Writing a Privacy Policy as a Private Practitioner
A Privacy Policy is a statement that tells your clients, customers, or service users how you collect their personal information and what you do with it. Privacy and confidentiality of client information is crucial in any industry, but particularly in health services due the nature of the information they collect. As a therapist, counsellor, or any other kind of private practitioner, you will know how important it is to keep your clients' personal information secure. Being open with your clients about how you use and store their data is a good way to show them that you care about their information, but it is also a requirement under the UK General Data Protection Regulation [1]. The Data Protection Act (2018) states that those who handle personal data are required to make sure the information is:
used fairly, lawfully, and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant, and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage [2]
A privacy policy should provide clients with an explanation that covers these points, so that they can understand how their data is being handled and why. Before writing your privacy policy, it may be useful to carry out an audit of your data management processes to ensure that you are fully GDPR compliant. This would involve going over how you collect, store and use different types of data in your practice. As you are doing this, consider each point you need to cover in the Privacy Policy so that you have all the correct information to include when it comes to writing it. The key information you need to include in your privacy policy is described below.
What data you are collecting – this may include name, contact information such as email address and/or phone number, as well as their medical or treatment history and details of psychological difficulties. It may be helpful to indicate whether this information is obtained from the client themselves or from a third party such as a GP, Psychiatrist or medical insurer on the client’s behalf.
Why you are collecting their data including the “lawful reason”, e.g., for providing safe, and professional mental health treatments such as psychological assessments and therapy. Also, for contacting clients about future appointments, treatment fees or in case of needing to refer them to a third party for further support.
How you collect their data, e.g., through online sign-up forms, or from communications via email, over the phone, or in writing, as well as in the notes you write about their treatment sessions.
How you store their data – if a physical copy of the information is kept in person, where this is stored, e.g., filing cabinet or locker. If the information is kept digitally, where it is stored, e.g., on a password protected device or on an encrypted cloud storage platform. This should include emails and texts.
How you use their data, e.g., to arrange and book assessments or therapy sessions, to help plan treatment, to create and send invoices and keep payment records, and/or to pass on information to third parties if necessary.
Who has access to their data, e.g., you as the therapist, any practice managers who may access the information where relevant. This also includes if it is shared with third parties – including the reasons why you may share their data, for example if there are concerns about a client’s wellbeing or for further referrals.
How long you will keep their data – It is a legal and professional requirement that health records must be kept securely for 7 years after treatment ends, or 7 years after the client turns 18 if they are a minor.
You should also mention any data collected through cookies on your website, if you have one. The reason for collecting them is likely to be for the purpose of website functioning but there may be other purposes, such as for the analysis of website use, that you should list. You may also want to let clients know about how they can manage the use of cookies on your website by using your cookies consent mechanism.
Your privacy policy should also provide clients with an explanation of their rights, which include:
- The right to be informed about how their data is being used
- The rights to access, update, erase, or restrict the processing of their data
- The right to object to how their data is processed in certain circumstances
In the context of mental health treatment, this means that clients can request to see their therapist’s notes. You should indicate how they can make this request and how long you are likely to take to fulfil it as you will need to remove any information about third parties. Clients can also make requests to update and erase data in some circumstances but therapists will need to make judgements about which circumstances will allow this and reflect with clients on the potential implications of doing so. Furthermore, clients can make requests about how their information is processed, but therapists may need to think about how this affects their ability to offer their services. It may be helpful to allude to some of these caveats.
Finally, your privacy policy must contain information about you, including your practice name and contact details, including your email address and the physical address of your workplace. This is so that your clients or customers can contact you in case they have any questions or concerns, or if they would like to make a complaint about a breach of their data. It is good practice to plan regular reviews of your policy alongside your reviews of your GDPR procedures. This will help to ensure that the information included in it is always up to date and as such that you are fully compliant with data protection regulations.
References and additional links: