top of page

Privacy Notice & the GDPR

In order to provide therapy to you I need to process and store certain information in my records.

I am happy to discuss any questions you might have about my data protection policy and you can contact me via email with any queries: coswaycbt@pm.me

 

Your privacy is very important to me and this privacy notice sets out how any personal data that I receive will be stored and processed, from our initial point of contact through to after your therapy has ended.

​

I adhere to current data protection legislation, including the General Data Protection Regulation (EU/2016/679) (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

​

As a fully accredited member of the British Association for Cognitive and Behavioural Therapists (BABCP), I adhere to their ethical guidelines regarding protecting client privacy and confidentiality to ensure that you receive a professional and high quality service.

 

I am registered with the Information Commissioner’s Office (ICO) and you can check their register here. My registration number is ZB108043.

​

I take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Personal data subject to this policy and where it is stored

  • Information that you provide by telephoning or messaging me on 07713 954847 when making your initial enquiry, and all subsequent contact via these means. The call history is cleared from the telephone immediately upon completion of the call. Any messages sent/received via SMS or WhatsApp are deleted immediately after receipt and acknowledgement.
     

  • Information that you provide by emailing me at coswaycbt@pm.me when making your initial enquiry, and all subsequent contact via these means. My email provider is Protonmail and has been chosen specifically for their robust privacy policy and safety profile.
     

  • Information that you provide via the contact form on my website when making your initial enquiry, and all subsequent contact via these means. My website is hosted by Wix. Any messages submitted via the contact form are deleted immediately after receipt and acknowledgement.
     

  • Information that you provide via completion of the ‘New Client Information form’ and the PHQ9/GAD7 questionnaires which is collected during the onboarding process. This information is collected via a secure link and stored securely within my electronic records management system (WriteUpp) which is ISO27001 certified and compliant with the GDPR (security).
     

  • Brief session notes that I will take during the course of our therapy sessions. These notes are temporarily stored locally on my computer, which is password protected, and held within secure files, which are themselves password protected. They are deleted at the end of treatment. Upon completion of each session the notes are transferred to my electronic records management system (WriteUpp) which is ISO27001 certified and compliant with the GDPR (security) for long-term storage (7 years) under the requirements of my professional indemnity insurance.
     

  • I use the video-call service Teams to deliver therapy. This platform is securely encrypted. It has the facility to record sessions - I will only use this facility with your express permission. Any chat transcripts that are created during the course of sessions will be destroyed when the session has finished. Therapeutic email exchanges will be destroyed when the course of therapy has finished.
     

  • From time to time, I may use Microsoft whiteboard in the course of our work together. All information is anonymised and the boards are deleted when treatment has completed.
     

Uses made of the information

  • I will use your contact details to facilitate the communication of any changes in our respective availabilities along with any other relevant administrative changes. I will also use your contact details to provide you with all information that is necessary to support the service that I provide, e.g. session resources.
     

  • I will use the brief session notes that I make, and any supplementary information that you provide, to support me in carrying out the obligations which arise from the therapy agreement entered into between the both of us (therapy agreement – separate to this policy).
     

  • In accordance with the requirements of my accrediting body (BABCP) and with my commitment to providing a professional service to you, I attend supervision regularly to review my work. My supervisor is also accredited by the BABCP and we are bound by a confidentiality contract (separate to this policy). In order to protect your privacy any identifying details are anonymised when any work that I have done with you is discussed.
     

How long I keep your information/notes for

  • Your contact details are not stored in my telephone and the call history is cleared immediately upon completion of a call. Any messages sent/received via SMS or WhatsApp are deleted immediately after receipt/acknowledgement.
     

  • All communications via email are deleted at the completion of treatment.
     

  • Messages submitted via the contact form on my website are deleted immediately after receipt/acknowledgement.
     

  • Information that you provide via completion of the ‘New Client Information form’ and the PHQ9/GAD7 questionnaires, along with the brief session notes, will be retained for the time that we are working together plus an additional seven years - this is required by my professional indemnity insurance. After this time the information will be permanently removed from my records and destroyed.
     

My lawful basis for holding and using your personal information

The GDPR states that I must have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which I am processing your data.
 

  • When you contact me to make an enquiry, and when you are currently in therapy, I will process your personal data as is necessary for the provision of my services and performance of the therapy agreement.
     

  • When your therapy has ended, I will use legitimate interest as my lawful basis for holding and using your personal information.
     

The GDPR also ensures that I look after appropriately any sensitive personal information that you may disclose to me. This type of information is called ‘special category personal information’.
 

  • The lawful basis for me processing any special categories of personal information is that it is for provision of health treatment (in this case therapy sessions) and necessary for a contract with a health professional (in this case, a contract between me and you).
     

Your rights

  • You are entitled to access to your personal information that I hold; you have the right to ask me to correct it, delete it, to limit how I use it, or to request me to stop processing it. You also have a right to ask for a copy of any information that I hold about you and to object to the use of your personal data in some circumstances. You can read more about your rights at ico.org.uk/your-data-matters.
     

  • Any requests to view, amend or delete you information must be made in writing to me at coswaycbt@pm.me and will be actioned within one month of receipt.
     

  • If you have a complaint about how I handle your personal data please do not hesitate to get in touch with me by writing to me at coswaycbt@pm.me.
     

  • If you want to make a formal complaint about the way I have processed your personal information you can contact the Information Commissioner’s Office (ICO) which is the statutory body that oversees data protection law in the UK.
     

In the event of a data breach

  • I have a legal obligation to report any data breach of your information both to yourself and to the Information Commissioner’s Office (ICO) within 72 hours of the breach occurring.

Disclosure of your personal information

  • In the event of my incapacity or death your personal contact information will be disclosed to the executor of my Professional Will so that they can notify you and support you in next steps. In the event of my death my executor, having first notified you of the fact, will then destroy all contact information and notes on my computer.
     

  • In the event that I have concerns that you may be a risk to yourself or to anyone else, I may need to break the confidentiality of our agreement. If this occurs I will discuss it with you and make the appropriate recommendations. These will be documented in the session notes. In the case of an emergency situation I will contact the relevant authorities in order to meet my duty of care for your safety and secure the appropriate support that you need.
     

  • There are certain circumstances under which I am under a duty to disclose or share your personal data in order to comply with legal obligations. For example, if I am subpoenaed to court, or as a legal requirement such as safeguarding children or vulnerable adults, terrorism or money laundering.
     

Consent to the GDPR agreement

  • Your use and undertaking of the services of Sarah Cosway, operating as CoswayCBT, constitutes your approval and acceptance of this agreement, and consent to my use and storage of your personal information as detailed above. You have the right to withdraw your consent at any time.

  • Facebook
  • Instagram
  • Threads
  • Linkedin
bottom of page