John Foley
Psychotherapy and Counselling

Privacy

PRIVACY NOTICE

I am committed to protecting and respecting the privacy of my patients and clients. I comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).


Overview

This policy explains when and why I collect personal information, how I use it and how I keep it secure.


I review this policy regularly and where necessary make updates to ensure it accurately reflects how I use your data. I will notify you if there are changes which affect how your data is processed.


I hope this policy helps you to understand how I use your data. If you have any questions you can contact me by email on [email protected]


About me

I work independently in private practice offering psychodynamic psychotherapy, counselling and supervision.


What information do I collect?


When you use this website

Cookies

VistaPrint hosts this site, and they make minimal use of cookies, which do not identify you as an individual. This site does not require cookies in order to function properly. Refer to the 'Website Cookies' link at the bottom of this page.


When you make enquiries

If you email or telephone me I will ask you to provide your name and information about your enquiry. I may also ask for alternate methods of contacting you. I will only use this information to respond to your enquiry.

- Email

I store personal data in email. 

- Telephone

I store personal information on my mobile telephone in the form of text messages and automated call logs. I don’t audio-record calls, and I don’t keep voicemail messages left on my phone. 

- Contacts

I store personal information using Apple’s iCloud contacts functionality. 


At our initial meetings

If you meet me for a clinical assessment, before agreeing to treat you I will discuss my psychotherapeutic working methods and my terms of service. 


This discussion includes, but is not limited to, my working practice, session duration, session rates, electronic billing and payment, holidays and missed sessions, potential therapy start-date and the personal data necessary for my delivery of psychotherapeutic services and for maintaining your safety and wellbeing. It may take us between one and seven clinical-assessment sessions to establish if there is a potential therapeutic alliance with your wellbeing and therapeutic need as a central factor. 


In addition to discussing my use of your personal data, I may need to discuss my use of your ‘special category’ data such as your General Practitioner (GP) or other healthcare professional’s details, your medication and associated medical information, as well as third-party assessments (eg psychiatric, social- or key-worker) where relevant. If you and I agree to work together, I do not intend to contact your healthcare professionals on a regular basis, but under some circumstances it may be helpful for me to contact them to arrange better-coordinated care. (I would usually discuss this with you beforehand.)


If we both agree to these terms, they create a verbal contract between us. Without your personal and ‘special category’ data I am unable to fulfil my obligations under the terms of our contract. 


Children

Although I do not work with young children, I do work with late adolescents (aged 17 and above). Under these circumstances my contractual relationship is with my young patient’s parents or guardians, and this agreement includes permission for me to process their adolescent’s personal and ‘special category’ data. 


Couples’ therapy

If you see me as a couple, I would normally expect that information can be shared between you. 


At your therapy sessions

I adhere to a professional code of ethical standards which includes the principle of confidentiality. This is because the nature of therapy involves discussing personal and sensitive information, relating to relationships and family, with me during your ongoing sessions. If you have any questions about confidentiality please discuss them with me. 


When we correspond

Where applicable, I will usually retain correspondence between you and me.


Referrals

- If someone has referred you to me

If someone, including a mental health professional, has referred you to me, they may provide me with some of your personal data on your behalf. In some circumstances the referrer may also tell me why they are referring you, which may include sensitive personal data relating to your health. 

- If I refer you on to someone else

An analytic or psychotherapeutic society may ask you to meet me for a clinical assessment in order for me to refer you to another mental health practitioner. With your prior permission, when referring you on I may provide the analytic or psychotherapeutic society with some of your personal data on your behalf as part of this referral. In some circumstances, I may need to include ‘special category’ data relating to your health and wellbeing. 


How else may I obtain your personal data?

- My bank statements

Depositors’ names may appear on my bank statements.

- Indirectly

I may also receive your personal information indirectly, for example in one of the following scenarios:

- With your permission I contact an organisation on your behalf and that organisation gives me your personal information in its responses.

- Personal information is contained in reports of breaches of data protection law (‘breach reports’) given to me by third-party organisations.


How long do I keep your data?

I keep personal and ‘special category’ data for the duration of each contracted therapeutic relationship, and thereafter as required by statutory, legal, regulatory, government (eg HMRC), contractual (eg insurance) and governing industry bodies (eg the BPC, BACP). 


I do not retain personal data for longer than is necessary for the purpose for which it was collected. 


Who do I share your information with?


Marketing

I will not share information with, or sell your data to, any third parties for the purposes of direct marketing.


Third-party data processors

I use third-party data processors to provide elements of services for me. I do not share ‘special category’ data with them. These third parties have their own GDPR privacy policies on how they handle personal data:


- Videotelephony and messenger products

If I conduct remote, online therapeutic, supervisory and consulting sessions I store personal contact information in the following third-party systems:

- Skype


- Professional third-parties

When necessary, I may need to communicate your personal data to a healthcare professional or, if you are a trainee, a psychotherapeutic training institution. Where it is feasible to do so, I will discuss this with you before sharing the information. I will not disclose information about you to a third party without your agreement, except in situations where there is significant concern about harm to you or someone else, and this would normally be discussed with you beforehand. Unless the requesting party has a basis in law for demanding disclosure, my duty of confidentiality and your rights as the data subject may outweigh the reason behind the disclosure request.

- Legal

Under some circumstances I am legally obliged to share information (eg a court order). I will always satisfy myself that I have a lawful basis on which to share the information, and document my decision-making.


Emergency-contact colleagues

In line with standard therapeutic practice and ethical requirements, I share patient names and contact information with two members of my analytic society, known as ‘case load managers’, in the event of an emergency. I provide these colleagues with either a hard copy or an emailed password-protected PDF. I do not share ‘special category’ data this way. The sharing of this list is within the ethical and practice framework of the BPC (the British Psychoanalytic Council). 


Supervision

- If you are my supervisee

I need to be able to process your personal data, as my supervisee, in order for me to be able to perform under our verbal contract of supervision agreed during our initial meetings. My privacy policy, as it relates to my patients, which is detailed in this document, applies equally to supervisees. When necessary, I may also need to communicate a supervisee’s personal data to a psychotherapeutic industry body. 

- Peer-group supervision

My participation in peer-group supervision is in line with standard therapeutic practice. I do not share personal or ‘special category’ data during supervision as per the ethical and practice framework of the BACP and BPC. 


Keeping your data secure

Access to your personal data is restricted so that it is only accessed by myself or my authorised clinical executors. 


Transferring your information outside Europe

In general I do not transfer your data outside the EU. Transfer does occur in the following circumstances:

- Online therapy or supervision

If you are an international client, based outside of the EU/EEA, there will be data transfer outside Europe in order for me to deliver your therapy or supervision. 

- Third-party providers

Some of my third-party data processors may use data storage locations outside of the EU using approved data-transfer mechanisms. The GDPR does not preclude EU personal data being stored (or otherwise processed) outside the EU, as long as there is a data transfer mechanism in place approved by the European Commission. 


Links to other websites

My website may contain links to other third-party websites. My privacy policy applies only to my website, and I would ask you to read the privacy policy and notices of any other websites you visit via links from my website. 


Your rights

The GDPR gives you certain rights in relation to the data I hold about you. You can exercise these rights by contacting me on [email protected]


Under the GDPR you can:

- Find out what information I hold about you

- Access a copy of the information I hold about you

- Rectify any inaccurate or incomplete personal data

- Object to my processing of your personal information

- Ask me to delete or restrict how I use your personal information, but this right is determined by applicable law

- Have your contact information sent to another provider

- Have the right to appropriate decision making (I do not use automated profiling or decision making)

- Complain to a regulator if you think I have not complied with data protection laws. You can lodge a complaint with the Information Commissioner’s Office.


Review of this policy

I keep this policy under regular review. This policy was last updated on 14 September 2018.