A quick introduction to my Data Protection Policy

As a psychotherapist working in private practice, I am expected to comply with the General Data Protection Regulation (GDPR). This page aims to give you insight into how I adhere to this regulation, plus something of my thought processes around it.

Creating security facilitates good therapy

As a psychotherapist, I have always been acutely aware of the need for privacy, confidentiality and a sense of security in the work I do with clients. GDPR doesn’t change this, but adds another layer. Ultimately, GDPR is about security – something that is close to my heart as an attachment-based therapist. If we don’t feel safe, all our energy goes into staying vigilant about our environment, rather than exploring it (via play in children, and in therapy via exploration, letting our mind wander and the freedom to engage with another human being in a new way). Exploration facilitates optimal growth, development and, in therapy, healing.

But feeling safe and secure is as important for me, the therapist, as it is for my clients. If I don’t feel secure in my work, I don’t work optimally. I am talking as much about feeling supported to manage the (sometimes) challenging work of therapy as about physical safety. It is for this reason that I require GP details of prospective clients before I agree to work with them. I feel strongly that knowing I can contact a GP if the need arises helps me feel secure enough to fully enter into the work. In the vast majority of cases, I never need to contact a client’s GP, and if I do, it is done with the client’s knowledge, involvement and consent (there are exceptions – see the information on confidentiality).

Requiring GP details is just one example of my rationale behind the data I ask for.  If you want to ask anything else about my rationale behind my data protection policy, please do not hesitate to ask.

Fort Knox at the front door…

GDPR has made me reflect on the ‘front door’ ways I communicate with clients.  Email, text message and video messaging are pretty much the sole way I communicate with clients (outside of sessions), and vice versa.  But the majority (perhaps all) of the standard email providers do not encrypt emails, meaning that they are not secure ways to communicate.  The same is true for text messages.  WhatsApp, while encrypted, is not secure because it’s WhatsApp who do the encrypting, and so could theoretically ‘unencrypt’ data (and let’s be clear, data = your and my messages, video calls and so on). 

So, I use encrypted forms of communication via a different email provider (ProtonMail) and video conferencing service (Zoom). These satisfy my (and my more technically minded/aware colleagues’) requirements for transferring data safely over the internet. All these systems are free and easy to download – but they require the message receiver to be using them too for the system to be safe. As a result, I will require clients to adopt these facilities as well.

…but the back door’s wide open!

I have covered the security of the direct ways people communicate, but there are different ‘back door’ ways data is shared, sometimes outside of our conscious awareness. Think, as a prime example, of how your phone might be set up to add engagements (including a session with Helen Cordery – a quick look at Google will tell anyone what I do) to your calendar without you asking it to. GDPR has compelled me to think about as many ways like this in which your data is at risk of being compromised as I can, and about ways around them. (By the way, I use an old-fashioned paper diary, listing clients by their initials, not names.)

Some are pretty basic, such as not looking at my emails when crammed onto a busy train in the morning. Others are a little less obvious. For instance, whilst a passcode and fingerprint recognition make my phone very secure, I realised that notifications override these, showing the first line of a text (for example) as well as the sender, if my phone is at rest. As a result, I have changed my notifications so that I only know that I have a new message, not its content, and again I identify clients on my phone by initials, not by name.