Denise Lyall

Psychotherapy and EMDR therapy

For adult individuals and couples

Privacy Notice

Your privacy is very important to me.  You can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to me.  

This Privacy Notice refers to the website for Denise Lyall Counselling: www.deniselyall.co.uk. By using this website, you are accepting and consenting to this Privacy Notice.

It has been created to comply with the current data protecton legislation, including the General Data Protection Regulation (EU/2016/679) (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

‘Data controller’ is the term used to describe the person/organisation that collects and stores and has responsibility for people’s personal data. In this instance, the data controller is me. I am registered with the Information Commissioner’s Office (ICO), which is the statutory body that oversees data protection law in the UK, my registration no. ZA151754 (www.ico.org.uk).  

Any enquiry should be directed to myself either in person, by phone (07984015280) or email (info@deniselyall.co.uk.)

This Privacy Notice tells you what I will do with your personal information from your initial point of contact, through to after your therapy has ended, including:

• What permits me to request and process your information, and what purpose I am processing it for. 
• Whether you are required to provide it to me, in other words, your data rights.
• How long I store it for, why and how.
• Whether there are other third-party recipients of your personal information.

My Lawful basis for holding and using your personal information

The GDPR states that I must have a lawful basis for holding and processing your personal data. There are different lawful bases depending on the stage at which I am processing your data. The GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is that it is for the provision of health treatment (in this case counselling/psychotherapy) and, therefore necessary for a contract with a health professional (in this case, a therapeutic contract between me and you). I have explained lawful bases in more detail below:

If you are currently having therapy, or are considering having therapy with me, I will process your personal data where it is necessary to maintain and execute my responsibilities as your contracted counsellor/psychotherapist.  This includes:

• To respond to requests for information pertaining to my practice, organising meetings and contracting matters, including payments or invoices/receipts.
• To notify you about any changes to the service I provide that may impact on you and the delivery of this service.  This typically includes notice of annual leave, ill health or changes to my practice delivery or my privacy notice.
• To maintain client records of attendance for internal financial accounting reasons and external taxation requirements; including Her Majesty’s Revenues and Customs (HMRC).
• If you have had therapy with me and it has now ended, I will use legitimate business interest as my lawful basis for holding your personal information for a limited time period; based on current ethical therapeutic standards and recommendations.

How I use your information:

Initial contact.

When you contact me with an enquiry about my counselling services, I will collect information to help me to satisfy your enquiry. This may include your name, phone number or email address. Alternatively, your EAP service may send me your details when making a referral, or a parent or trusted individual may give me your details when making an enquiry on your behalf. If you decide not to proceed with therapy, I will ensure all your personal data is deleted within one year. If you would like me to delete this information sooner, just let me know.

I may collect information in several ways: via mobile phone call or text, the email address on my website, the British Association of Counselling and Psychotherapy (BACP) directory, or direct from you by email or phone call. Thereafter, only if provided by you.  All of which implies consent to collect.

The third-party internet service provider I use for my website, IONOS by 1&1, uses standard analytical and statistical tools that monitor behavioural patterns of visits to my website.  This comprises the resources that you access including, but not limited to, traffic data, location data and other communication data.  This data will not identify you personally. I do not make, nor do I allow, IONOS by 1&1 to make any attempt to find out the identities of those visiting my website. I use legitimate business interests as my lawful basis for holding and using your personal information in this way when you visit my website.

Additional information collected while you are accessing therapy:

Additional information will only be collected and stored to enable me to provide counselling/psychotherapy and therefore to honour my contractual obligation to you.

I will keep a record of your personal details to help my counselling service run smoothly. These details are kept securely and are not shared with any third party unless there is a legitimate business reason to do so. More detailed contact details will only be requested by me when we meet and agree to begin therapy.  I will ask you to provide them on paper and these will include: your full name, phone number, postal and email address, Doctor’s name, phone number and address. I will also ask you to sign a Therapeutic Contract. These are stored in a locked filing cabinet in my office.

Maintaining therapeutic notes after a counselling session has ended is an ordinary requirement for any counsellor/psychotherapist and is a foundation of good ethical practice. I type these notes; these are anonymised and are kept on my laptop which is password protected and has other up-to-date security measures in place. I may, on rare occasions request additional background information via email regarding the issue you are requesting therapy for. This information can either be provided by email, in writing or in person.

For security reasons I do not retain text messages for longer than is necessary.  If there is relevant information contained in a text message I will cut and paste it anonymously into your notes.  Any email correspondence from potential clients making enquiries is deleted after one year, and any email correspondence from clients, is deleted three years after counselling has finished.

After counselling has ended.

Once counselling has ended your records will be kept for three years from the end of our contact with each other, thereafter they are then securely destroyed.

Disclosure of information to third parties:

I may sometimes need to share personal data with third parties where there is an ethical or legal requirement to do so.  This would include extreme circumstances such as a risk to life or illegal activities.  Ordinarily I would not disclose information without consent, but there may be legitimate safety concerns that prevents consent from being sought or given. This includes where there is a serious risk of harm to anyone, a court order, terrorism, money laundering and radicalisation. 

If my accounts are inspected by an accountant or the HMRC they will require access to financial records which will include your payment details – no therapeutic information would be passed on. HMRC is itself bound by strict GDPR and confidentiality regulations.

In the unlikely event that I am incapacitated in some way and therefore unable to contact you to cancel appointments, I will arrange for a trusted professional to contact you on my behalf.  This person would only be given contact details: no therapeutic notes would be passed on.

Storage and security information:

I take the security of the data I hold about you very seriously and as such I take every effort to ensure it is kept secure. I will take all reasonable precautions to prevent the loss, misuse or alteration of information you give me.  Details on how this is achieved at each stage is described in relevant sections of this policy. 

Security of transmission of information via the internet cannot be guaranteed, but once I have received it, I will use strict security protocols to protect it. Records of details of meetings are collected and stored digitally and anonymously.  This is to meet core business delivery requirements as contracted.

Any paper or digital information is securely destroyed after three years unless there is an ongoing business needs to retain them. Communications in connection with my practice are usually sent by e-mail. For ease of use and compatibility, communications will not be sent in an encrypted form unless specifically required by you, and you give me permission to communicate with you in that way. E-mail, unless encrypted, is not a fully secure means of communication. Whilst I endeavour to keep our systems and communications protected against viruses and other harmful effects, I cannot bear responsibility for all communications being virus-free.

Your rights to access information held:

I try to be as open as I can be in terms of giving people access to their personal information. You have a right to ask me to delete your personal information, to limit how I use your personal information, or to stop processing your personal information. You also have a right to ask for a copy of any information that I hold about you and to object to the use of your personal data in some circumstances. You can read more about your rights at: www.ico.org.uk/your-data-matters.

If you would like to see information I hold then please put in a request in writing to: info@deniselyall.co.uk. I will do my utmost to resolve any concerns or complaints you have within one month of confirmed receipt, but if these are not resolved to your satisfaction, you may choose to contact the ICO (www.ico.org.uk).  You may request amendments to the personal information I hold about you that is inaccurate or out of date.  If you request that I delete your personal information I will do so unless I need to keep it for legal or legitimate business purposes. Please note that any withdrawal of consent to keep records all together whilst we are in a therapeutic relationship would necessitate termination of therapy. 

If you have any complaint about how I handle your personal data, please do not hesitate to get in touch with me by writing or emailing to the contact details given. I would welcome any suggestions for improving my data protection procedures. If however you want to make a formal complaint about the way I have processed your personal information you can contact the ICO direct: www.ico.org.uk/make-a-complaint.

Links to other websites

My website contains links to other websites that we think may be helpful to you. You should note that once you have clicked these links, I have no control over these sites and cannot be held responsible for any data that may be collected from you while on them.