Privacy Policy
Privacy Policy
Updated August 2024
Matthew Barnard’s business activities – therapy, counselling and training are conducted through Reflectivity Ltd (company number 13091503). Matthew Barnard is the data processor and data controller for the company. The company is a registered member of the Information Commissioning Office (https://ico.org.uk/) and as such abides by the General Data Protection Regulation (GDPR) and The Data Protection Act, 2018 (DPA). Reflectivity Ltd reference number is ZB385788.
I have a duty to make my clients aware of the following:
Reason for collecting Personal Data/Information
I collect relevant personal information from clients to enable a working record of contact information, in case of emergencies (explained below) and for the ongoing work in the therapeutic relationship.
Confidentiality
I am bound by the BACP Ethical Framework for the Counselling Professions, BACP Ethical Framework for the Counselling Professions Supplementary Guidance: Working Online (GPiA 047), UKCP Ethical Framework , ACTO Ethics and Professional Conduct, EMDR Association UK which comes under the EMDR Europe Association Ethical Framework.
Our sessions are strictly confidential, and the contents will not be disclosed beyond good practice guidelines.
(Please read my separate document – Confidentiality and Its Limits)
· Under the GDPR I am legally obliged to disclose data if you are involved in money laundering, planning terrorist’s offences or if a Court Order has been made a request.
· Where there is suspicion of illegal or terrorist activities disclosed in counselling/therapy, the police and other authorities can ask for access to an individual’s e-mail account or synchronous messaging account. They can also ask me for access to stored records. I am unable therefore to maintain confidentiality in these circumstances.
How will my personal data be stored and for how long?
· Retention and storage of personal data will be as minimal as is possible and will only be relevant to the provision of counselling or supervision.
Your rights
Under the Data Protection Act 2018, you have the right to find out what information I store about you. This includes the right to:
- be informed about how your data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of your data
- data portability (allowing you to get and reuse your data for different services)
- object to how your data is processed in certain circumstances.
What Information do I collect?
I collect and process, in different ways, the following information:
- Your name and address;
- Your phone number and e-mail address;
- Dates and times of our meetings;
- The name and contact details of someone you know & trust who knows that you are in therapy with me (a ‘Emergency Contact’);
- The name and contact details of your GP (or primary doctor);
- Brief notes of our sessions;
- E-mails and texts;
- Details of our financial transactions (invoices, receipts, BACS transfers etc.).
Why do I keep this information?
- Your name and address:
- I am required to keep this by my professional body (UKCP, BACP, ACTO, EMDR Association UK).
- Your phone number and e-mail address;
- I need this if I need to contact you between sessions, which is usually for arranging appointments. Unless you are accessing e-mail therapy or you have registered to a receive monthly newsletter.
- Dates and times of our meetings:
- This is needed for my own organising of time
- It is a requirement of my professional body and insurance company.
- Emergency Contact:
- This is a matter of safety and part of my responsibility for your welfare;
- Contact with this person (who should be an adult) would only take place in an emergency – almost always only after discussion with you.
- The name and contact details of your GP (or primary doctor);
- This is a matter of safety and part of my responsibility for your welfare;
- Contact with your doctor would only take place
- At your request, or
- in an emergency, to protect your safety – and almost always only after discussion with you.
- Brief notes of our sessions:
- I need to keep notes in order to refresh my memory about our work;
- I need to keep notes in order to inform my clinical supervision;
- It is a requirement of my professional bodies and my insurance company.
- E-mails and texts:
- E-mails and texts are part of the record of our out-of-session contacts, which often frame the work.
- Details of our financial transactions (invoices, receipts, BACS transfers etc.):
- I am required to keep this for tax (HMRC) and accountancy purposes.
- We also need an accurate record of our transactions to keep our financial agreements transparent and accurate.
- It is technically possible for my Accountant to see your name, address and financial details. Although typically the accountant only needs to access reports, and not individual invoices. I use Quickbooks Online to handle the finances and Boffix Ltd for accountancy.
How do I keep this information?
I keep all information in a password protected electronic format on an encrypted hard drive which is locked away when not in use. Paper documents are scanned, and then password protected as a PDF. Wherever possible, I use a coding system to identity which documents refer to which clients.
The list below details what I store electronically, and who has access to what material. All paperwork, if printed is scanned electronically and the original paperwork is shredded securely. Rarely if at all, is paperwork printed or kept.
Your name and address:
- Only seen by me, with the exception detailed in ‘Details of our financial transactions (invoices, receipts, BACS transfers etc.)’
- This provided by you and is kept electronically in accordance with GDPR.
- This information is also stored in my Power Diary account an online Quickbooks account. See the section below entitled ‘Details of our financial transactions (invoices, receipts, BACS transfers etc.)’
Your phone number and e-mail address:
· Only seen by me, with the exception detailed in ‘Details of our financial transactions (invoices, receipts, BACS transfers etc above.)’
· This is provided by you and is kept electronically. I use Microsoft Outlook and Power Diary for appointment communication. I use Protonmail for e-mail therapy sessions which offers enhanced encryption.
- Your contact details are stored on my phone as initials. The phone is password protected and is only used by Matthew Barnard.
- My phone is locked and protected with Apple’s face I.D.
- I delete your phone number from my phone after you have made the final payment.
Dates and times of our meetings:
· Only seen by me.
· Recorded electronically in my Power Diary calendar
Emergency Contact:
· Only seen by me.
· This provided by you and is kept electronically on Power Diary.
The name and contact details of your GP (or primary doctor):
· Only seen by me.
· This provided by you and is kept electronically on Power Diary.
Brief notes of our sessions:
- Typically, only seen by me. I may share the content of the notes in Clinical Supervision. My supervisor only has a first name, generalised, non-identifiable information about my clients.
- Please note that in certain circumstances, therapists have the right to withhold notes or parts of notes, subject to a court order.
- Initial notes may be hand written, but then scribed on electronically on Power Diary. The original hand written notes are shredded securely once this has happened. The handwritten notes are kept securely until this transfer has taken place.
E-mails and Text Messages:
· Only seen by me.
· E-mails for appointment times are managed through Proton Mail and Power Diary which are systems that are GDPR compliant.
- E-mails and Text Messages are accessed through a personal laptop and mobile phone that is only used by Matthew Barnard. It is password/Face-ID protected.
Details of our financial transactions (invoices, receipts, BACS transfers etc.):
- Invoices/receipts are kept in securely through the Quickbooks Online Service.
- Bank statements from the Reflectivity Ltd Business Bank Account held at Starling Bank are not typically downloaded or printed as they are synchronised with Quickbooks to match transactions.
- An accountant at Boffix Ltd, has access to the online Quickbooks account. Does not tend to look at individual invoices, uses report data but it’s worth making you aware that an accountant does have the capacity to do so. A journal logs what has been accessed. The accountant typically accesses the Quickbooks account once a year to prepare paperwork for Companies House and the HMRC for tax purposes.
Please note:
I have formulated a ‘Professional Will’ and appointed a ‘Therapeutic Executor” in which comes into effect should I be incapacitated and unable to manage my affairs, temporarily or permanently. This ensures that responsible people will manage the informing of clients and advising on future care.
How long is this information kept and how will it be destroyed?
Your name and address:
- My professional body and insurance company recommend that this information is kept for seven years from the end of therapy;
- At that point the information will be securely deleted.
- Your phone number and e-mail address:
- My professional body and insurance company recommend that this information is kept for seven years from the end of therapy;
- At that point the information will be securely deleted.
· Dates and times of our meetings:
- My professional body and insurance company recommend that this information is kept for seven years from the end of therapy;
- Emergency Contact:
- This is deleted after seven years.
- The name and contact details of your GP (or primary doctor):
- My professional body and insurance company recommend that this information is kept for seven years from the end of therapy.
- Brief notes of our sessions:
- My professional body and insurance company recommend that this information is kept for seven years from the end of therapy.
- E-mails and texts:
- My professional body and insurance company recommend that this information is kept for seven years from the end of therapy;
- At that point e-mails will be securely deleted;
- Computers to be disposed of will be securely cleared and ‘returned to factory settings’;
- Phones no longer used will be securely cleared and ‘returned to factory settings’.
- Details of our financial transactions (invoices, receipts, BACS transfers etc.)
- It is recommend that this information is kept for seven years from the end of therapy.
Should you wish for further information, please do speak with me.
Data stored electronically:
E-mail address – Stored in contacts as initials on my phone. Stored on Quickbooks Online and Power Diary.
Contact phone number – Stored in contacts as initials on my phone. Stored on Quickbooks Online and Power Diary.
Text messages – Please be aware that if you chose to contact me by text, these messages will be deleted unless they contain significant information.
Significant e-mails signed agreements and contact details are stored within Power Diary.
Personal data/records of our sessions will be kept for up to 7 years after our work together has ended.
Your personal data will be disposed of by wiping any electronic files and shredding any handwritten information. You can also request (in writing) that all data is destroyed during our contact, once our work together ends, or at any time thereafter.
Your rights under GDPR
· You have the right to request access to your client record and receive an explanation of what is held within it. You have the right to withdraw consent, to request erasure or correction of your client record, to request portability, or to object to or restrict collection and processing of your data.
· You have the right to know the source/s of personal data not originating from yourself, and the right to not receive unsolicited marketing.
· You will be made aware of any data breaches within 72 hours.
· You have the right to complain to the ICO (Information Commissioners Office) if you are unhappy with the data processing arrangements, and to engage representation from a not-for-profit body in doing so.
To summarise:
· I collect, store and process personal information about you to enable me to run my practice. This information can include contact information, as well as information about your age, health (mental and physical), and financial arrangements and other special category data. I am able to collect this information upon the legal basis of "Legitimate Interests", as per GDPR regulations.
· Your information is stored anonymously electronically, password and encryption protected. I may use this information to track the progress of our work together or to receive reflection and guidance from my supervisor.
· I will keep this information for up to 7 years. When deleted it will be by wiping electronic files and shredding any handwritten information.
· With regards to how this information is used, you have the right to have information about you deleted, have inaccuracies corrected, the right to access information about you - free of charge - within 1 month, the right not to receive any unsolicited marketing, the right to determine how information about you is processed and the right to complain if you are unhappy about any of the above by contacting the Information Commissioners Office here: https://ico.org.uk/concerns/, I will trust that you will try to discuss this with me in the first instance.
· Should anything happen to me that prevents me from attending a session and from communicating with you directly - such as illness or death - then I have appointed a Therapeutic Executor who would be able to access your contact details to inform you should this situation arise.
Further Information
If you’d like to understand more about how Quickbooks Online, Proton Mail and Power Diary handle data, please visit their respective websites.
Announcement
Welcome!
Please be aware that parts of this site are still under construction.