CTC Psychological Services General Data Protection Regulation (GDPR)


CTC Psychological Services aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that CTC Psychological Services collects when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 (and the subsequent UK Data Protection Bill that is expected to be enacted in 2018).

The policy describes how we manage your information when you use our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or with other online presence (such as Facebook or Twitter). In respect of cookies the policy includes information about the type of cookies that we use and how you may disable those cookies.

CTC Psychological Services uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, CTC Psychological Services is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.

If your questions are not fully answered by this policy, please contact Admin at CTC Psychological Services. If you are not satisfied with the answers from CTC Psychological Services, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.

Registration reference: ZA021953

1. Why do we need to collect your personal data?

The nature of work at CTC Psychological services include psychological assessment, therapy, training and consultancy. The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.

We need to collect information about you so that we can:

  • Know who you are so that we can communicate with you in a personal way. The legal

basis for this is a legitimate interest.

  • Deliver services to you. The legal basis for this is the contract with you.
  • Process your payment for the services. The legal basis for this is the contract

with you, or via our contract with a Local Authority.

  • Verify your identity so that we can be sure we are dealing with right person. The legal

basis for this is a legitimate interest.

  • Contact you in case there is an issue with the service we offer you. The legal basis for this is a legitimate interest.
  • Optimise your experience on our website. The legal basis for this is a legitimate interest.
  • Send you information about offers and sales. The legal basis for this is your consent.
  • Provide you with a useful and relevant website. The legal basis for this is legitimate


2. What personal information do we collect and when do we collect it?

For us to provide you with your services, we need to collect the following information:

  • Personal details, family details, lifestyle and social circumstances, employment and education details
  • Your contact details including a postal address, telephone number(s) and electronic

contact such as email address

  • Your payment card details – if you are self-funding
  • Details about how you access our website such as the IP address, the browser you use, and which pages you access

We collect this information directly from you. We may also collect information about you from third parties; for example, if we need to gather information from another health professional (such as your Doctor, Solicitor or Local Authority) to provide a complete psychological assessment.

To make sure that you are assessed and/or treated safely, we record your personal information, such as that mentioned above, as well as all contacts you have with the service such as appointments and the results of assessments and letters relating to your care/report. Your health record is kept confidential within the service at all times and is only shared with staff when they need it to carry out their job.

2.1 Patients/Clients (Therapy or private assessment)

When you are a client of CTCPS we record all your treatment and details of your appointment so that your clinician can plan your treatment correctly. In addition to the personal information above, we may also collect information regarding:

  • Medical conditions (if relevant)
  • Prescribed medication
  • Psychological history and current difficulties
  • Sexuality
  • Offences (including alleged offences)
  • Financial information, including bank account details (if you are a private patient/client of CTCPS)
2.2 Clients undertaking Assessment for the purpose of Court Reports

In the case of a court report we retain the information as required by the courts or your solicitor.

In addition to the personal information above, we may also collect information regarding:

  • Medical conditions (if relevant)
  • Prescribed medication.
  • Psychological history and current difficulties.
  • Sexuality
  • Offences (including alleged offences)
2.3 Job applicants, current and former CTCPS employees and associates

When individuals apply to work at CTCPS, we will only use the information you supply to us to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service we will not do so without informing you beforehand unless the disclosure is required by law.

3. How do we use the information that we collect?

We use the data we collect from you in the following ways:

  • To communicate with you so that we can inform you about your appointments with us we

use your name, your contact details such as your telephone number, email address or

postal address

  • To deliver the correct service to you we use your name, your contact details and the

details about the service you are using

  • To create your invoice using our accounting package we use your name and address
  • To process your payment (through Bacs Payment Schemes Limited (Bacs), cheque or cash)
  • To optimise our website so that users can find the information they need
4. Who do we share your personal information with?

Your information is kept confidential within the service at all times and is only shared with staff when they need it to carry out their job. All staff are required to work to strict professional and contractual codes of confidentiality and where possible we will anonymise information so that individual patients cannot be identified.

If we become aware of your intent to cause harm to another person/organisation (e.g. terrorism), the law may require that we inform an authority without seeking your permission. In such a situation, the law may require that I share your personal information without your knowledge.

4.1 Patients/Clients (Therapy or private assessment)

In most circumstances we will not disclose personal data without consent. Your information may be shared with outside organisations if they are directly involved in your care/case, for instance, your social worker or insurer if they are funding your treatment, your GP, or other healthcare professionals involved in your care. We will discuss with you who we would discuss your care with, and what details we would share with them. If your health is in jeopardy (with your agreement) we may share your contact information with an emergency healthcare service (e.g. Mental Health Crisis Team). In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint we may need to share personal information with other relevant bodies. If we do need to share your information, we will always try and ask for your permission for this. We may not be able to ask your permission under special circumstances where we are legally required to do so.

4.2 Clients undertaking Assessment for the purpose of Court Reports

Your information is likely to be shared with organisations directly involved in your care/case, for instance, your solicitor, the defendant’s solicitor, a guardian and the court. You should contact your solicitor to find out with whom they might share information collected at your psychology assessment.

4.3 Undertaking Research

Personal information is also processed in order to undertake research. For this reason, the information processed may include sensitive types of information such as physical or mental health details, racial or ethnic origin and religious or other beliefs. We endeavour to make a contribution to scientific research and publication, to advance knowledge and skills in working with adults and children.  For some of the continuing professional development of our staff this is an essential requirement for achieving further qualifications.  In order to do this, we would like your permission to make use of artwork and other clinical material arising in the course of our work.  We abide by the ethical standards of The British Psychological Society; The British Association for Counselling and Psychotherapy; the United Kingdom Council for Psychotherapy and the Health and Care Professionals Council.  Any material would be used anonymously.  Often material is disguised or embedded in other material so that it illustrates a particular concept, rather than the person.  If any material or information provided by you or your family were used in a book or article, it would be done in a way that would prevent identification.

5. Where do we keep the information?

We keep your information in the stores described below.

5.1. On our company Servers

Data stored electronically is encrypted with restricted access in line with the GDPR.

5.1.1 Your Case Record

We use a server which processes requests and delivers data over a secured network connection. The anonymized case record includes a brief description of your sessions and any correspondence between us and third parties regarding your case.

5.1.2 Your psychological report

We create a report that contains a summary of all the information that we gather and our findings and conclusions. This includes information that we may have used from third parties (such as solicitors and medical records).

5.2. As a paper copy

We take hand written notes during your sessions. These notes are used to create reports that we provide to you, or for session notes with a therapist. The anonymized client notes are used for clinical supervision (to comply with the professional body and good ethical practice). Shared details include case specifics, but not the client’s personal details unless a legal or safeguarding requirement requires me to do so.

6. How long do we keep the information?

We will keep the personal information you provide for as long as it is reasonable and necessary for the purpose of the processing. On request, or at seven years after our last contact, we delete by electronic means and destroy paper records by shredding. (for clients under the age of eighteen, notes are kept until your 26th birthday or seven years after last contact whichever is the later). For adoption cases the records are stored for 100 years.

6.1 Clients undertaking Assessment for the purpose of Court Reports

If your case is for a court report for litigation purposes, we will keep your information until the end of your case, unless instructed otherwise by your solicitor. We do rely on solicitors informing us when your case has ended, but we will contact them every 12 months in order to ascertain whether your case is ongoing and whether we are at liberty to destroy some of your records. We will retain data that forms the basis of our report or the required number of years.

 6.2 Job applicants, current and former CTCPS employees and associates

Personal information about unsuccessful job candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. Once a person has taken up employment with CTCPS, we will compile a file relating to their employment. The information contained in this will be kept securely and will only be used for purposes directly relevant to that person’s employment. Once their employment with CTCPS has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

7. Who do we send the information to?

If you require a psychological report, we send your report to you, or the referring agency and also anyone we are required by law to inform. All reports that are sent electronically are sent as attachments that are encrypted and password protected. We send the paper copy of our invoices to our accountant. The accountant is based in the UK and all their computer systems are in the UK.

8. How can I see all the information you have about me?

You can make a subject access request (SAR) by contacting the Data Controller. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests. However, there may be a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. There may also be a reasonable fee to comply with requests for further copies of the same information. The fee may be based on the administrative cost of providing the information.

9. How you can access your information and correct it, if necessary?

CTCPS tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘Subject Access Request’ or ‘Right of Access’ under the Data Protection Act and the General Data Protection Regulation. We will then supply to you:

  • A description of all data we hold about you
  • Inform you how it was obtained (if not supplied by you)
  • Inform you why, what purposes, we are holding it
  • What categories of personal data is concerned
  • Inform you who it could be disclosed to
  • Inform you of the retention periods of the data
  • Inform you around any automated decision making including profiling
  • Let you have a copy of the information in an intelligible electronic form unless otherwise requested.

To make a request to CTCPS for any personal information we may hold you need to put the request in writing. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate, please address these changes to the Data Controller, via ‘How to contact us’.

9.1 Clients undertaking Assessment for the purpose of Court Reports

If your concern is related to a case with a solicitor that we are working for, please refer the queries through them. We may not be able to comply with a request to correct information we hold about you where it pertains to a litigation claim – this would need to be discussed with your solicitor.

10. How can I have my information removed?

If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records, or in legal cases that are not yet closed. If we decide that we should delete the data, we will do so without undue delay. Please see further guidance on: https://ico.org.uk/for-the-public/personal-information/

11. Are my emails secure?

As part of providing our service to you we will send your report, where appropriate to you via email. The report will be encrypted, and password protected. Also, as part of this service, we need to send details of your appointments to you. To protect your information, we prefer to use an end-to-end encrypted messaging service. This means you will log on to a specific service using a password (which we will let you know in advance) in order to view your emails from us. You can reply via the service once you are logged in.

12. Website Security

CTCPS Psychological services website has an SSL certificate. An SSL certificate shows that the data connection to an Internet page is secured with a Secure Sockets Layer (SSL). This ensures that the transferred data cannot be read or modified by third parties. You can recognize the encrypted connection to the lock icon in the address bar of the browser.

13. Complaints or queries

CTCPS tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. If you do have a complaint, contact Admins at CTC Psychological Services.

If you are not satisfied with the response from CTCPS or believe we are not processing your personal data in accordance with the law you have the right to raise your complaint with the Information Commissioner’s Office (ICO).

 Contact information ICO:

Website: https://ico.org.uk/concerns/

Email: casework@ico.org.uk

Telephone: +44 (0) 303 123 1113

14. Who we are and how to contact us

CTCPS is the company that you are supplying your personal information to.  CTCPS can be contacted by:

Email: admin@ctcps.co.uk

Post: CTC Psychological Services, 20 Walpole Street, Chester, CH1 4HG

Telephone: 01244 390121