Cognitive Analytic Therapy Hub
Privacy Policy
There are two privacy policies shared below. The first is for this website. The second is the GDPR privacy policy for therapy.
Website Privacy Policy:
This privacy policy explains how we make use of and protect any personal data collected by us or provided by you in relation to your use of the Website. It applies to you, the User of this Website and Cognitive Analytic Therapy Hub, the owner and provider of this Website. We take privacy very seriously and suggest you read this policy carefully.
​
Our website address is: www.cognitiveanalytictherapy.co.uk
​
What personal data we collect and why we collect it:
​
Contact forms
We use contact forms to process bookings, or so that users can get in touch with us. When you submit a contact form, we process the information you submit so that we can reply to your message. Form submissions and subsequent replies may be retained in our email archives.
​
Analytics
We make use of analytics services to evaluate and improve our website’s performance, and to make sure it is working properly for our users. Our Analytics solution does not store cookies on your device and is fully compliant with GDPR.​​
​
Appointment bookings
We use WIX – a third-party appointment booking service – so that you can easily confirm appointments directly in our diary, for available time slots.
To book an appointment, enter the requested data and the desired date in the screen provided. The data entered will be used for planning, executing and, if necessary, for the follow-up of the appointment. The appointment data is stored via WIX.
The data you have entered will remain with us until you ask us to delete it, revoke your consent for storage or the purpose for which the data was stored ceases to apply. Mandatory legal provisions, in particular retention periods, remain unaffected.
​
​​Who we share your data with
​We don’t share personal data with third parties unless it is provided for a function described above. Visitor submissions may be checked through an automated spam detecting service.
​
How long we retain your data
​If you fill in a contact form, the information you submit is retained only as long as is necessary for the purpose it is gathered (mainly to respond to your enquiry), or one year, whichever is shorter.
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
​
What rights you have over your data
If you filled in a contact form on this website, have an account on the site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
​
Contact information
You can contact us using this website if you want to query anything regarding this policy, or how it relates to your data.
Therapy Privacy Policy:
Appropriate Policy Document as required by the General Data Protection Regulation (GDPR).
​
Data Protection Act 2018, Schedule 1 Part 2 Paragraph (18)
​
Introduction
As therapists we will always aim to work collaboratively with you. As
explained in the therapy agreement, the content of the session is confidential
between client and therapist, apart from anonymous discussions in supervision sessions.
In extreme circumstances where it is believed there was a significant risk
to self (e.g. suicide) or to others (e.g. child protection) the therapist may have to contact
other professionals (e.g. your GP) without your consent, but we will always try to inform
you first if we needed to do this. This document provides you with information about
the legal context under the GDPR for the processing of your personal information in
these circumstances.
​
1. Definitions
“Normal Data”, also referred to as ‘Personal Data’, means any information relating to
an identified or identifiable natural person (‘Data Subject’), by reference to an
identifier such as name, a telephone number, home address and date of birth.
“Special Category Data (SCD)(SC)” is any information revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs or trade-union membership,
and the processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health, sex life or sexual orientation.
“Criminal Offence (CO)” means personal data relating to criminal convictions and offences
or related security measures. Processing of such data based on Article 6(1) shall be carried
out only under the control of official authority or when there is an exception listed under the GDPR.
“Processing” any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available.
“Controller” is the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data. In the case of a contract between a therapist and client
in private practice, the therapist is the "data controller."
“Data Concerning Health” means personal data related to the physical or mental
health of a natural person, including the provision of health care services, which
reveal information about his or her health status.
“Consent” of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her.
​
2. Appropriate Policy Document.
The Data Protection Act 2018 (DPA 2018) outlines the requirement for an
Appropriate Policy Document (APD) to be in place when processing special category
(SC) and criminal offence (CO) data under certain specified conditions.
This document is intended to demonstrate that my processing of SC and CO data
based on these specific Schedule 1 conditions is compliant with the requirements of
the General Data Protection Regulation (GDPR) Article 5 Principles.
Reliance on one of these conditions requires a documented general record of
processing activities under GDPR Article 30 and must include:
(a) The condition which is relied upon;
(b) How the processing satisfies Article 6 of the GDPR (lawfulness of processing);
and
(c) Whether the personal data is retained and erased in accordance with the
retention policies outlined in this APD, and if not, the reasons why these policies
have not been followed.
The APD therefore complements the general record of processing under Article 30 of
the GDPR and provides SC and CO data with further protection and accountability.
This is in accordance with Schedule 1 Part 4 paragraph 41.
The APD will be kept under review and will need to be retained for six months after
the date at which the relevant processing ends. If the Commissioner asks to see this
policy, it will be provided free of charge in accordance with Schedule 1 Part 4
paragraph 40.
​
3. Accountability and the principles of data protection law.
I am required to process your data in accordance with the principles of the law.
These principles include:
3.1 Ensuring lawfulness, fairness and transparency;
3.2 The purpose for processing is limited to the reason for initially collecting the
data;
3.3 The extent of the data to be processed is minimized;
3.4 To the best of my knowledge, the data is accurate;
3.5 Data is only retained for as long as I have a legal obligation or there is a
necessity to keep it;
3.6 As far as is possible, I secure the data with adequate safeguards and
procedures;
3.7 I am accountable for the data and have instigated the following measures to
ensure I can demonstrate this;
3.7.1 Wherever possible, I take a data protection ‘by Design and default’
approach to my work;
3.7.2 I maintain records of data processing activities;
3.7.3 Where necessary I have appropriate arrangements in place with those
that I may share information with, such as my supervisor;
3.7.4 My physical and cyber security arrangements are regularly reviewed
and updated where necessary;
3.7.5 I regularly review my accountability requirements.
​
4. Description of Processing Activity.
When I deliver services to you, I process normal data and Special Category (SC)
data as defined in the GDPR Article 9. In order to deliver services to you it may be
necessary to process a broad range of categories of data including information about
your physical and psychological health. My processing activities may also include
personal information identifying other important people in your life such as your
partner, family members or friends.
​
5. Upholding Rights and Principles.
In some circumstances, I will be unable to uphold or acknowledge some of the
rights listed in and in accordance with Data Protection Act 2018 such as:
The right to be informed;
The right to be forgotten;
The right of access;
The right to restrict processing;
The right to object; and
Complying with the principles.
​
DPA 2018 Schedule One, Part 2; Section 18 – Safeguarding of children and of
individuals at risk.
When working with you where possible I seek to process data with your Explicit
Consent in accordance with the GDPR Article 7. However, when this is not possible
and I have a professional or legal obligation to protect you or someone else from
harm, I can apply a condition known as the DPA 2018 Schedule One Part 2 Section
18 to safeguard either children or adults at risk.
​
6. Justification for processing data using an exemption.
There are two situations in which I can apply the DPA 2018 Schedule One Part 2
Section 18.
​
Reason 1:
Section 18(1)(b)(i)(ii) states that I can use your personal information without your
consent when either:
In the circumstances consent to the processing cannot be given by the data subject.
The controller i.e. therapist, cannot reasonably be expected to obtain the consent of
the data subject to the processing, and the processing must be carried out without
the consent of the data subject because obtaining the consent of the data subject
would prejudice the provision of the protection being provided.
The processing is necessary for reasons of substantial public interest.
Reason 2:
When the controller i.e. therapist, has reasonable cause to suspect that the
individual or a third party is experiencing, or at risk of, neglect or physical, mental or
emotional harm, and as a result is unable to protect himself or herself against the
neglect or harm or the risk of it.
​