns or requests to exercise your data rights within 30 days of your email. If you are not satisfied with the response that you receive, you have the right to lodge a complaint with the Information Commissioner’s Office online or by calling 0303 123 1113.