Who am I?
My name is Marla Stromberg and I am a cognitive-behavioural psychotherapist and manager/director of my own CBT practice, CBT Canary Wharf. For all intents and purposes, I am also a data controller and data processor at CBT Canary Wharf: I decide how your personal data is to be processed and shared.
I take your privacy seriously and am committed to ensuring that your privacy is protected.
Any information collected by me, by which you can be identified when using this website, will only be used in accordance with this privacy statement.
I will never share your information with a third party for marketing purposes.
If you have any questions or concerns about how your data is processed or shared, you can contact me on (020) 7531-1220 or by email.
The lawful basis for processing your data
A lawful basis for processing is how I justify the processing of your personal data.
I process your personal data in line with GDPR legislation (General Data Protection Regulation) (EU) 2016/679.
The lawful basis for processing your data is legitimate interests.
In order for me to fulfil my role as a CBT therapist, I take notes in each session and store these notes in your file. My notes allow me to reflect on our sessions, and make good clinical judgment about your treatment and care, including developing a treatment plan and adhering to the treatment plan throughout the duration of your psychotherapy journey. I only use your data in ways you would reasonably expect, and which have a minimal privacy impact.
How do I collect information about you?
I obtain information about you in the following ways:
When you visit my website
When you enquire about my services via email and I reply to you via email, I cannot guarantee that your email or my reply is 100% secure. It is important that you understand that no data transmission over the Internet can be guaranteed to be 100% secure. If you wish to send me any documents via email and have any concerns about confidentiality and the data contained within your documents, I am happy for you to password-protect your documents before sending them to me. You can either provide me with your password in a separate email, or phone me and provide me with your password over the phone.
Over the phone
If you choose to make contact with me over the phone, I may collect information from you as a prerequisite for inviting you in for an assessment (see below, “What type of information is collected from you?”).
Face to face
When you attend for CBT sessions, I collect and record data from you in order to get to know you, understand you, and help you overcome your difficulties.
Once we agree on a day/time for you to attend an assessment session, I will ask you to complete a Client Details form. This form will ask you to provide me with personal information, including your name, date of birth and address.
I may receive information about you from third parties I work closely with, including other health professionals and your health insurance company. Third parties including analytics providers provide me with information that helps me ensure my website is user-friendly and provides my website visitors with the information they seek. The only third parties who I will have reason to obtain information from in relation to your treatment are your insurance company and/or referring GP or psychiatrist. Your insurance company may refer you directly to me, and if they do, they will often provide me with your personal information. If your GP or consultant psychiatrist refers you to me for CBT, they may also write a referral letter which may contain both personal and sensitive information. If you have any concerns about whether the above third parties are GDPR compliant, please contact them directly. I will never knowingly obtain data about you from any third party without your knowledge or consent.
What type of information is collected?
I may collect some or all of the following personal information from you, either at the pre-assessment stage (on the phone/via email/via my website), or face to face, throughout the course of therapy:
- Contact details including email address
- IP address and webpages visited on my website
- Date of birth
- Insurance Details (if you are paying through your health insurance policy)
- GP name and contact details
Special Category Data (Sensitive Data)
Given the nature of healthcare related data, some of the information I may collect from you will be classified as sensitive, either at the pre-assessment stage (on the phone/via email/via my website), or face to face, throughout the course of therapy:
- Ethnic background
- Sexual orientation
- Sexual behaviour and history
- Relationship history
- Physical and mental health history (including history of alcohol consumption, drug use and any medication previously prescribed)
- Current physical and mental health symptoms including suicide risk, alcohol and drug use, and any medication you are currently taking
- Offences and alleged offences
- Questionnaire scores (questionnaires that assess the severity of your symptoms)
I collect the above personal and sensitive data from you to ensure that the service I provide to you is adequate, and for monitoring and evaluation purposes.
What do I use your information for?
I process personal information to enable myself to provide cognitive-behavioural therapy to my clients, which may include:
- making appropriate referrals
- coordinating your care when working with other health professionals who may be involved in your care
- communicating with you regarding your treatment/appointments
- informing you of any new services I offer
- accounting for my clinical decisions and/or responding to complaints
I will never sell or provide your details to any third party for marketing purposes.
Who your information may be shared with
There may be occasions when I need to share the personal information I process about you with third parties, specifically, your insurance company or other health professionals involved in your care (see below). When I do so, I comply with all aspects of the Data Protection Act 1998 (DPA).
Your insurance company
If you are claiming the cost of your sessions through your insurance company, your insurance company may request details of your treatment and progress from me in order to authorize further funding for your treatment. Under these circumstances, I will share the minimum amount of information necessary with your insurance company.
Your referring psychiatrist
When you are referred to me by a consultant psychiatrist, I normally write to them at the beginning and end of treatment as part of good practice.
There are three situations where I would share your information with third parties, without your consent:
- If I am required to disclose data about you under a Court Order
- If I am concerned about the welfare of a child, i.e., where there are child protection issues
- Risk to self or others: where there is an imminent risk of harm to yourself or others, i.e., you have expressed an intent to kill yourself, or to kill someone else, imminently.
As per the BABCP Standards of Conduct, Performance and Ethics, I must take appropriate action to protect the rights of children and vulnerable adults if I believe they are at risk, including following national and local policies.
Retention period: how long do I store your data?
My retention period is seven years, and I use two main criteria for determining my retention period.
Criterion 1: According to the Limitation Act 1980, you, as my client, have six years within which to bring against me a complaint of breach of contract, breach of trust or a claim in relation to negligence. It is therefore in both our interests that I store your data for this period of time.
Criterion 2: The second criterion that I use in deciding how long to store your data is the likelihood of you returning to me for further therapy at some point in the future. In my experience, if a client returns to me for further therapy in future, they normally do so within seven years. Once you are discharged from my service, your file is stored securely in a locked, secure storage facility off site for seven years, after which your file is shredded.
Security of information shared over the internet
I process your personal data in line with GDPR legislation (EU) 2016/679, and take all appropriate measures to keep it secure. You can find out more about this legislation here.
I make every effort to ensure that your personal information is held securely and to safeguard against unauthorised access to your personal information. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure.
I strive to protect your personal information after I have received it, however:
1. You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.
2. You acknowledge and agree that you share and transmit the information at your own risk.
Your Individual Rights
You have a number of rights (including Right to be informed, Right to access, and Right to lodge a formal complaint) when it comes to your personal data. Please refer to the ICO’s website for full details of your rights.
Right of Access
You may request details of personal information which we hold about you under the Data Protection Act 1998 and in line with GDPR legislation (EU) 2016/679. Depending on the volume of information requested and the administrative costs involved in providing you with this information, there may be a charge for this information. You will be informed of the costs at the time the request is made. Requests for information must be put in writing. If you would like to request access to the information held on you, please email me.
Requests that are considered excessive or unreasonable may be refused. In the event your request to obtain details of information held about you is refused, you will be provided with an explanation as to why that is.
Right to rectification
If you believe that any information I am holding on you is incorrect or incomplete, please email me with details and I will promptly correct any information found to be incorrect.
Right to lodge a formal complaint with a supervisory authority
If you believe that your rights under the GDPR regulation have been infringed, or that the processing of personal data relating to you does not comply with this Regulation, you can inform the ICO (Information Commissioner’s Office), for example by phoning their helpline on 0303 123 1113.