Privacy Notice & how I protect your data
Sarah Hickman, trading as Sarah Hickman Therapy, is committed to the protection of the privacy of all who come into contact with her. Your personal data is really important to me and I understand how important it is to you. My aim is to be as clear and open as possible about what I do with your personal data and why I do it.
The General Data Protection Regulation (GDPR) - which came into force on May 25th, 2018 - aims to protect the fundamental right to privacy and the protection of the personal data of European Union (EU) citizens. This regulation affects any entity (including websites) that processes EU citizens' personal data.
“Processing” means anything that I do with your personal data – obtaining it, holding it, using it, or passing it on. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
“You” means you as an individual. You are known as the data subject within the context of the GDPR and UK data protection law.
“I” means me, Sarah Hickman. I am the data controller as defined within the context of the General Data Protection Regulation (GDPR) and UK data protection law. This means that I decide how your personal data is processed and for what purposes and am legally responsible for making sure your information is processed correctly and lawfully.
“Data processors” refers to individuals who handle your data; in this instance, that is me, Sarah Hickman.
“Third party” means any individual or organisation outside of Sarah Hickman Therapy.
Who am I?
My website address is www.sarahhickmantherapy.co.uk
I am a sole trader, trading as Sarah Hickman Therapy. I am registered with the Information Commissioner’s Office (ICO).
My contact information can be found at the end of this statement.
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.
It is important that your personal data is kept accurate and up-to-date. If any of the personal data I hold about you changes, please keep me informed as long as I have that data.
What personal data do I process?
I process different personal information depending on how you come into contact with me:
When you come for an initial session: I will record information such as your name, age, occupation, medications and treatments, mental health history, previous counselling experience and other sensitive information which will help me to work safely and effectively with you. I will keep a record of what day and time you will meet with me. I will send you a feedback form to complete at the end of your therapy; however, this is optional.
When you undertake therapy with me: I will record information such as your name, age, GP details, emergency contact information, medications and treatments, mental health history, previous counselling experience and other sensitive information. I also have an obligation to keep brief notes after every session which can be subpoenaed by a court of law.
What do I use your personal data for?
I use your personal data for the following purposes:
To administer my website;
For client consultations;
To seek client feedback;
To deliver therapy services;
To partake in supervision;
To maintain financial records, invoices and payments made;
To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time;
To maintain my own accounts and records;
For personal, administrative and management purposes and to enable me to meet my legal obligations;
To seek your views or comments.
If I wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then I will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, I will seek your prior consent to the new processing.
What is my lawful basis for using your information?
The lawful basis for processing your information falls under 6 main categories; under each, I have given an example.
For compliance with a legal obligation
I have a legal obligation to keep assessment and session notes for clients attending therapy. I also have a legal obligation to keep financial records for HMRC.
To protect the vital interests of you or another person
If you are physically or legally incapable of giving consent but I need to protect your vital interests in an emergency, I may use your personal information. For example, if you are taken seriously unwell whilst at Sarah Hickman Therapy, I may pass on next of kin details or medical information to emergency services.
In the exercise of official authority or in the public interest
For example, if I felt there was a safeguarding issue, I would be required by law to inform the appropriate authorities/bodies.
On the basis of legitimate interest
For example, when you have decided to come to therapy, I will use your information to communicate with you about session times, cancellations, etc.
On the basis of Consent
For most communications, I will only process your information if you have given me explicit consent.
Special Category data (highly sensitive personal data such as mental health history, sexual orientation or ethnic origin)
This data needs more protection. I will only process such data if it meets one of the above categories and one of the conditions below:
the data subject has given explicit consent to the processing of their personal data for one or more specified purposes (for example in a client consultation)
processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
processing relates to personal data which is manifestly made public by the data subject
How secure is your information?
Sarah Hickman and Sarah Hickman Therapy comply with their obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Printed documents are stored securely in a locked filing cabinet and electronic files are kept encrypted. Highly sensitive documents, such as consultation reports, are coded so that they are anonymous. I will store all the personal information you provide for my website on secure password- and firewall-protected servers. However, I must remind you that the transmission of information over the internet is inherently insecure and I cannot guarantee the security of data sent over the internet.
Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared outside Sarah Hickman Therapy if it is absolutely essential. In the following cases I will share information with others:
I will only share your data with other third parties (for example your GP) with your prior consent, or unless required to do so by law.
How long do I keep your personal data?
I endeavour to maintain only data that is relevant, accurate and up to date. I will periodically review the data that I hold and delete data that is no longer relevant to my purpose for processing. I may keep your therapy records for an extended period of time and others permanently if required to do so. For example, I will keep contracts only until the contract ends but I will keep session notes for 7 years from the date therapy concluded as per guidance from my legal and professional bodies.
Your rights and your personal data
1. The right to access information that I hold on you
• At any point you can contact me to request the information that I hold on you as well as why I have that information, who has access to the information and where I obtained the information from. Once I have received your subject access request in writing and proof of your identity, I will respond within one month.
• There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.
2. The right to correct and update the information that I hold on you
• If the data that I hold on you is out of date, incomplete or incorrect, you can inform me and your data will be updated.
3. The right to have your information erased
• If you feel that I should no longer be using your data or that I am illegally using your data, you can request that I erase the data that I hold.
• When I receive your request, I will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because I need it for my legitimate interests or regulatory purpose(s)).
4. The right to object to the processing of your data
• You have the right to request that I stop processing your data. Upon receiving the request, I will contact you and let you know if I am able to comply or if I have legitimate grounds to continue to process your data. Even after you exercise your right to object, I may continue to hold your data to comply with your other rights or to bring or defend legal claims.
5. The right to data portability
• You have the right to request that I transfer some of your data to another controller. I will comply with your request, where it is feasible to do so, within one month of receiving your request in writing.
6. The right to withdraw your consent at any time for any processing of data to which consent was sought
• You can withdraw your consent easily by telephone, email, or by post (see Contact Details).
7. The right to object to the processing of personal data where applicable
• Where I use your personal information to perform tasks carried out in the public interest then, if you ask me to, I will stop using that personal information unless there are overriding legitimate grounds to continue.
8. The right to lodge a complaint with the Information Commissioner’s Office
• If you feel that I have used your information incorrectly or without lawful basis, or you dispute my lawful basis, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
• Please contact me if you wish to exercise any of these rights.
If you have any questions regarding how I process your data, or you would like to make a subject access request, please contact me:
By post: Sarah Hickman, Garden Suite, The Old Mill House, Mill Lane, Uckfield TN22 5AA.
Mobile: 07538 100513 (Monday-Friday 8am-6pm).
I am registered with the Information Commissioner’s Office (registration number ZA772591). You can contact the ICO on 0303 123 1113, via email at https://ico.org.uk/global/contact-us/email/, or by post at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Changes to this notice:
I keep this Privacy Notice under regular review and I will place any updates on my website: