background image
21st October 2018 

    Privacy Notice

About Me
I am Peter Bryan and I am a qualified Cognitive Behaviour Therapist and EMDR Therapist. I am the owner of “Surrey CBT Therapist” and as a sole trader, I am both the data controller and data processor. I am registered with the Information Commissioner’s Office (ICO) and have been since starting my private practice in 2007.

The Purpose of this notice
On 25th May 2018, the Data Protection Act in the UK is being replaced by the General Data Protection Regulation (GDPR). This new legislation makes clear how your personal data can be collected, processed and stored.

How is Data Collected?
Data can be collected in the following ways:
Contact made via the online contact form on this website, hosted by PHD Interactive T/A Webhealer.
Emails sent directly to me
Contact made by telephone or text
Face to face contact
Video calls via VSee or Zoom

What Personal Information do I Collect?
As a healthcare professional, I keep records about your health and any treatment you receive but only record the information I deem to be necessary to fulfill my clinical practice duties. This may include:
Name, address, date of birth, phone number and email address,
GP name, address and telephone number,
Written notes I take during and make after any appointment with you with regard to your psychological and physical wellbeing
Outcome / assessment questionnaires to help monitor progress and treatment outcomes
End of treatment feedback questionnaires

Why do I need to collect personal data?
I collect the minimum amount of data required to assist me in providing a high-quality standard of care in line with the requirements of the BABCP, AREBT and the EMDR Association.

Who do I share my personal information with?
If you have been referred by a GP, Psychiatrist, or other Health Care Professional, Healthcare Insurance Company or an Employment Assistance Programme (EAP) then there is an expectation that I will communicate with them by letter or securely by email to keep them updated with your progress during treatment.
If you are contacting me entirely independently then I will not share this information with anyone.
Exceptions to the above:
I have a duty of care to seek additional help / support / advice if I view you or someone else are at risk of harm to themselves or to others and will under such circumstances contact other agencies as required. Under such circumstances, it is preferable but not essential that this contact be made with your agreement.
It is a requirement of any CBT or EMDR Therapist to engage in the supervision of his or her clinical practice. I have a CBT supervisor and an EMDR supervisor whom I meet with regularly. This can be seen as a form of quality control to ensure I am providing the best care I can provide for my patients. Your treatment may therefore be discussed in supervision but would be done so in an anonymised way to ensure you will not be identifiable.

How is my data stored?
Paper records are stored in a locked filing cabinet that only I have access to.
Electronic records are stored on password protected encrypted devices that only I have access to.
Cloud based storage is provided by Box. This is supported by two factor verification. Again, only I have access to any records stored with this cloud based service.
My preference when emailing sensitive information is to use Hushmail, a fully encrypted and password protected email service.
Sometimes I ask to audio record or video therapy sessions solely for the purpose of facilitating my own clinical supervision. Recordings are stored on a separate password protected encrypted device (BlackBerry). Recordings will only be made with your written permission to do this. You will be asked to give your verbal consent each time. You are free to refuse the recording of your therapy sessions or ask me to delete the recording at any time.

How long do I retain your personal data?
To comply with the requirements of my Indemnity Insurance arrangements, your data will be kept for a period of ten years.
Where collected, audio recordings and video recordings are kept for a maximum of two months. They are deleted following clinical supervision.