Privacy/Data Protection Policy
Duprey Psychology Ltd. is committed to using your data in a responsible and secure way, complying with the terms of the General Data Protection Regulation (GDPR).
Duprey Psychology Ltd. provides psychological services, including psychological assessments, therapy, consultation and supervision. We respect the privacy of our clients and will only collect and retain personal and sensitive information that enables us to perform our services.
The purpose of this data protection policy is to let you know what personal information we collect, why we collect this data, how long it is retained, why it might be shared with another party and what your rights are regarding this data.
If your questions are not fully answered by this policy, please contact Dr Jennie Duprey. If you are not satisfied with the answers from Dr Duprey, you can contact the Information Commissioner’s Office at www.ico.org.uk.
What personal information we collect
In order for us to be able to provide you with our services, we need to collect the following information:
- Your name
- Your contact details, including a postal address, phone number and email address
- Personal information relevant to your health assessment / therapeutic plan
This information will either be collected directly from you or from a third party professional, such as a Social Worker or solicitor. We may also need to gather information from another health care professional (such as your Doctor) to provide a complete health assessment.
Why we collect your personal information
- We collect your personal information so that we know who you are and can communicate with you in a personal way.
- We need to be able to verify your identity so that we can be sure we are dealing with the correct person.
- We need your personal information so that we can deliver a service to you.
How we use the information you provide
- To communicate with you about appointments. All emails we send will contain a privacy statement.
- To deliver our services to you we need to use your name, contact details and any personal information that is relevant to your health assessment / therapeutic plan.
- To create an invoice for our services we will use your name and contact details.
Where we keep the information
- In our database, stored in Dropbox Plus (a secure cloud-based storage service).
We use Dropbox Plus to store your personal data and to share it with a third party if necessary, such as an Associate. Dropbox Plus is a GDPR-compliant service. We keep your personal data stored in an individual Dropbox folder. It includes information from third parties, such as Social Workers or solicitors, notes from our assessment or therapeutic sessions, as well as standardised assessments or questionnaires we might complete together, and audio/video recordings from appointments. It also includes any written reports, containing all the information that we gather, our findings and conclusions.
We use personal computers, located on private premises. The computers are password-protected. Your personal data will not be stored directly on these computers, but on the cloud-based service.
- In a locked cabinet on private premises
We need to write notes when we meet with you. Some assessments and forms are also hand written. These notes, assessments and forms are a necessary part of our assessment and therapeutic services and help us to create our report or therapeutic plan. The paperwork is stored in a locked cabinet.
How long we keep the information
- Video and audio recordings for assessments will be deleted at the conclusion of the care proceedings/case to which they relate or, if related to therapeutic services, retained for a maximum of six months following the conclusion of the therapy.
- Other documentation related to assessments (including court bundles and medical records) will be retained until the end of the final hearing/conclusion of the case. Paper documents will be destroyed by a confidential waste destruction service.
- We keep your Patient Record (which includes any reports, notes and assessments written by us) for seven years (or seven years after the age of 18). This is the guideline given by the British Psychological Society (BPS). After this it will be deleted. Paper documents will be destroyed by a confidential waste destruction service.
- We keep your electronic invoice for seven years, as this is the required duration to comply with HMRC requirements. After this it is deleted.
- In accordance with this data retention schedule there may be occasions when data is not destroyed due to ongoing investigation, litigation or enquiry. In these instances, the data will be deleted upon confirmation that it is no longer required.
- On some occasions anonymised personal data will be retained whereby a client has provided a testimonial for use on the organisation’s website. When data is non-identifiable, GDPR law is no longer applicable. Non-identifiable means that if this data was left on a bus, no one, including the data subject would be able to identify that this data was relating to them.
Who we send the information to
Duprey Psychology will only share information about you with other organisations or people in the following circumstances:
- Consent: We may share information with relevant medical professionals or others whom you have requested or agreed we need to contact.
- Serious harm: We may share your information with the relevant authorities if we have reason to believe that this may prevent serious harm being caused to you or another person.
- Compliance with law: We may share information when the law requires us to, for example, safeguarding, terrorism, or serious crime.
- In the event of Dr Duprey's death: A named colleague would be able to access the contact details to notify clients. Further information about this is provided below.
- Supervision: It is an ethical requirement for any clinician offering psychological services to have regular supervision. Any supervisor used is an accredited member of the relevant professional body and works within their ethical framework and in a GDPR-compliant way.
- Video and audio recordings may be shared with an Associate Psychologist for coding or transcribing interviews, with a Supervisor or with the Lead Solicitor if requested by Court. Videos and audio recordings are sent via WeTransfer. WeTransfer is GDPR compliant, which means the content of videos is encrypted user to user i.e. from us to the lead solicitor. Once the files are safely stored, they can only be accessed using the unique links sent to sender and recipient.
- If a Solicitor, Agency or Social Worker has instructed the work, we will communicate with them via email. Court Reports are sent to the Lead Solicitor electronically as password-protected email attachments.
Website visitors
When an individual visits www.dupreypsychology.com, Google Analytics is used. Google Analytics is considered a third-party service and collects information about what visitors do when they visit the website, e.g. which page they visit the most. Google Analytics only collects non-identifiable data, which means neither Google nor Duprey Psychology Ltd. can identify who is visiting.
www.dupreypsychology.com is hosted by Name Cheap. Name Cheap is GDPR-compliant and their privacy policy can be found at https://www.namecheap.com/blog/namecheaps-new-privacy-policy/
Data Breach
In the case of a data breach, Duprey Psychology Ltd. shall comply with the regulations set out under Article 33 of the GDPR as stated below:
- In the case of a personal data breach, the data controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the individual. Where the notification to the ICO is not made within 72 hours, it shall be accompanied by reasons for the delay.
- The notification referred to in paragraph 1 shall at least:
- describe the nature of the personal data breach including where possible, the approximate number of data subjects concerned and the categories (e.g. session notes, phone numbers)
- communicate the name and contact details of the data controller where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
- In the event that a data breach will likely cause a risk to the rights and freedoms of client data, the data controller must communicate the nature of the breach in clear, concise and plain language, to the client/s involved, without delay.
- If a breach occurs but the data controller has gone to appropriate lengths to protect the data held on the client (e.g. password encryption of electronic files), or if the data controller has taken subsequent action to prevent the risk (e.g. immediately blocking a mobile device) then notifying the client will not be required.
Subject Access Request
A Subject Access Request (SAR) permits individuals to request a copy of their personal information.
A SAR must be acted upon within one month, at the most within two months; any longer and a reasonable reason must be provided. There are no fees unless there is a disproportionate fee to the organisation for sending out the information. Application for a SAR should be held alongside session records, unless application was made after eight years of the end of treatment, in which case the SAR will be held for a further two years after closure of the SAR.
A SAR request will include information we hold about you. Duprey Psychology Ltd. will:
- give you a description of the information;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
SAR requests should be put in writing to Duprey Psychology Ltd. A response may be provided informally over the telephone with your agreement, or formally by letter or email. If any information held is noted to be incorrect an individual can request a correction be made to their own personal information. If you wish for your data to be provided to another service provider, you may also request this in writing. We may have a legal basis to continue to hold your data and will notify you of this if that is the case.
Right to Erasure
Any person may put in a request for their personal data to be removed (the ‘right to be forgotten’ or the ‘right to erasure’). In this instance hard copy data will be shredded using a confidential shredding company and any electronic data will be permanently deleted. The client will be notified of the completion. The request for deletion of data and the confirmation of completion will be held securely until eight years after the request was made. In some instances our supervisory body, insurance company or HMRC may require us to lawfully hold your files until the end of their retention period.
Safeguarding your privacy
In the event of my death or sudden illness, a named colleague will contact existing clients and archive any client files in accordance with GDPR. This may mean shredding any hardcopy documents, deleting electronic files, or retaining the files in a GDPR-compliant way for the duration of the retention period, as detailed in this document.
Complaints
Duprey Psychology Ltd. aims to meet the highest quality standards when processing personal and sensitive data. Complaints can help identify areas for improvement and therefore we would welcome you raising any concerns you have.
If you feel you would like to make a complaint about how your personal and sensitive data is handled by Duprey Psychology Ltd. you can contact us directly. In the event that we cannot resolve the complaint to your satisfaction you can contact the ICO.
This is a live document and may be updated at any time to reflect changes in law or growth of the business and therefore should be revisited regularly to check for any updates. We are fully committed to ensuring client privacy and data protection rights.
For the purpose of this policy Dr Jennie Duprey is the named Data Protection Officer/Controller and Head of Organisation.
Updated: July 2024