On 25 May 2018, the law changed with regard to how organisations have to protect your ‘data’ (personal details and records) and this is called the General Data Protection Regulation or GDPR. The following summary highlights how GDPR is being implemented by Linda Shattock by explaining why confidential information is held and how this is protected. I recommend you read through this carefully and get back to me if you have any questions


Clinical psychologists provide psychological services, including psychological assessments and therapy. I will ask for personal and sensitive information. It is assumed that by engaging with this service you are consenting to records being kept. These activities require me to act as a ‘Data Controller’ for clients, and by law I am required to be registered with the Information Commissioners Office (ICO). This register is an online public register of Data Controllers and visible for anyone to check. https://ico.org.uk. My ICO reference, if you wish to check, is ZB029345.


As a clinical psychologist and independent practitioner I am registered with the Health and Care Professions Council (HPCP), the British Psychological Society (BPS) and as a cognitive behaviour psychotherapist with the British Association for Behavioural and Cognitive Psychotherapies (BABCP) and bound by their Codes of Ethics and Practice.


What personal data is processed?
In addition to the data you provided within the web enquiry form, I will collect and process the following personal data from clients at the initial contact on a registration form. This will include:
-Personal data: Basic contact information including name, address, email, contact numbers, video conference ID (if online therapy), GP contact details, your child’s school, other agencies, such as health and social care professionals who are involved with your child, and a description about the nature of the difficulties experienced. This is to liaise around your child’s safety and is following the duty of care within my professional guidelines.

-Sensitive personal data during therapy: A signed therapy contract agreement, mental health therapy records (notes of sessions, letters, reports, drawings, outcome measures).

If you do not provide the personal information requested, then I may be unable to provide a service to you and your family.

-If you are referred by your health insurance provider, solicitor, rehabilitation company or other health-related agency, then I will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment.

-I may also ask for information on how you found the service for the purpose of marketing research.


What is the lawful basis for collecting your personal data?
As your therapist I have a legitimate interest in using your personal data to provide psychological assessment and therapy in accordance with the guidelines of my governing bodies.


What is done with your personal information?
I will use the information collected to provide psychological assessment and therapy services to you and your family.


Your personal information may also be required to process payment for such services.

I take your privacy seriously, and will only use your personal information to provide the services you have requested. I am committed to protecting and respecting your privacy. No information you provide is passed on without your consent. I will never sell your information to others or use your personal data for marketing purposes or send you marketing materials without your explicit consent.


Data storage

Keeping records is an essential component of healthcare, which helps in understanding how best to help and forms the basis of any therapy offered. I will only collect and retain your personal information that enables me to perform my services. If you provide a paper copy of registration forms, these will be stored in a locked cabinet. If an electronic copy is provided, these will be password protected and stored on a password protected, encrypted laptop/folder.


When you submit an enquiry through the website lindashattock.co.uk it will be read by Linda Shattock only. The email server used is GDPR compliant. Any emails which come through on my mobile phone are secured with a password/mobile thumb print/facial identification software. Letters and reports will be password protected when sent via email. I will avoid sending personal information in the body of the email and subject heading of emails.


Data retention                                                                                                                           

I will only store your personal information for as long as it is required. Basic contact information held on my mobile phone and the website enquiry forms will be deleted within 6 months of the end of therapy.


Session notes, registration forms and identifiable information will be kept for 7 years after the last date of service delivery, or until the client reaches the age of 21 (whichever comes sooner). After this period this data will be carefully disposed of at the end of each calendar year. Some records may be held indefinitely if there were any issues of concern that could lead to police investigation in the future.  This is in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000) [1] and The Health and Care Professions Council (HCPC; 2017)[2]. 


Who might I share your information with ?

No information you provide is passed on without your consent. However, there may be circumstances where I gain consent to share your information for payment reasons (e.g. such as with your health insurance provider for the purpose of billing) or linked to your claim/assessment (e.g. a solicitor where an assessment/treatment has been instructed).


I may also request consent to share information with other agencies/people where I think it would be beneficial to you/your child’s treatment (e.g. with parents or school). However, I would not do so unless you give me consent for this, except in the exceptional circumstances listed below.


Therapy sessions are confidential. Young people aged 13 or over are able to consent to the sharing/not sharing of therapeutic information as long as they are deemed to be competent to make this decision. I will abide by their wishes except in cases of serious risk where I may have to override this to protect the young person/others. In exceptional circumstances, I may need to pass information on to other agencies/parties without consent. This would be in cases of risk where there is a need to keep you/your child safe, such as serious self harm. For example, if I was seriously worried about a child’s safety I would generally pass this information to a parent/caregiver (unless I thought this would put the young person at further risk of harm) even if consent was withheld.


This also applies when a disclosure is in the public interest (e.g. the safety of others) or where there is a legal duty (e.g. a serious crime has been committed/miscarriage of justice). I am duty bound to do this by my professional guidelines. Whilst I am not obliged to gain your consent for this, I will always discuss this with your first (unless doing so would increase the risk to you or another person).


To ensure good practice, all psychologists also maintain professional registration via supervision with another qualified professional. Not all cases/clients would be discussed with a supervisor, though if you/your child were discussed, full names would not be used and the supervisor would also be compliant with GDPR. Only ‘need to know’ information would be shared, for the purposes of advice and consultation and to ensure you are receiving optimal treatment.


Your right to make a complaint                                                                                             

If you wish to raise a complaint about my practice you can contact the Health Care Professions Council.


  • If you think I have not complied with data protection laws you can also complain to the Information Commissioner’s Office. Any known data breaches will be reported to the ICO within 72 hours.
  • If you would like to see your personal data/session notes then a request needs to be made through a data subject request and will be supplied within one month. Please discuss this with me as I may need to discuss this with the governing body (HCPC) and British Psychological Society (BPS) depending on the nature of the request.


Your right to get your personal information changed if it is inaccurate
If factual errors or omissions have been made in either the registration forms you have provided, or in reports/correspondence I have provided to you about you/your child, then you can request that these be amended. If this information has been shared with another agency (e.g. school) I will contact the recipients to inform of the amendments.


If you wish to retract your registration forms and thereby retract your consent for me to hold your records you can notify me. I will terminate sessions as I am unable to practice without this information.


Your right to erasure 

If you would like your registration forms and data to be erased, I would need to contact the governing body (the HCPC) to ascertain whether they are legally able to do this on a case by case basis (e.g. dependent on the age and circumstances of the young person). Psychologists keep notes of sessions in order to support them to provide you with the best care and it is a requirement of the governing body. We are bound by rules as to how long we have to keep this information, therefore we would need permission from our governing body for these to be deleted, which may not be provided.


Your right to restrict processing 

If you put sessions on hold/terminate sessions, I will no longer take session notes/liaise with professionals about your case (except where there is serious risk).


Your right to data portability

Should you wish to move to another practitioner and you would like your notes to be transferred over, I can provide them with your background information and a summary of works completed/a phone discussion, with your consent. Should you want a more in depth report, there may be a charge associated with this.


If your rights under GDPR or any of the above information is unclear, please do not hesitate to discuss with me.


[1]The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.
[2]Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.