The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for data management, and the rights of the individual regarding the collection and processing of their personal information within the European Union (EU). The following privacy notice outlines how Phil Marriott as the Data Controller for Achieve CBT manages your data and your rights in relation to this.

What information we hold and why:

Achieve CBT only collects basic data at the point of initial contact that you or your referrer supply such as your contact details and if appropriate insurance policy number and the details of formal (e.g. GP, parent/guardian) and informal support persons.  You are required to inform Achieve CBT where updates to these are necessary. Written notes (including images of diagrams) are made in sessions (via paper and electronic based systems) and these combined with your previously mentioned contact details, signed Therapy Agreement and this signed Privacy Notice are either stored in a locked filing cabinet or on a secure password protected electronic device, associated cloud based storage or external hard drive.  Email communication is also stored.  These details together enable Achieve CBT to communicate with you and provide efficient and effective services and bill for services as required.

If you complete a web-based enquiry form, I will also collect any information you provide to me as well as your internet protocol (IP) address. This is automatically supplied by the website software used to offer the form. All web services used by Achieve CBT are verified by themselves as GDPR compliant.

What we do with your information:

Your personal data is used solely for providing an efficient and effective service and continuity of care.  Only persons working Achieve CBT (or in support of Achieve CBT such as admin/accountancy support) have access to your basic data, where your case detail may be discussed in clinical supervision no identifying details are shared.  Your data is not shared with any third parties unless there is a concern regarding severe and imminent risk and then appropriate persons, most likely your GP or nominated informal support person. 
In exceptional circumstances personal data may be shared with relevant authorities when disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a court order. Where possible all proposed instances of disclosure will be discussed with you, unless it is believed that to do so could increase the level of risk to you or someone else.

If an insurance company or other third party referrer (typically through legal claims) funds your sessions invoices are submitted through secure portals to the company themselves.  Where clinical updates are required by such companies (such as requested if asking for further funded sessions), these will be discussed with you before being shared with the relevant organisation.  These reports are then submitted as securely as possible, typically directly to the insurance company’s website.

Non-identifiable data such as your G.P. surgery, how you heard about Achieve CBT and the number of sessions undertaken are collected and collated to audit referral and intervention patterns to enable service development.

Where and how long your information is stored:

Your data is either stored in a locked filing cabinet or on a password protected computer, cloud based storage, external hard drive, iPad or iPhone.  All electronic devices have antivirus software; in addition mobile devices are protected with a passcode/ thumbprint/facial recognition.

The British Psychological Society (BPS) recommend the storage of clinical notes for 7 years and for children until they reach the age of 25, after this time your notes will to shredded and all electronic communication deleted. The practice guardian will ensure these guidelines are adhered to in the event that the Data Controller for Achieve CBT is unable to.

Electronic Communication and Online Session:

Security Routine emails such as arranging appointments and sending links/worksheets are sent through standard Gmail, which carries a level of encryption, but not through separate password login.  Individuals can choose if they would like password protected emails in the first session when reviewing this privacy notice (see and sign below).

For online therapy sessions the recommended secure platform is Zoom. In addition, sessions can also be offered through other means such as Skype and Face Time. Please state at the end of the document if you have a preferred platform for such sessions.

Your rights:

You may ask to see your notes for example to explore and address perceived inaccuracies, it is recommended that reviewing your notes is completed in collaboration to discuss and explore issues arising.  If you would like to access your notes, please submit a written request to Achieve CBT who will respond within 30 days.  You can also submit a written request to Achieve CBT for your data to be deleted prior to 7/25 years. Each case will be discussed on an individual basis and advice sought from professional bodies, current liability insurers and The Information Commission Office (ICO).

Achieve CBT is registered with the ICO. If you have concerns about the practices of Achieve CBT in relation to GDPR compliance these can be taken to the ICO, details of which can be found at ico.org.uk.