Caitlin Buon
Registered Psychotherapist
& Psychodramatist
UKCP, MBACP

​

1. Introduction

​

Your privacy is a top priority. I am committed to always being a good custodian of your personal information, handling it in a responsible manner, and securing it with industry standard administrative, technical and physical safeguards and in accordance with the General Data Protection Regulation (GDPR) 2016.

​

I follow two guiding principles when it comes to your privacy:

• transparency - I work hard to be transparent about what personal information I collect and process

• simplicity - I try to use easy-to-understand language to describe my privacy practices to help you make informed choices

 

About Becomings

​

Becomings is registered as a data controller with the Information Commissioner’s Office (ICO) (ICO registered number ZA345165).

​

It is the sole trader business of Caitlin Buon.

​

If you have any queries about this privacy notice or about any aspect of my data management, please contact me.

​

I'll update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was published on the website www.becomings on 25 May 2018.

​

2. How I use your information

​

a) Storage and management of personal information

​

As a client using my services, you grant me permission to process personal data which you have provided to me as follows:

I will keep records of payments for financial accountability reasons for six years.

​

Basic records of a client’s name and contact details will be kept for the period that the client is in therapy with me and then for six years following the completion of therapy in order to respond to any complaints or legal actions.

​

This information is kept separate from client notes.

​

Client notes do not identify clients by their first name or surname. Rather a code is used on these notes to identify the client. No other identifying information is recorded in the notes.

​

I'll also keep client session notes for six years (following the completion of therapy) in order to respond to any complaints or legal actions that may arise.  

​

b) Visitors to my website

​

No user-specific data is collected by me or any third party. If you fill in a form on my website, that data will be temporarily stored on the web host before being sent to me.

​

I do not use Google Analytics.

​

c) Clients and enquiries

​

The legal basis I use for processing the personal information of clients and those making enquiries is a combination of contract and legitimate interest.

​

I carefully safeguard the information I hold about clients. This information comes from the way clients engage with me, information provided through enquiry and booking forms, or details completed over the phone or in person when exploring your needs or session notes.

​

The information may also come from clients’ interactions with me, for example, through social media, Website usage or surveys. It may include, for example, contact details, interests or guidance documents downloaded from my Website.

What the information is used for?

​

I collect this information to provide my services to clients and to inform my development of new and improved services to continue to meet my clients’ needs.

​

Specifically, I may use client information to:

• develop and improve my services through assessment and analysis of the information

• improve the relevance of marketing messages I may send you

• personalise my Website for you

• protect my systems

 

I send messages by post, telephone, text, email or other digital methods. These messages may be:

• to help meet your needs

• to meet my obligations

• to keep you informed about the services I provide that may be of interest

• I will never pass on your information to a third party

 

Sharing your information

​

During your contact with me, I’ll tell you how your information will be used and that it may be necessary to share it with other services and organisations

​

I will not share your information with any third parties unless:

​

you have consented to this (for example by providing information to me after I’ve told you that I will supply the information to a third party)

• it is as part of my duty to protect a child, a vulnerable adult, yourself or the public

• for the prevention and detection of a crime or the assessment of any tax or duty

• I am required to do so by any court or law or any relevant regulatory authority

• to protect the rights, property or safety of myself or any third parties (for example for the purposes of fraud protection)

 

d) Members of the public who make enquiries

​

I do not usually record or process any data from members of the public who ring me with general enquiries. If a query does require me to take personal data I will explain this at the time. I do not record phone calls.

​

I retain emailed queries from the general public for a maximum of three months.

​

e) Clients and non-clients who attend my events

​

If you apply to attend an event I will hold the information I need in order to deliver this event. My legal basis for holding your data will be a combination of contract and legitimate interest.

​

All event attendees will be listed on the delegate list that is shared with other delegates, exhibitors and sponsors. Event information including video and still images, is stored on my PC. I keep information about event attendees, presenters and actors for 25 years. Information about exhibitors and sponsors is kept for five years. I use SurveyMonkey to gather event evaluation.

​

Photography and filming

​

If you attend an event or take part in a promotional activity, I may ask to take your photograph or film you. Any images I hold, whether in still photographs or video, may be covered by the definition of personal data in the GDPR. I will need your consent in order to take and use these images fairly and lawfully. I will ask you to complete the form below.

​

Photography and filming consent form

​

Filming

​

I may record events for use in an online video library, publicity and marketing materials, including use on my Website. This filming will primarily focus on the speakers and their presentations, however, it may include some shots of the audience. By attending these events you are deemed to have consented to your inclusion in these recordings. If you don't want to be included in any recording it is your responsibility to tell the cameraman at the event before filming starts.

​

I may use third party processors to help me deliver successful events. I use a wide range of venues, mostly hotels, around the UK to host events. I ensure that I have appropriate data protection agreements with all of them.

​

f) People who take part in my surveys and consultations

​

I use third party processors for both my internal and external surveys.  I collect minimal personal data in surveys - generally only email addresses so that I can keep in touch with participants. I keep information only for the duration of the survey campaign.

​

g) People who sign up to my newsletter

​

If you sign up to my newsletter I will only keep your email and name and I will renew your consent every two years.

 

3. Accounting and accreditation requirements

​

I may share data about aspects of the delivery of my services and business with:

• my Accountants

• HMRC - see HMRC personal information charter

• the Information Commissioner’s Office - see ICO privacy notice

• and other regulatory bodies such as the UKCP, BACP, BPA and CMC  , should this be necessary to comply with my accreditation requirements – see the privacy notices for UKCP, BACP, BPA and CMC

 

I may from time to time use different law firms to provide advice and guidance on a range of topics and I may share personal data with them at times. All third parties will have contracts with me which includes a third-party processor agreement.

​

4. Your rights

​

Under the General Data Protection Regulation (GDPR) you have rights as an individual data subject which you can exercise in relation to the information I hold about you. You can read more about these rights on the ICO's Website.

​

5. Complaints and queries

​

I try to meet the highest standards when collecting and using personal information, and I take any complaints about this very seriously. I encourage you to let me know if you think that my collection or use of information is unfair, misleading or inappropriate. I also welcome any suggestions for improving my procedures.

​

This privacy notice does not provide exhaustive details of all aspects of my collection and use of personal information. However I’m happy to provide any additional information or explanation needed. Please send any requests for this to me.

​

If you want to make a complaint about the way I've processed your personal information, you can contact the ICO as the statutory body which oversees data protection law - see ICO concerns.

​

6. Access to your personal information

​

I try to be as open as I can in terms of giving people access to their personal information. You can find out if I hold any personal information about you by making a ‘subject access request’ under GDPR.

​

If I do hold information about you I will:

• give you a description of it

• tell you why I am holding it

• tell you who it could be disclosed to

• let you have a copy of the information in an intelligible form

 

To request any personal information I may hold, you must put your request in writing to me.

If you agree, I'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

​

You can ask me to correct any mistakes in any information I hold.

​

7. Disclosure of personal information

​

In almost all circumstances I will not disclose personal data without consent. However, for example if a client makes a complaint about my practice which is then investigated by one of my Accrediting Bodies (UKCP, BACP, BPA or CMC) I'll need to share personal information with the organisation concerned or with other relevant bodies.

​

I may also need to share personal data if I have a duty of care concern which is set out and agreed with clients when we contract at the commencement of therapy.

​

8. Data security

​

I recognise that the information you provide may be sensitive and I will respect your privacy. I keep information about you confidential. This means I store it securely and control who has access to it.

​

I’m committed to holding all personal data on secure systems.

​

Paper-based personal data are kept in locked cabinets, to which only I have access. These records are then archived in a secure locked storage area in my home office and shredded six years after completion of therapy.

​

Notes may also be held on my computer which are stored in password protected Kaspersky Vault files for six years and then deleted using Kaspersky File Shredder.

​

I have fully secure email and use my own domain (buon.net). I also have facility to send fully encrypted email if required. I have Kaspersky anti-virus on all of my computers and phones that is updated daily and have a firewall on my computers as well. I use Windows 10 Professional with all patches installed daily.

 

​

​