Privacy Policy Statement for Butterfly Being (trading as Dr. Julie Meehan, Clinical Psychologist).
When you use Butterfly Being (trading as Dr. Julie Meehan, Clinical Psychologist) you trust us with your information. This privacy policy is meant to help you understand what data we collect, why we collect it, and what we do with it. We have tried to make it as simple as possible but if you have any questions, please contact us.
Julie Meehan assumes the function of data controller and Data Protection Officer (DPO) and supervises the compliance with General Data Protection Regulation (GDPR) within the business.
1. Information we collect
2. Where we get our information
3. How we use the information we collect
4. Information we share
5. How and when consent is obtained
6. How we protect your data
7. Protecting your rights to data
8. Security of your personal data
1 Information we collect
Butterfly Being holds personal data as part of conducting a professional service. The data follows under the following headings: healthcare records, educational records, clinical records, general administrative records, and financial records.
This privacy notice provides you with details of how we collect and process your personal data through your use of our site: https://www.juliemeehan.co
By providing us with your data, you warrant to us that you are over 18 years of age.
Contact Details
Our full details are:
Full name of legal entity: Julie Meehan
Name or title of Data Protection Officer: Julie Meehan
Email address: [email protected]
Postal address: Millennium House, Stephen Street, Sligo F91 E7KH
It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us [email protected]
1.1 Healthcare records
A healthcare record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. Psychological difficulties can be complex, and a wide range of information may be collected in order to best meet the needs of the client, and to maintain a high- quality service which meets best practice requirements. In order to provide a high-quality service, a range of information may be collected.
Examples of data collected and held on all current and active clients include the following:
· Name
· Date of birth
· Parent/guardian details, including contact number and e-mail address
· Description of family
· Educational placements.
· Pre- and post-natal history: This can include information relating to mother’s pregnancy, and child’s birth.
· Developmental data: developmental milestones, feeding history etc.
· Work related details (if client is an adult).
· Medical details: such as any relevant illnesses, medications, and relevant family history. Reports from other relevant allied health professionals such as: Speech and Language Therapy, Psychology, CAMHS (Child & Adolescent Mental Health Services), Occupational therapy, Physiotherapy.
1.2 Educational records
Relevant Individual Educational Plans (IEPs), progress notes from educational staff and school reports may be held.
1.3 Clinical records
Specific data in relation to psychological difficulties/presentations may be collected and held, such as assessment forms, reports, case notes, e-mails, text messages and transcripts of phone. Audio and video files may also be collected and stored.
1.4 General administrative records
Butterfly Being may hold information regarding attendance reports and accident report forms.
Should a prospective service user register their interest online for a specific event, their email address and name may be held, and they may be contacted regarding future relevant events.
1.5 Financial records
A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts, information for Revenue. Butterfly Being may hold data in relation to: on-line purchasing history, card payments, receipts and invoices. Information will include name of bill payer, client name, address and record of invoices and payments made.
Butterfly Being does not record and keep Credit card information. Any data given is processed directly via the card payment processor’s own secure portal.
2 Where we get our information
Personal data will be provided by the client, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected as part of a case history form prior to, or on the date of first contact, or via an online platform where a client has registered their interest in being contacted regarding events offered by Butterfly Being.
Information may also be provided directly from relevant third parties such as schools, medical professionals and allied health professionals, with prior consent from the parent(s)/guardian(s).
3 How we use the information that we collect
We use the information we collect to provide assessment and therapy as per the relevant professional guidelines, as well as to maintain the general running of the business, such as running our electronic booking system, keeping our accounts and updating you of any changes in policies or fees.
Information may also be used for research purposes, with the written consent of the client or parent/guardian.
We may also use clients’ contact details to contact them about upcoming events.
3.1 Data retention periods
The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed under confidential means.
3.2 Client Records
3.2.1 CLINICAL RECORDS
Butterfly Being keeps both physical and electronic records of clinical data in order to provide a service.
· The preferred format for clinical data is physical.
· In the case of adult clients, clinical data is deleted/confidentially destroyed after 7 years from last invoiced session. (Usually post discharge). In the case of a minor (under 18 years), clinical data is deleted/confidentially destroyed after 7 years from their reaching their 18th birthday.
· Video records/ voice recordings relating to client care/videoconferencing records may be recorded upon request from one or both parents/guardians. Consent will be provided on the Zoom recording and the recording will be kept in cloud storage for a maximum of 7 days upon which it will be deleted and wont be available to be accessed. Julie Meehan does not give permission for the recordings to be shared outside of the parental/guardianship role. These deletions will take place automatically upon the 7th day post recording and no warning will be provided of their eminent deletion.
3.2.2 FINANCIAL RECORDS
Butterfly Being keeps electronic/paper records of financial data from those who use our services.
Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally.
· Financial Data is kept for 6 years to adhere to Revenue guidelines.
· Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s request.
3.2.3 CONTACT DATA
Contact Data is kept for 7 years (from a minor’s 18th birthday) to allow processing of Financial Data if required. (This may be retained for longer for safety, legal request, or child protection reasons.)
3.3 Exceptions
If under investigation or if litigation is likely, or for clients who are under the care of Tusla, the Child and Family Agency, files must be held in original form indefinitely, otherwise files are held for the minimum periods set out above.
4 Information we share
We do not share personal information with companies, organisations and individuals outside Butterfly Being unless one of the following circumstances apply:
4.1 With your consent:
We will only share your Personal Identifying Information (PII) to third parties when we have express written permission by letter or email to do so. We require opt-in consent for the sharing of any sensitive information.
Third parties may include: hospitals, GPs, other allied health professionals, educational facilities.
4.2 For legal reasons:
We will share personal information with companies or organisations outside of Butterfly Being if disclosure of the information is reasonably necessary to:
§ Meet any applicable law, regulation, legal process or enforceable governmental request.
§ Meet the requirements of the Children First Act 2015.
§ To protect against harm to the rights, property or safely of Butterfly Being, our service users or the public as required or permitted by law.
4.3 To meet financial requirements:
Butterfly Being also is required to share financial data with John Byrne, TaxPlus Accountants in order to comply with local tax laws. Butterfly Being has a copy of John Byrne, TaxPlus Accountants’ own Data protection policy should we be required to provide copies of invoices or receipt books.
4.4 For processing by third parties/external processing
The following third parties are engaged for processing data:
Who: John Byrne, TaxPlus Accountants
Type of data: Financial
Purpose: Processing financial accounts
Who: PowerDiary
Type of data: Administrative: client name, phone number, email address
Purpose: On-line calendar and payment system
Who: Facebook
Type of data: Administrative: client name and email address
Purpose: On-line registration for interest in events
Who: Kajabi
Type of Data: Administrative, name of client, address, phone number, payment details
Purpose: online booking and payment system for events
Who: Stripe
Type of Data: Administrative, name of client, address, phone number, payment details
Purpose: online booking and payment system for events
4.4.1 TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA):
In certain instances, personal data may be transferred outside the EEA, e.g. to the US or other countries. This would be for specific purposes such as web-based event platforms. In such instances, Butterfly Being will use third parties which meet the privacy standards of GDPR.
Companies which Butterfly Being uses are:
Name: Kajabi; Powerdiary
Type of Data: Administrative, Client name and address
Purpose: Event booking
Name: Facebook
Type of Data: Administrative, Client name and address
Purpose: Registration to be notified of upcoming events held by Butterfly Being
5 How and when we obtain consent
Prior to initial assessment or consultation, a copy of the data protection policy will be provided to clients along with a client contract. A consent form will need to be signed by the client prior to commencing the service. Copies of the signed consent forms will be given to both parties.
A consent form may also be attached to any digital bookings via our on-line booking system. Users will be directed to read the privacy statement and tick to agree to the terms. Service cannot be initiated without ticked consent to our set privacy policy.
Should a client wish to withdraw their consent for data to be processed, they can do so by contacting Butterfly Being through: [email protected]
6 How we protect your data
In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:
6.1 By limiting the data that we collect in the first instance
All data collected by us will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes. The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include, the assessment, diagnosis and treatment of psychological difficulties.
6.2 By transmitting the data in certain specified circumstances only
Data will only be shared and transmitted, be it on paper, electronically or via phone, only as is required, and as set out in section 3.
6.3 By keeping only the data that is required
When it is required and by limiting its accessibility to any other third parties.
6.4 By disposing of/destroying the data once the individual has ceased receiving treatment
Within 7 years (or in the case of a minor, 7 years following their 18th birthday) of the completion of this treatment apart from the special categories of personal data as set out at 1.1 above. Where data is required to be held by us for longer than this specified period, we will put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These may include measures such as the encryption of electronic devices, pseudonymisation of personal data, and/or safe and secure storage facilities for paper/electronic records.
6.5 By retaining the data for only as long as is required
Which in this case is 7 years (or in the case of a minor, 7 years following their turning 18 years old) except for circumstances in which retention of data is required in circumstances set out at part 1.1 above or in certain specific circumstances as set out at Article 23(1) of the GDPR.
6.6 By destroying the data securely and confidentially after the period of retention has elapsed.
This could include the use of confidential shredding facilities or, if requested by the individual, the return of personal records to the individual. All deletions will be recorded on the ‘Data Minimisation Log’ but specifics of each deletion will not be recorded or stored.
6.7 By ensuring that any personal data collected and retained is both accurate and up-to-date.
All case notes will be dated and signed. Where edits are made, these will also be dated and signed. Julie Meehan can only retain the information that has been provided to her through contact- we can only retain accurate records and case notes based on the information that has been provided- if a client changes address, contact details or information that was initially shared in their Intake Form then the onus is on the client to make sure Julie Meehan is aware of these changes.
7 Protecting your Rights to
Data
7.1 Adult clients
Adults have the right to request data held on them as per article 15 of GDPR. A request must be made in writing. Further information regarding accessing your personal data is available in the document ‘Rights of Individuals under the General Data Protection Regulation’, downloadable from: www.gdprandyou.ie
7.2 Children
For children under the age of 16, data access requests are made by their guardians. When a child turns 16, then they may make a request for their personal data. However, this is subject to adherence with the Children First Act.
8 Security
Butterfly Being, as with most providers of healthcare services is aware of the need for privacy. As such, we aim to practice privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.
All persons working in, and with Butterfly Being in a professional capacity are briefed on the proper management, storage and safekeeping of data.
All data used by Butterfly Being, including personal data may be retained in any of the following formats:
1. Electronic Data
2. Physical Files
The type of format for storing the data is decided based on the format the data exists in.
Where applicable, Butterfly Being may convert physical files to electronic records to allow us to provide a better service to clients.
8.1 Data Security
Butterfly Being understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which Butterfly Being uses to ensure that the data is kept safe. 8.1.1 ELECTRONIC DATA All electronic data is contained in the following systems: PowerDiary This system is physically located in Australia This system provider is aware of their requirements for GDPR compliance. Dropbox - This system provider is aware of their requirements for GDPR compliance. Kajabi - This system is physically located in the United States of America. - This system provider is aware of their requirements for GDPR compliance. This website uses Kajabi as the platform for their website. Their servers are based in USA and are covered under the Privacy Shield and also the California Consumer Privacy Act. The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List. The decision of Schrems II case does not affect the Privacy Shield requirements. All personal data transferred through the USA is protected by the Privacy Shield and constantly monitored for any breaches or changes in data processing law. Please review Kajabi’s Privacy policy if you require any more information https://kajabi.com/policies/privacy Blacknight Internet Solutions Ltd This system is used to provide hosting for Butterfly Being and they have servers based in Ireland. G-Suite - This system is physically located in the United States of America. - This system provider is aware of their requirements for GDPR compliance. Microsoft One Drive This system is physically located in the United States of America. - This system provider is aware of their requirements for GDPR compliance. Laptop Letters, reports are saved as PDF files on Butterfly Being’s laptop. This laptop is password protected and is kept in locked filing cabinets when not in use. 8.1.2 PHYSICAL FILES All physical data is located in, Butterfly Being’s clinic room, Unit one, First Floor, Millennium House, Stephen Street, Sligo Only Julie Meehan has access to these records. These records are kept in a filing cabinet secured with a lock and key. 8.2 Security Policy 8.2.1 Butterfly Being understands that requirements for electronic and physical storage may change with time and the state of the art. As such, the data controller ( Julie Meehan) in Butterfly Being reviews the electronic and physical storage options available to Butterfly Being every year. 8.2.2 All persons working in Butterfly Being are aware and briefed on and refresh the requirements for good data hygiene every year. This briefing compliance is monitored by Julie Meehan and includes, but is not limited to: § Awareness of client conversations in unsecure locations. § Enabling auto-lock on devices when leaving them unattended, even within Butterfly Being locations. § Use of non-identifiable note taking options. (initials, not names). § The awareness of Butterfly Being’s procedure should a possible data breach occur, either through malicious (theft) or accident (loss) of devices or physical files. Date of document: 27/03/2022 Review Date: 27/03/2023
- This system is physically located in the United States of America.