Privacy Policy 

 

Dr Sophie Thomas’ (my name) registered office is: 40 Palace Chambers, London Road, Stroud, GL5 2AJ. I offer clinical psychological services. This privacy policy explains how I use any personal information I collect about you, as a past, present, future employee or associate or a service user (client or patient). 

 

Dr Sophie Thomas provides psychological therapy and assessment services online. This privacy notice provides information about the personal information I process about you as a data controller, in compliance with the General Data Protection Regulation (GDPR). 

My ICO registration number is C1304707 

 

Please contact Sophie Thomas at sophie@pelicanpsychology.co.uk with any questions or requests about the personal information I process. 

 

  1. What are your rights? 

 

I am committed to protecting your rights to privacy. They include: 

  • Right to be informed about what I do with your personal data 
  • Right to have a copy of all the personal information I process about you 
  • Right to rectification of any inaccurate data I process, and to add to the information I hold about you if it is incomplete 
  • Right to be forgotten and your personal data destroyed 
  • Right to restrict the processing of your personal data 
  • Right to object to the processing I carry out based on my legitimate interest 

 

  1. Why do I collect information about you? 

 

I may collect information about you because you are a patient or client. You may be an associate or employee. You might be a claimant who is part of a legal or litigation claim. 

I process the data because it is in my legitimate interests as a clinical psychologist to do so. I need to see and analyse documents containing this information in order to carry out an assessment or to deliver psychological intervention. 

Another lawful reason for me processing your data may be Legal Obligation. If I am processing “special category data” about you, this is my second lawful reason to do so. This is likely to apply if you are being assessed as part of a litigation claim. 

As a client or patient of Pelican Psychology, my lawful reason for processing “special category data” is that it is necessary for the purposes of the provision of health or social care or treatment. 

 

 

  1. What information do I collect about you? 

 

I collect information about you that may include personal or sensitive information, such as: 

  • First name or given name 
  • Family name or surname 
  • Address 
  • Telephone numbers 
  • Date of birth 
  • Gender (or preferred identity)
  • Age
  • Relationships & children
  • Occupation
  • Telephone/SMS number 
  • Email address 
  • Health insurance details 

 

To make sure that you are assessed and/or treated safely and appropriately, I record your personal information, such as your name, address, as well as all contacts you have with the Company such as appointments and the results of assessments and letters relating to your care/report. Your data is kept confidential within the Company at all times. 

I also process personal data pursuant to my legitimate interests in running my business such as: 

  • Invoices and receipts 
  • Accounts and tax returns 

 

Please see the section below for information about my website cookies.

Patients/Clients (Therapy or private assessment) 

When you are a patient or client of Pelican Psychology I record all your treatment and details of your appointment so that I can plan your treatment correctly. In addition to the personal information above, I may also collect information regarding: 

  • Medical conditions (if relevant) 
  • Prescribed medication. 
  • Psychological history and current difficulties. 
  • Sexuality 
  • Offences (including alleged offences) 
  • Financial information, including bank account details (if you are a private patient/client of Pelican Psychology) 

 

I may collect some of this information from your insurance company if you have one, and some of this information will be collected directly from you. 

Clients involved in Legal proceedings / Court Reports 

In the case of a court report I retain the information as required by the courts or your solicitor. 

In addition to the personal information above, I may also collect information regarding: 

  • Medical conditions (if relevant) 
  • Prescribed medication. 
  • Psychological history and current difficulties. 
  • Sexuality 
  • Offences (including alleged offences) 

 

I may be given some of this information from your solicitor or the party instructing me for the purposes of litigation, and some of this information will be collected directly from you. 

In many cases, an individual has consented to the transfer of their personal data to me. Where an individual has consented, he or she may easily withdraw it by notifying me (Sophie Thomas) at sophie@pelicanpsychology.co.uk. 

 

 

 

  1. How do I store the information about you? 

 

I take your privacy very seriously. 

 

I am committed to taking reasonable steps to protect any individual identifying information that you provide to me. Once I receive your data, I make best efforts to ensure its security. 

All personal information provided is stored in compliance with the EU General Data Protection Regulation (GDPR). More information is provided prior to the first appointment.

 

  1. How long do I keep your information for? 

 

I do not keep your data for longer than is necessary. 

 

Administrative data is retained for up to seven years as necessary, in the unlikely event there are queries from HMRC. Where it is not necessary to retain the data for seven years, it is destroyed as soon as possible. 

 

Patients/Clients (Therapy or private assessment) 

Personal data is retained, where necessary, for seven years in compliance with my professional indemnity and professional regulations. For clients under the age of 18, personal data is retained until their 26th birthday or seven years after our last contact, whichever is the later.

 

Clients involved in Legal proceedings / Court Reports 

Personal data in legal cases is retained, where necessary, for seven years in compliance with my professional indemnity and professional regulations. For clients under the age of 18, personal data is retained until their 26th birthday or seven years after our last contact, whichever is the later. Where this is not necessary, it is destroyed on the conclusion of the case.

 

  1. Who do I share your personal information with? 

 

Your information is kept confidential within the Company at all times. Where possible I will anonymise information so that individual patients cannot be identified.  

If I become aware of your intent to cause harm to another person/organisation (e.g. terrorism), the law may require that I inform an authority without seeking your permission. In such a situation, the law may require that I share your personal information without your knowledge. 

 

By contacting the Information Security Officer, by email and/or using the address below you can also get more details on: 

  • agreements I have with other organisations for sharing information; 
  • circumstances where I can pass on personal data without consent, for example to prevent and detect crime and to produce anonymised statistics;
  • how I check that the information I hold is accurate and up to date 

 

Special category data and personnel files held electronically are encrypted with restricted access. 

For those funding through health insurance, personal information including your name, address, date of birth, membership number, authorisation number may be stored on the Healthcode system for the purposes of invoicing your insurers securely. 

For the purposes of completing tax returns, your name and dates of payment(s) are shared with the accredited accountant of Pelican Psychology who themselves are governed by GDPR and strict confidentiality codes. 

 

Patients/Clients (Therapy or private assessment) 

In many circumstances I will not disclose personal data without consent. 

Your information may be shared with outside organisations if they are directly involved in your care/case, for instance, your insurer if they are funding your treatment, your GP, or others involved in your care. I will discuss with you who I would discuss your care with, and what details I would share with them. 

 

If your health is in jeopardy I may share your contact information with an emergency healthcare service (e.g. Mental Health Crisis Team). If you are a child and your health is in jeopardy I may share information with your parent / guardian. 

 

In many circumstances I will not disclose personal data without consent. 

 

However, when I investigate a complaint I may need to share personal information with other relevant bodies. 

 

If I do need to share your information, I will always try to ask for your permission. I may not be able to ask your permission in special circumstances where I am legally required to share it.

Clients referred to colleagues / associates

By consenting to me passing on your details to a colleague/associate, you are consenting to me passing on your contact details (name/phone/email). You are also consenting to me sharing with the colleague/associate the details we have discussed over email/phone and the appointments booked, unless you have stated otherwise.

Clients involved in Legal proceedings / Court Reports 

I share personal data internally strictly on a need to know basis. 

I do not share personal data with anyone external to the organisation, other than with: 

  • Others pursuant to a court order
      
  1. How you can access your information and correct it, if necessary? 

 

I try to be as open as I can be in terms of giving people access to their personal information. Individuals can find out if I hold any personal information by making a ‘subject access request’ or ‘Right of Access’ request under the Data Protection Act and the General Data Protection Regulation. I will then supply to you:

  • A description of all data I hold about you 
  • Inform you how it was obtained (if not supplied by you) 
  • Inform you why, and for what purposes, I am holding it
  • What categories of personal data are concerned
  • Inform you who it could be disclosed to
  • Inform you of the retention periods of the data
  • Inform you about any automated decision making, including profiling
  • Let you have a copy of the information in an intelligible electronic form unless otherwise requested. 

 

To make a request to me for any personal information I may hold, you need to put the request in writing. I want to make sure that your personal information is accurate and up to date. You may ask me to correct or remove information you think is inaccurate; please address these changes to me via “How to contact me”.

 

Clients involved in Legal proceedings / Court Reports 

If your concern is related to a case with a solicitor that I am working for, please refer the queries through them. I may not be able to comply with a request to correct information I hold about you where it pertains to a litigation claim – this would need to be discussed with your solicitor. 

 

  1. Complaints or queries 

 

I try to meet the highest standards when collecting and using personal information. For this reason, I take any complaints I receive about this very seriously. I encourage people to bring it to my attention if they think that my collection or use of information is unfair, misleading or inappropriate. I would also welcome any suggestions for improving my procedures. If you do have a complaint, contact the Data Protection Officer who will investigate the matter on your behalf. 

 

If you are not satisfied with the response from me, or believe I am not processing your personal data in accordance with the law, you have the right to raise your complaint with the Information Commissioner’s Office (ICO).

Contact information ICO:
Website: https://ico.org.uk/concerns/
Email: casework@ico.org.uk
Telephone: +44 (0) 303 123 1113 

 

  1. Who I am and how to contact me 

 

Pelican Psychology is the company that you are supplying your personal information to. The company Chief Information Security Officer (Sophie Thomas) is the Data Protection Officer for Pelican Psychology and can be contacted by: 

Email: sophie@pelicanpsychology.co.uk

Post:
Dr Sophie Thomas
40 Palace Chambers
London Road
Stroud
GL5 2AJ

 

Security Policy 

  1. This security policy is designed to ensure that Pelican Psychology complies with the security requirements of the General Data Protection Regulation, and the rights to privacy of data subjects are protected.
  2. In compliance with Article 32, Pelican Psychology has implemented appropriate physical, organisational and technical measures to ensure a level of security appropriate to the risk.
  3. Pelican Psychology is based at Office 117116, PO Box 92, Cardiff, CF11 1NB. The address is a virtual office where post is received. Clinics are run online. Post is received at Shere Surgery. 

Security measures 

The following security measures have been taken:  

  1. Physical 

The home of Dr Sophie Thomas is locked. 

Mail sent to the virtual office is kept in a secure manner, compliant with GDPR.

Computer screens are arranged so they cannot be viewed by casual passers by, particularly visitors. 

Hard copy material is stored in a locked filing cabinet in a locked building.

When stored electronically, all information including special category data is encrypted.
 

Mobile equipment, such as mobiles, is password protected and encrypted, and locked away when not in use.

Computers and other electronic equipment are disposed of in a safe manner by an outsourced and certificated provider. 

Paper files are shredded in a safe manner generally by an outsourced and certificated provider. When this does not occur a minimum of a crosscut shredder is used. 

  1. Managerial 

This policy is regularly reviewed and Dr Sophie Thomas is committed to ensuring it is implemented. 

Dr Sophie Thomas is responsible for data protection and has powers to discipline for breaches of this and other data protection policies. 

Dr Sophie Thomas has sufficient resources to carry out the role of data protection lead effectively.

 

  1. Technical measures 

Anti-virus and anti-spyware tools are installed on all computers; 

All computers, including laptops and mobile phones are encrypted and password protected; 

USB Sticks used are FIPS 197 certified with 256-bit encryption.

Computers are programmed to download patches automatically; 

Computers have automatic locking mechanisms when not in use; 

Sensitive personal data shared by email are sent from an encrypted mail address and password protected as appropriate.  

  1. Security measures are tested and evaluated once a year.
  2. Whenever a new project, process or procedure is introduced which carries a high risk to data subjects, a Data Protection Impact Assessment is carried out, at the instigation of Sophie Thomas.