On 25 May 2018 the law changed with regard to how organisations have to protect your ‘data’ (personal details and records) and this is called the General Data Protection Regulation or GDPR. The following summary highlights how GDPR is being implemented, by explaining why confidential information is held and how this is protected.
Derby EMDR Hub is a trading name of Evans Psychological Services LTD. In this privacy policy, references to ‘we’, ‘our’, ‘us’, or ‘Derby EMDR Hub’ refer to Evans Psychological Services LTD.
It is assumed that by engaging with the service you are consenting to records being kept.
- Keeping records is an essential component of healthcare, which helps in understanding how best to help and forms the basis of any reports needed
- Confidentiality is maintained at all times (i.e. your information is not shared) unless there are exceptional circumstances such as risk to yourself or others, when other services such as your GP or police may be contacted without your consent as this is a professional obligation
- Consultation notes and questionnaires will be held for varying lengths of time depending on the content (and then carefully disposed of)
- Mental health records are subject to special legislation. Children’s records are kept until age 26 and adult records for 8 years after the last contact with the service.
- All information recorded on paper will be securely stored in a locked filing cabinet
- Confidential digital information and data will be stored on an encrypted device offering high levels of security
- Confidential information sent by the psychologist via the internet will be encrypted and password protected, with the password sent separately by text
- Letters sent to professionals such as GPs, by surface mail, will be clearly marked Confidential
- All electronic devices (e.g. computer, laptop and phone) used to access stored information will themselves be password protected
- Right of access: a ‘subject access request’ or SAR can be made for copies of records. There may be an admin charge, and copies will be provided within 1 calendar month of the request being made.
- In the event of death or incapacity of the therapist, arrangements have been made for records to be held by a named professional colleague who will continue with the above obligations
Privacy Policy for Derby EMDR Hub
Effective Date: 1st May 2025
Data Controller: Lydia Evans
Contact: info@derbyemdrhub.co.uk
1. Introduction
This Privacy Policy explains how Derby EMDR Hub collects, uses, and protects your personal data when you engage in psychological therapy with us. As a provider of mental health services, we are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By attending therapy sessions or communicating with us, you agree to the terms of this Privacy Policy.
2. What Information We Collect
We collect and process the following types of personal information:
Personal and Contact Information
- Name, date of birth, address, phone number, and email address
Health and Therapy Information
- Medical history, mental health history, GP details
- Session notes, assessments, treatment plans, referral information
Administrative Information
- Appointment history, payment details (if self-funded), insurance or third-party funding data
Online or Telehealth Services
- IP address, device type, or browser data (only when you use our website or online platforms)
3. Lawful Basis for Processing
We process your personal data under the following lawful bases:
- Consent: You have given clear consent to process your data (e.g., by signing the therapy agreement).
- Contract: Processing is necessary for providing you with therapy services.
- Legal Obligation: We are required to retain records or share information in line with UK law.
- Vital Interests: In situations where your safety or someone else’s is at risk.
- Legitimate Interests: For the proper administration of the therapy service (e.g., diary management, invoicing).
Special category (sensitive) data, including health information, is processed under Article 9(2)(h) of UK GDPR for the provision of health care.
4. How We Use Your Information
Your data is used to:
- Provide effective psychological therapy
- Maintain accurate clinical records
- Contact you about appointments or changes to services
- Coordinate care with other health professionals (only with your consent)
- Manage billing and payments
- Meet legal and professional obligations
5. Confidentiality and Sharing
All information shared in therapy is confidential. Information is only shared:
- With your consent (e.g., with your GP or other healthcare providers)
- If required by law or court order
- If there is a serious risk of harm to you or others
- If there is a safeguarding concern involving a child or vulnerable adult
If using third-party services (e.g. for video therapy, payments, or record keeping), we ensure they are compliant with data protection laws.
6. Data Storage and Retention
Your data is stored securely in encrypted electronic records or locked paper files. We retain your records in accordance with professional and legal requirements:
- Adults: Typically for 7 years after the end of therapy
- Children and young people: Until they turn 25 (or 26 if they were 17 at the end of treatment)
After this period, your data will be securely destroyed or deleted.
7. Your Rights Under UK GDPR
You have the following rights regarding your data:
- Right to access – Request a copy of your personal data
- Right to rectification – Request corrections to inaccurate or incomplete data
- Right to erasure – Request deletion of your data in some circumstances
- Right to restrict processing – Request a pause on data use under certain conditions
- Right to data portability – Request your data be transferred to another provider
- Right to object – Object to how your data is used
To exercise these rights, please contact us using the details provided above.
If you have concerns about how your data is handled, you can contact the Information Commissioner’s Office (ICO) at www.ico.org.uk.
8. Updates to This Privacy Policy
We may update this Privacy Policy occasionally. The most recent version will always be available on our website or upon request. Any significant changes will be communicated to you directly.
9. Contact
If you have any questions or concerns about your data or this Privacy Policy, please get in touch:
Derby EMDR Hub
01332 498 065
info@derbyemdrhub.co.uk
The Old Surgery, Derby, DE22 4DY
