Data Protection Policy | Severnside Institute for Psychotherapy

Severnside Institute for Psychotherapy (SIP) will ensure that it complies with both the law and ethical practice in all its dealings with personal data which it holds on individuals. In particular, SIP will respect the rights of individuals and be open and honest with those whose data is held, provide appropriate training and support for staff and members who handle personal data and follow the data protection principles of good information handling which are set out in the General Data Protection Regulation (GDPR) (EU) regulation on data protection and privacy.

Definitions

SIP	means Severnside Initiative for Psychotherapy, a registered charity (1079390) and Severnside Institute for Psychotherapy, a limited company (03799698).
GDPR	means the General Data Protection Regulation.
Register of Systems	means a register of all systems or contexts in which personal data is processed by SIP.

Data protection principles

SIP is committed to processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to individuals;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

General provisions

This policy applies to all personal data processed by SIP.
This policy shall be reviewed at least annually.
SIP shall register with the Information Commissioner’s Office as an organisation that processes personal data; our ICO Registration number is ZA065119.

Lawful, fair and transparent processing

To ensure its processing of data is lawful, fair and transparent, SIP shall maintain a Register of Systems.
The Register of Systems shall be reviewed at least annually.
Individuals have the right to access their personal data and any such requests made to SIP shall be dealt with in a timely manner.

Lawful purposes

All data processed by SIP must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
SIP shall note the appropriate lawful basis in the Register of Systems.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in SIP’s systems.

Data minimisation

SIP shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

SIP shall take reasonable steps to ensure personal data is accurate.
Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

Archiving / removal

To ensure that personal data is kept for no longer than necessary, SIP shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
The archiving policy shall consider what data should/must be retained, for how long, and why.

Security

SIP shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
When personal data is deleted this should be done safely such that the data is irrecoverable.
Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, SIP shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).

Why we keep data

Members and Associates

SIP keeps personal data, including names, addresses, and contact details, in order to process members’ professional accreditation and academic journal subscriptions, as well as contacting members and associates with professional development opportunities and opportunities within SIP. We also keep information on insurance details and clinical trustees for purposes of good governance.

This data is stored in a secure CRM, Insightly, as well as a secure Microsoft SharePoint site, both of which are accessible only to staff members and officers of SIP.

If membership of SIP ceases, we retain this information for a minimum of seven years in case of a professional complaint.

The legal base for processing this information is Contractual. That is, processing is necessary in order to meet the contractual obligations to our membership.

Trainees

SIP keeps personal data, including names, addresses, and other contact details, in order to meet training commitments, invoicing for training as necessary, processing academic journal subscriptions, and circulating professional development opportunities and opportunities within SIP.

This data is stored in a secure CRM, Insightly, as well as a secure Microsoft SharePoint site, both of which are accessible only to staff members and officers of SIP.

Entries to the online ‘Fundamentals of Psychoanalytic Thought and Practice Application’ form will be saved on our WordPress website for a maximum of 12 months in order to process payments safely and securely. Entries will only be accessible to SIP staff.

When trainees graduate and become members of SIP, we will retain personal contact information to meet our new obligations under membership as in the previous section. Student Associates (that is, trainees who undertake clinical work as part of their training) who do not become members of SIP for any reason, will have their personal data retained for a minimum of seven years (including name and dates of training) in case of a professional complaint.

The legal base for processing this information is Contractual. That is, it is necessary in order to meet SIP’s contractual obligations to each trainee.

Friends of Severnside Mailing List

This is made up of previous attendees at events, former members and trainees who have expressed an interest in SIP’s work, as well as selected staff members at relevant partner organisations. It is used to publicise events run by SIP.

Mailing list data is stored in a secure email marketing platform (accessible only to SIP staff members and officer), MailerLite, with an option for recipients to unsubscribe at any point included in all communications.

The legal base for processing this data is Legitimate Interests.

Prospective training patients referred through SIP’s CRS

Trainee psychotherapists work with patients, assessed for suitability, who have agreed to see a therapy in training, often at a reduced fee – these are often referred to as ‘Training Patients’. SIP requires prospective training patients to provide personal information including names, address, and details relating to their requests for consultation. This information is passed on to an Area Representative (a fully qualified therapist and Member of SIP), who may use it in referring the patient to a therapist for ongoing sessions.

This information is stored by SIP for a minimum of six months and maximum of twelve months (from the first date of contact) on a secure Microsoft SharePoint site, accessible only to staff members and officers of SIP. SIP’s Area Representatives will immediately destroy any identifying data, including any notes taken during a consultation, following a referral to a therapist in training for ongoing sessions.

Once a patient has been referred to a therapist in training for ongoing sessions, the protection of any information and/or details shared with a therapist would be addressed by the therapists’ own Data Protection, Confidentiality and GDPR policies as a self-employed practitioner.

The legal base for processing Training Patients’ data is by consent; Training patients who have come through SIP’s Consultation & Referral Service (CRS) provide consent to the above use of their information when the Training Patient completes SIP’s referral request form.

Please note: Trainee therapists make anonymised clinical notes which will be shared with their supervisor, and occasionally other clinical trainees during a supervision meeting. Trainees also write anonymised clinical reports for the purposes of continuous assessment and final qualification. Training patients’ personal data will also be held by the Clinical Trustees of the trainee for purposes of ensuring continuity of care and responsible governance in cases where a trainee is unable to carry out their duties.

Prospective patients referred through SIP’s CRS

SIP requires prospective patients to provide personal information including names, address, and details relating to their requests for consultation. This information is passed on to an Area Representative (a fully qualified therapist and Member of SIP), who may use it in referring the patient to a therapist for ongoing sessions.

This information is stored by SIP on a secure Microsoft SharePoint site for a minimum of six months and a maximum of twelve months (from the first date of contact), accessible only to staff members and officers of SIP. SIP’s Area Representatives will immediately destroy any identifying data, including any notes taken during a consultation, following a referral to a therapist for ongoing sessions.

Once a patient has been referred to a therapist for ongoing sessions, the protection of any information and/or details shared with a therapist would be addressed by the therapists’ own Data Protection, Confidentiality and GDPR policies as a self-employed practitioner.

The legal base for processing prospective patients’ data is by consent; which is obtained when the prospective patient completes SIP’s referral request form.

Prospective patients referred through Orchard Therapy

SIP requires prospective Orchard Therapy patients to provide personal information including names, addresses, and details relating to their application to access therapy through the scheme.

This information is stored by SIP for a minimum of six months and a maximum of twelve months (from the first date of contact) on a secure Microsoft SharePoint site, accessible only to staff members and officers of SIP. Area Representatives will immediately destroy any identifying data, including any notes taken during a consultation, following a referral to a therapist for ongoing sessions.

Once a patient has been referred to a participating Orchard Therapy therapist for ongoing sessions, the protection of any information and/or details shared with a therapist would be addressed by the therapists’ own Data Protection, Confidentiality and GDPR policies as a self-employed practitioner.

The legal base for processing prospective patients’ data is by consent; which is obtained when the prospective patient completes Orchard Therapy application form.

Employees

SIP keeps data including tax and salary records, as well as contracts, training, performance appraisals, disciplinary, and grievance records on emoloyees. Employee records are held for a minimum of three years and a maximum of six years from the termination of their employment.

This information is stored in a secure online HR platform, Citrus HR, and on a secure Microsoft SharePoint site, both of which are accessible only to staff members and officers of SIP.

The legal base for processing this information is Contractual.

Trustees

SIP keeps data including names and address and other relevant information of its trustees and other officers and may pass this information to legal bodies such as the Charity Commission and Companies House. This information may be held in the official company records while the company is still active and operating.

The legal base for processing this information is Public Tasks.

Your data protection rights

Under data protection laws, you have rights over any personal information stored on you. You may wish to request copies, request that it be changed ir corrected, ask us to change the way we handle it or have it destroyed from our records entirely.

If you want to do any of the above, please contact our office via the details below, and we will respond to you as soon as possible.

Use of cookies

Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved.

Some cookies may last for a defined period of time, such as one day or until you close your browser. Others last indefinitely. When you first visit our website, we ask you whether you wish us to use cookies. If you choose not to accept them, we shall not use them for your visit except to record that you have not consented to their use for any other purpose. If you choose not to use cookies or you prevent their use through your browser settings, you will not be able to use all the functionality of our website.

The table below explains the types of cookies we use on our website and why we use them.

Category of cookies	Why we use these cookies
Strictly Necessary	These cookies are essential for websites on our services to perform their basic functions. These include those required to allow registered users to authenticate and perform account related functions.
Functionality	These cookies are used to store preferences set by users such as account name, language, and location.
Security	We use these cookies to help identify and prevent potential security risks.
Analytics and Performance	Performance cookies collect information on how users interact with our websites, including what pages are visited most, as well as other analytical data. We use these details to improve how our websites function and to understand how users interact with them.

Links to other websites and third party content

Please note that SIP does not endorse, or hold any responsibility for, the content (or information contained within) any linked website.

How to contact us

We are registered with the UK Information Commissioners Office (ICO) – our registration number is ZA065119.

If you have questions or concerns about our privacy practices, your personal information, or if you wish to file a complaint, you can contact us; by email administrator@sipsychotherapy.org, by calling us on 0117 9273898, or by writing to us at the address below:

FAO: SIP Executive Committee
11 Orchard Street
Bristol, BS1 5EH
United Kingdom