GDPR Data Protection Policy
For Private Clinical Psychology Practice (UK)
HW Psychology LTD.
1. Introduction
This GDPR Data Protection Policy outlines how this clinical psychology practice collects, processes, stores, and protects personal data in accordance with: - UK General Data Protection Regulation (UK GDPR) - Data Protection Act 2018 - ICO (Information Commissioner’s Office) guidance
This policy applies to all personal data handled within the practice, including digital and paper records.
2. Purpose of the Policy
The purpose of this policy is to ensure that the practice: - Processes personal data lawfully, fairly, and transparently - Protects the rights of clients and other individuals - Demonstrates accountability and compliance with data protection law - Maintains confidentiality and security appropriate to clinical work
3. Data Controller
The practice acts as the Data Controller, determining the purposes and means of processing personal data. The Data Controller is responsible for ensuring compliance with UK GDPR.
Contact details: (Dr Helena Widdrington, HW Psychology LTD, Helenawid@hwpsychology.com, 0191 743 4252)
4. Types of Data Processed
4.1 Personal Data
Name, address, date of birth
Email address and telephone number
GP/contact medical information
Payment and invoicing information
Appointment history
4.2 Special Category Data
Special category data processed relates to: - Mental health information - Clinical notes and reports - Assessment information - Sensitive personal history relevant to therapy
Special category data is subject to enhanced protection.
5. Lawful Basis for Processing
5.1 Personal Data (Article 6 UK GDPR)
Data is processed under: - Contract (6(1)(b)) – necessary for the provision of psychological therapy services - Legitimate Interests (6(1)(f)) – administrative functions, appointment management - Legal Obligation (6(1)(c)) – safeguarding duties or court orders
5.2 Special Category Data (Article 9 UK GDPR)
Processed under: - Provision of Health or Social Care (9(2)(h))Supported by a Schedule 1 policy as required by the Data Protection Act 2018.
5.7.3 Practice Management Tools
This practice uses WriteUpp, a clinical practice management system, for storing clinical notes and administrative information.
WriteUpp acts as a Data Processor. The system provides:
Encrypted storage of clinical notes and documents
Secure user authentication
UK/EU-compliant data hosting
Regular backups and data redundancy
A Data Processing Agreement (DPA) outlining responsibilities
Only authorised users have access, and access is password protected.
5. Lawful Basis for Processing
5.1 Personal Data (Article 6 UK GDPR)
Data is processed under: - Contract (6(1)(b)) – necessary for the provision of psychological therapy services - Legitimate Interests (6(1)(f)) – administrative functions, appointment management - Legal Obligation (6(1)(c)) – safeguarding duties or court orders
5.2 Special Category Data (Article 9 UK GDPR)
Processed under: - Provision of Health or Social Care (9(2)(h))Supported by a Schedule 1 policy as required by the Data Protection Act 2018.
7. Data Storage and Security
7.1 Physical Security
Paper notes stored in locked filing cabinets
Restricted access to practice premises
7.2 Digital Security
Encrypted devices and secure password-protected systems
Two-factor authentication where available
Encrypted backup storage
Up-to-date antivirus and software
8. Data Sharing
Client data is only shared when necessary and lawful.
8.1 Situations where sharing may occur:
With GPs or health professionals (typically with consent)
Safeguarding concerns where there is legal or ethical obligation
Court orders requiring disclosure
Professional supervision (minimal or anonymised information)
Data processors (e.g., practice management software)
No data is sold or shared for marketing.
9. Data Retention
Data is retained only as long as necessary.
Standard retention periods:
Adult clinical records: 7 years after the last appointment
Child clinical records: until age 25 (or 26 if last seen at age 17)
Financial records: 7 years (HMRC)
At the end of these periods, data is securely deleted or destroyed.
10. Clients’ Rights Under UK GDPR
Clients have the following rights: - Right to be informed – via privacy notices - Right of access – to request copies of their data - Right to rectification – to correct inaccuracies - Right to erasure – limited for clinical records - Right to restrict processing - Right to object - Right to data portability (not usually applicable to clinical services)
Requests must be responded to within one month.
11. Data Breaches
A data breach may include loss, damage, or unauthorised access to personal data.
11.1 Procedure:
Assess and contain the breach
Record details in the breach log
Notify the ICO within 72 hours if there is any risk to individuals
Inform clients if the breach poses high risk
12. International Data Transfers
If data is transferred outside the UK (e.g., through software providers): - Appropriate safeguards such as UK IDTA must be in place - Providers must demonstrate adequate data protection standards
13. Accountability and Documentation
To demonstrate compliance, the following documents are maintained: - Privacy Notice - Special Category Data Policy - Record of Processing Activities (ROPA) - Retention Policy - Data Breach Policy and Log - Data Sharing Agreements and Processor Contracts
14. Review of This Policy
This policy will be reviewed annually or sooner if: - There are changes in legislation - New systems or processes are introduced - Any data breach indicates a need for revision