Independent Clinical Psychology Services in Surrey

Data Protection Policy

The purpose of this policy is to help me achieve my data protection and data security aims in line with the General Data Protection Regulations (GDPR) 2018 by:

  • Setting out how I collect, use and store your personal information (this means any information that identifies or could identify you).

  • Clarifying the rules and the legal standards for handling personal information.

  • Clarifying the responsibilities and duties of staff in respect of data protection and data security.

  • Explaining how principles of data protection outlined below are being implemented and adhered to.

Data Protection Principles

All professionals whose work involves using personal data must comply with this policy and with the eight legal data protection principles which require that personal information is:

  • Processed fairly and lawfully. We must always have a lawful basis to process personal information. The lawful basis by which Dr. Jade Redfern processes data is for “Legitimate Interests” based on the assessment conducted by the Data Controller. In some (but not all) cases, the person to whom the information relates must have given consent. You must be told who controls the information, the purpose(s) for which we are processing the information and to whom it may be disclosed.

  • Processed for limited purposes and in an appropriate way. Personal information must not be collected for one purpose and then used for another. If we want to change the way we use personal information we must first inform you.

  • Adequate, relevant and not excessive for the purpose.

  • Accurate. Regular checks must be made to correct or destroy inaccurate information.

  • Not kept longer than necessary for the purpose. Information must be destroyed or deleted when we no longer need it. For guidance on how long particular information should be kept, contact Dr. Jade Redfern for information on the policy regarding medical patient records.

  • Processed in line with an individual's rights. You have a right to request access to your personal information, to prevent your personal information being used for direct marketing, to request the correction of inaccurate data, and to prevent your personal information being used in a way likely to cause you or another person damage or distress.

  • Secure. Please see data security policy for details.

  • Not transferred to people or organisations situated in countries without adequate protection.

The Policy may change, and you are welcome to contact me at any time to request the most recent version. This version was last updated on the 21st May 2018.

1)     Who am I? 


I am an HCPC registered Clinical Psychologist running a small private practice. I am committed to protecting your personal information and making every effort to ensure that your personal information is processed in a fair, open and transparent manner.


I am a "data controller" for the purposes of the Data Protection Act 1998 and (from 25 May 2018) the EU General Data Protection Regulation 2016/679 ("Data Protection Law").  This means that I am responsible for, and control the processing of, your personal information. 

For further information about privacy practices, please contact me by:

2)     How I collect information about you;


My work is focussed on the assessment and treatment of mental health problems, emotional and behavioural issues and difficulties in family relationships. I will only ever collect information about you or contact you in relation to your clinical care.

I collect information in the following ways:

  • When you contact me directly to enquire or book assessment or treatment sessions. This includes when you telephone or e-mail me.

  • When you complete your registration and consent forms prior to treatment.

  • When you complete questionnaires as part of your clinical care, before, during and after treatment.

  • In the form of clinical process notes which help me to plan your treatment. Process notes are taken during sessions, during telephone consultations and/or when I am involved in discussions with third parties about you or your child (always with your express permission).

  • When you decide to share letters or reports with me about you/ your child written by third parties.

  • When you contact me by letter / e-mail / telephone during or after assessment/ treatment.



3)     Information I collect and why I use it;

     Personal Information

Personal information I collect includes:

  • Name, date of birth, email address, postal address, telephone number (for young people under age 18 years contact details for parent/guardian).

  • Family living situation.

  • Emergency contact details.

  • School or workplace name.

  • Your family doctor (GP).

  • Name and contact details for other relevant professionals involved in your care.

  • Details of any physical/ mental health conditions, including medication.

  • Details of your health insurance. 

  • Completed questionnaires.

  • Correspondence from or to you about your care.

  • Correspondence from or to other healthcare professionals about your care.

  • Correspondence from third parties about possible referrals.

  • Mobile communications (including text and voicemail messages) from you or others, or to you about your care.

  • Writing or drawing or objects that you have produced as part of the therapeutic work.

  • Diagrams produced collaboratively in sessions.

  • Completed consent forms.

  • Session/ process notes.

You will have given me this information while registering for treatment with me or in any other communication between us.


     Payment Information

We are required to hold information on payments received for our financial records. This information may include:

  • Your full name and title.

  • The date and amount of the transaction, and;

  • If payment is made on your behalf, we will need to record the details of the payee.

I will mainly use this information;

  • To facilitate your clinical care and ensure you receive the highest standard of service.

  • To keep a record of your relationship with me.

If you do not provide this information I may be unable to offer a psychological assessment and intervention.

I may also use your personal information:

  • To invite you to participate in surveys or research.

     Sensitive Personal Information

In the course of psychological assessment and intervention it is common for patients to share sensitive personal information about themselves and/or the experiences of a friend or family member. I may also collect this health information. If you provide me with any Sensitive Personal Information by telephone, email or by other means, I will always treat that information in accordance with this Privacy Policy.

     A special note about the Sensitive Personal Information I hold

General Data Protection Regulation (2018) recognises that some types of personal information are more sensitive and need additional protection. Sensitive Personal Information can include information about a person’s health, race, ethnic origin, political opinions, religious beliefs, genetics, sex life or sexual orientation.

     I will only use this information:

  • For the purposes of your clinical care, quality monitoring or evaluating the services I provide.

  • I will not pass on your details to anyone else without your express permission except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others or sharing serious issues such as physical abuse or exploitation.

     Legal basis for using your information

There are lawful reasons that allow data controllers to process your personal information and one of those is called 'legitimate interests'. This means that the reason that I am processing information is because there is a legitimate interest for me to process your information in order to provide psychological assessment and treatment.

I make sure that I take into account your rights and interests whenever I process your Personal Information under the lawful basis of 'legitimate interest'.


The additional legal condition required for processing special category data (or sensitive personal information) is that processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis and / or the provision of health care.

4)     Sharing your information;


The personal information I collect about you will only be used by me or my staff so that we can support you.

I will never sell or share your personal information with organisations so that they can contact you for any marketing activities.

     Legal disclosure

I may disclose your information if required to do so by law (for example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority).

5)     Keeping your information safe;

I take looking after your information very seriously. In order to prevent unauthorised access, alteration, destruction or disclosure I have put in place appropriate physical, electronic and organisational measures to protect the personal information I have under my control.


Unfortunately the transmission of information using the internet is not completely secure. Although I do my best to protect your personal information sent to me this way, I cannot guarantee the security of data transmitted by e-mail.  If you wish to send an email containing personal information please use a password protected document.

6)     How long I hold your information for


Information is held for as long as is reasonable and necessary for your clinical care and in line with current guidance from relevant professional bodies. The British Psychological Society Professional Practice Guidelines (3rd Edition) on Managing Data and Confidentiality currently recommends that information is held for 7 years after the end of treatment. For young people seen when they were under the age of 18 years, information is held until they are 25 years old, in line with the NHS code of practice for records management.

7)     Your Rights

You have various rights in relation to the personal information I hold about you – please see below.  If you wish to exercise any of these rights or make a complaint, you can do so by contacting me by email at and by phone on 07426356326.

  • Access to your personal information: You have the right to request access to a copy of the personal information that I hold about you.  You can make a request for access free of charge.  Please contact me for an access request form.  In some circumstances it may not be possible to release the information about the individual to them, for example, if it contains personal data about another person.

  • Right to object: You can object to my processing of your personal information when I am doing so on the basis of legitimate interest if there is something about your particular situation which makes you want to object to processing on this ground. Please contact me to discuss any objections you may have.

  • Consent: I do not ask for consent to hold your personal information because this is not the legal basis on which I collect and store information. You are therefore not able to withdraw your consent; however, you can object to the legitimate basis for holding your information as outlined above.

  • Rectification: You can ask me to change or correct any inaccurate or incomplete personal information held about you.

  • Erasure: You have the right to ask me to delete your personal information where I have no lawful basis for keeping it.

  • Portability: You can ask me to provide you or a third party with some of the personal information that I hold about you in a structured, commonly used, electronic form, so it can be easily transferred.

  • Restriction: You can ask me to restrict the processing of the personal information I have about you where you have asked for it to be erased or where you have objected to my use of it.

  • No automated-decision making:  Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.  You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law.  You also have certain rights to challenge decisions made about you.  We do not currently carry out any automated decision-making.


Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.


If you have any concerns about the way your data is being processed you can make a complaint to the data protection supervisory authority, the Information Commissioner's Office,

Data Security Policy

Data Protection Principles

We must all protect personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation through the use of data security measures. This includes breaches that are the result of both accidental and deliberate causes.

1.   Maintaining data security means making sure that:

  • Only people who are authorised to use the information can access it;

  • Information is accurate and suitable for the purpose for which it is processed; and

  • Only authorised persons can access information if they need it for authorised purposes. Personal information will not be stored on individual computers.

2.   By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.

3.   Personal information must not be transferred to any person to process (e.g. while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.

Security procedures include:

Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers/ tablets should be locked with a password or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.

Telephone precautions. Particular care must be taken when dealing with telephone enquiries to avoid inappropriate disclosures. In particular;

  • The identity of any telephone caller must be verified before any personal information is disclosed.

  • If the caller's identity cannot be verified satisfactorily then they should be asked to put their query in writing.

Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, will be physically destroyed when they are no longer needed. Paper documents will be shredded and CDs or memory sticks or similar will be rendered permanently unreadable.

Additional measures to ensure data security include the following: recorded phone messages are shredded at the end of the day or locked away, email enquiries are deleted every 3 months, paper forms with patient data are scanned and shredded, and other paper documentation is securely locked away or scanned.

Data breach;


A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data.  Examples of a data breach include;

  • Access by an unauthorised third party;

  • Deliberate or accidental action (or inaction) by a controller or processor;

  • Sending personal data to an incorrect recipient;

  • Computing devices containing personal data being lost or stolen;

  • Alteration of personal data without permission; and

  • Loss of availability of personal data.

If there is any risk to people’s rights and freedoms the individual affected and the ICO must be informed within 72 hours of the breach.


The ICO and individual concerned (where relevant) must be given the following information;

  • A description of the nature of the personal data breach;

  • The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;

  • A description of the likely consequences of the personal data breach; and

  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

All personal data breaches must be recorded, regardless of whether or not there is a need to notify the ICO. If the breach is not reported, a justification for why not must be recorded.

If your rights under GDPR or any of the above information are unclear, please don't hesitate to contact me or discuss with me in your next session.

Tel: 07426 356326

8 Carlton Yard, Victoria Road, Farnham GU9 7RD

​© 2016 Dr Jade Redfern