Privacy Policy 

I aim to be as clear as possible about how and why I use information about you so that you can be confident that your privacy is protected. This policy describes the information that I collect about you when you consult me. This information includes personal data as defined in the UK General Data Protection Regulation (GDPR). 

I will routinely make use of artificial intelligence (AI) transcription software to record my consultations, whether they are online or in person. I do this to ensure that an accurate transcript of each session is maintained, and for operational effectiveness and ease of generating notes after each session. I will only ever use AI software that is ISO 27001 compliant, meaning that the software has been certified as upholding the standards of data security and privacy required by GDPR. 

During your assessment a full personal and medical history will be taken. This will consist of your personal data and is known as a ‘special category’ of data under the GDPR. It is protected by the GDPR and is also protected by my duty of confidentiality to you. 

To provide my services to you, and in particular to make a diagnosis and plan treatment, I will need to process your personal data in various ways. I might need to communicate findings and a treatment plan, including your personal data, to healthcare and other professionals (and may also need to receive medical or other relevant information from these professionals). When you come to your first appointment, I will tell you with whom I would expect to share your data and will seek your agreement. 

Your clinic letters or reports and all correspondence will be saved in an ultra-secure encrypted cloud. Cloud services are provided by Amazon Web Services, which is certified as GDPR compliant (for specific security details see https://aws.amazon.com/compliance/gdpr-center/). Letters and reports sent by e-mail will be encrypted and password protected. 

The current standard for mental health records is that they be retained for 20 years after the date of the last contact between the patient and any healthcare professional or eight years after the death of the patient, if that is sooner. After this date, all data will be securely deleted unless requested otherwise. 

Under the GDPR, Aljem must identify a lawful basis for processing your personal data, which may vary according to the type of personal data processed and the individual to whom it relates. The following bases, singly or in combination, apply.

1. Consent, including explicit consent.
2. The processing is necessary to perform Aljem’s contract with you.
3. The processing is necessary for compliance with legal obligations to which Aljem or I are subject. 
4. The processing is necessary for the provision of health or social care or treatment.

Finally, under the GDPR I am obliged to inform you of a few other details about your data and the way it will be managed: 

1. The Data Controller is Aljem Limited. The organisation can be contacted on admin@aljem.co.uk. 
2. You have the right to access any medical data about you that is authored by me, to correct any inaccuracies that may be contained within it, to have the data erased or to have me cease processing it, subject to certain exceptions. 
3. In addition to sharing data with other healthcare professionals, as set out above I may need to share data with your insurer to obtain approval to see you and for invoicing. In these cases, I will discuss this directly with you and will agree with you what can be disclosed. I may also need to share your data with the relevant local authority or other government bodies, or my regulator, if required to do so by law. 
4. If you are not satisfied with the way your data has been handled or the response from the Data Protection Compliance Manager, you can lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk.