Appropriate policy

 

Dr Sue Cotton, Chartered Clinical Psychologist

Data Protection Act 2018, Schedule 1 Part 2 Paragraph (18)

Introduction

As your therapist I will always aim to work collaboratively with you. The content of the session is confidential between us, although I will discuss our work with my supervisor without revealing your name. In extreme circumstances where I believe there is a significant risk to you (e.g. suicide) or to someone else (e.g. child protection), I may have to contact other professionals (e.g. your GP) without your consent, but I will always try to inform you first if I need to do this. This document provides you with information about the legal context under the GDPR for the processing of your personal information in these circumstances.

1.    Definitions

“Normal Data”, also referred to as ‘Personal Data’, means any information relating to an identified or identifiable natural person (‘Data Subject’), by reference to an identifier such as a name, a telephone number, home address and date of birth.

“Special Category Data (SCD)(SC)” is any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation.

“Criminal Offence (CO)” data is personal data relating to criminal convictions and offences or related security measures. Processing of such data based on Article 6(1) shall be carried out only under the control of official authority or when there is an exception listed under the GDPR.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available.

“Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.  In the case of a contract between a therapist and client in private practice, the therapist is the "data controller."

“Data Concerning Health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2.    Appropriate Policy Document

The Data Protection Act 2018 (DPA 2018) outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category (SC) and criminal offence (CO) data under certain specified conditions.

This document is intended to demonstrate that my processing of SC and CO data based on these specific Schedule 1 conditions is compliant with the requirements of the General Data Protection Regulation (GDPR) Article 5 Principles.

Reliance on one of these conditions requires a documented general record of processing activities under GDPR Article 30, which must include:

(a)    The condition which is relied upon.

(b)    How the processing satisfies Article 6 of the GDPR (lawfulness of processing).

(c)   Whether the personal data is retained and erased in accordance with the retention policies outlined in this APD, and if not, the reasons why these policies have not been followed.

The APD therefore complements the general record of processing under Article 30 of the GDPR and provides SC and CO data with further protection and accountability. This is in accordance with Schedule 1 Part 4 paragraph 41.

The APD will be kept under review and will need to be retained for six months after the date at which the relevant processing ends. If the Commissioner asks to see this policy, it will be provided free of charge in accordance with Schedule 1 Part 4 paragraph 40.

3.          Accountability and the principles of data protection law

I am required to process your data in accordance with the principles of the law. These principles include:

3.1       Ensuring lawfulness, fairness and transparency.

3.2       The purpose for processing is limited to the reason for initially collecting the data.

3.3       The extent of the data to be processed is minimized.

3.4       To the best of my knowledge, the data is accurate.

3.5       Data is only retained for as long as I have a legal obligation or there is a necessity to keep it.

3.6       As far as is possible, I secure the data with adequate safeguards and procedures.

3.7       I am accountable for the data and have instigated the following measures to ensure I can demonstrate this:

3.7.1     Wherever possible, I take a data protection ‘by Design and default’ approach to my work.

3.7.2     I maintain records of data processing activities.

3.7.3     Where necessary I have appropriate arrangements in place with those that I may share information with, such as my supervisor.

3.7.4     My physical and cyber security arrangements are regularly reviewed and updated where necessary.

3.7.5     I regularly review my accountability requirements.

4.          Description of Processing Activity

When I deliver services to you, I process normal data and Special Category (SC) data as defined in the GDPR Article 9. In order to deliver services to you it may be necessary to process a broad range of categories of data including information about your physical and psychological health. My processing activities may also include personal information identifying other important people in your life such as your partner, family members or friends.

5.          Upholding Rights and Principles

In some circumstances, I will be unable to uphold or acknowledge some of the rights listed in, and in accordance with, the Data Protection Act 2018, such as:

  • The right to be informed.

  • The right to be forgotten.

  • The right of access.

  • The right to restrict processing.

  • The right to object.

  • Complying with the principles.

DPA 2018 Schedule One, Part 2; Section 18 – Safeguarding of children and of individuals at risk

When working with you, I seek where possible to process data with your Explicit Consent in accordance with the GDPR Article 7. However, when this is not possible and I have a professional or legal obligation to protect you or someone else from harm, I can apply a condition known as the DPA 2018 Schedule One Part 2 Section 18 to safeguard either children or adults at risk.

6.          Justification for processing data using an exemption

There are two situations in which I can apply the DPA 2018 Schedule One Part 2 Section 18.

Reason 1:

Section 18(1)(b)(i)(ii) states that I can use your personal information without your consent when either:

  • In the circumstances consent to the processing cannot be given by the data subject.

  • The controller i.e. therapist, cannot reasonably be expected to obtain the consent of the data subject to the processing, and the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection being provided.

  • The processing is necessary for reasons of substantial public interest.

Reason 2:

When the controller i.e. therapist, has reasonable cause to suspect that the individual or a third party is experiencing, or at risk of, neglect or physical, mental or emotional harm, and as a result is unable to protect himself or herself against the neglect or harm or the risk of it.

Review Date:  July 2024