Privacy Policy

Jessica Wey and The CBT Clinic Tunbridge Wells respect your privacy and are strongly committed to protecting your personal data.

The CBT Clinic Tunbridge Wells is run by Jessica Wey, who is responsible for the management of personal data collected through the clinic.

Jessica Wey aims to be as clear as possible about how and why she uses information about you so that you can be confident that your privacy is protected.

This policy describes the information that is collected when you use the services of The CBT Clinic Tunbridge Wells. This includes personal data as defined in the General Data Protection Regulation (GDPR) 2016 and the UK Data Protection Act 2018.

If your questions are not fully answered by this policy, please contact Jessica Wey. If you are not satisfied with the response, you can contact the Information Commissioner’s Office (ICO)

Questions you may have about your personal data

Who keeps my data?

Jessica Wey is the data controller. This means she is legally responsible for the personal data held by The CBT Clinic Tunbridge Wells and for ensuring it is stored and used safely and lawfully.

What personal data is collected?

Personal data may include:

•⁠ ⁠Name

•⁠ ⁠Address

•⁠ ⁠Date of birth

•⁠ ⁠Email address

•⁠ ⁠Telephone number

•⁠ ⁠Emergency contact / next of kin name and contact details

•⁠ ⁠GP contact details

Special category (sensitive) personal data may include:

•⁠ ⁠Signed therapy or service agreements

•⁠ ⁠Therapy records, including clinical notes, correspondence, reports, and outcome measures

If you complete a web-based contact or enquiry form, the personal information you provide and your Internet Protocol (IP) address may be collected automatically by the website software used. All web services used by The CBT Clinic Tunbridge Wells are GDPR compliant.

If you are referred by a health insurance provider, personal data supplied by that organisation may also be processed. This may include basic contact details, referral information, insurance policy numbers, and authorisation details for psychological treatment.

Why do you keep personal data?

Jessica Wey has a legitimate interest in collecting and retaining personal data. This information is necessary in order to provide cognitive behavioural therapy services safely, ethically, and effectively, in accordance with BABCP Standards of Conduct, Performance and Ethics.

No personal data is shared without your consent, except where there is a legal or ethical obligation to do so. Your personal data is never sold or used for marketing purposes.

What do you do with my personal information?

Your personal data is used solely to:

•⁠ ⁠Provide cognitive behavioural therapy services

•⁠ ⁠Communicate with you regarding appointments and therapy

•⁠ ⁠Process payments and manage accounts

If the required personal information is not provided, it may not be possible for therapy services to be offered.

How long will you store my personal information?

Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected and to meet legal and professional obligations.

•⁠ ⁠Basic contact information stored on electronic devices is deleted at the end of therapy.

•⁠ ⁠Therapy records and other sensitive personal data are retained for 7 years after the end of therapy, after which they are securely deleted.

By law, basic client information (including identity, contact, and financial records) must be retained for 7 years for HMRC tax purposes.

In some circumstances, personal data may be anonymised so that it can no longer be linked to you. Anonymised data may be retained indefinitely for research or statistical purposes.

Who will your personal information be shared with?

All client information is treated as confidential and is not routinely shared. Exceptions include:

•⁠ ⁠Health insurance providers: Appointment schedules and limited treatment information may be shared for billing purposes or to request authorisation for continued treatment.

•⁠ ⁠Referrers (such as GPs or psychiatrists): With your consent, brief treatment updates may be provided.

•⁠ ⁠Legal instruction: Where therapy is instructed by a solicitor, relevant clinical information may be shared with your written consent.

In exceptional circumstances, information may be shared without consent:

•⁠ ⁠Where there is a risk of serious harm to you or another person

•⁠ ⁠Where disclosure is required by law (e.g. court order)

•⁠ ⁠Where disclosure is in the public interest

Any such disclosure will be discussed with you wherever possible, unless doing so would increase risk.

The CBT Clinic Tunbridge Wells will never share your personal data for marketing purposes.

Where is my data stored?

Your data is stored securely using a combination of:

•⁠ ⁠Encrypted cloud-based systems

•⁠ ⁠Password-protected email systems

•⁠ ⁠Secure mobile devices

All software and systems used to support the clinic are GDPR compliant.

Paper records, where used, are kept in locked storage and securely shredded when no longer required.

All devices are password protected and encrypted, with up-to-date antivirus and malware protection.

What are my rights?

You have the right to:

•⁠ ⁠Request access to your personal data

•⁠ ⁠Request correction of inaccurate data

•⁠ ⁠Raise concerns about how your data is handled

A Subject Access Request (SAR) can be made by contacting Jessica Wey. Proof of identity may be required. Requests are usually responded to within 30 days. An administrative fee may apply where permitted by law.

In some circumstances, information may be withheld if disclosure could cause serious harm to you or another person.

Requests to delete therapy records may be refused where retention is required by law or professional guidelines.

Clinical records are retained for 7 years in line with professional guidance from relevant regulatory and professional bodies.

If you believe your data has been mishandled, you may contact the Information Commissioner’s Office (ICO)