Privacy Policy

1. Introduction

Welcome to Dr Khyati Rawal (Dr Rawal) (a trading name of KR Psychological Consulting Limited) and her team’s privacy policy (this policy).

Dr Rawal and her team respect your privacy and the importance of protecting your personal data. This policy sets out how we collect, store and use your personal data when you use any of our services or visit our website or social media, and tells you about your privacy rights and legal protections. This policy addresses the requirements of the General Data Protection Regulation and Data Protection Act 2018, which give you certain rights regarding access to your personal data and how it is stored and used by businesses and other organisations in the United Kingdom (UK).

Please read this policy so that you are aware of how and why we use your data. By using any of our services, products or website or engaging with our social media you are agreeing to this policy.

2. About us

Controller:

KR Psychological Consulting Limited (referred to as “we”, “us” or “our” in this policy) is the data controller and is responsible for your personal data. We have appointed a data protection officer (DPO) who is the individual responsible for overseeing this policy and how we apply it. Any questions about this policy or requests to exercise your rights should be directed to our DPO.

DPO:

Name: Dr Khyati Rawal
Address: 6a Royal Parade, Kew Gardens TW9 3QD, London, United Kingdom
E-mail: info@dr-rawal.com

Our website or social media may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We have no relationship with and are not responsible for these third-party websites or how they handle your personal data. When you leave our website we encourage you to read the privacy policy of every website that you visit.

3. What personal data do we collect?

Personal data means any information about you from which you can be identified. We collect, store, use and deal with several types of your personal data which we have grouped into five categories:

  • Identity data includes first name, last name, former name(s), usernames or other identifiers, gender or gender identity, date of birth, current and former marital status.
  • Contact data includes residential address, postal address, billing address, e-mail address and telephone numbers together with contact details of other medical professionals involved with your care.
  • Financial data includes health insurance details, payment details and current and past employment details.
  • Health data includes the fact that you are our client, therapeutic and other notes from any sessions you attend, the name and address of health professionals with whom you are involved, health history and current health condition.
  • Usage data includes records of services or products provided by us to you, your interests, how you interact with our website or social media, preferences and feedback.

Due to the nature of our services, on occasion we may collect sensitive personal data about you including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data.

If you are a child or any other person whose treatment is funded or overseen by a parent, guardian, carer or third party, we will likely hold some of the above personal data or sensitive personal data in respect of that parent, guardian, carer or third party.

We require your specific consent for processing personal data, so you are required to sign an agreement before we provide services to you (Client Agreement). We will not collect any personal information from you that we do not need in order to provide our services or products to you.

Where we need to collect personal data by law, or under the terms of our Client Agreement or (where relevant) under the terms of your health or another insurance policy, and you do not provide or provide incorrect data, we are unlikely to be able to perform our services. In this case, we may have to cancel our Client Agreement and notify any referrer.

4. How do we collect your personal data?

We use different methods to collect data from and about you including through:

  • Direct interactions, including face to face sessions in person or by video conferencing, information provided in a paper or electronic form or by post, phone, e-mail or otherwise. This includes personal data you provide when you book our services or give us feedback or contact us.
  • Third parties, where we receive personal data about you from various third parties such as health professionals, a parent, guardian or other carer (where relevant), insurance providers (where relevant), your employer (where relevant) and providers of payment services.

5. How we use your personal data

We only use your personal data when the law and our professional standards bodies allow us to, which most commonly will be in the following circumstances:

  • Where we need to perform the Client Agreement we plan to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or professional standards obligation.

The ways we are likely to use your personal data, and the legal or legitimate interest basis that allows us to do so, are as follows:

A. To register you as a new client
We will likely use your identity data and contact data for this purpose.

This is required to perform the Client Agreement with you.

B. To deliver our services to you, including managing payments and collecting arrears
We will likely use your identity data, contact data and financial data for this purpose.

This is required to perform the Client Agreement with you and protect our legitimate interest in recovering debts owed to us.

C. To manage our relationship with you, including notifying you of changes to the Client Agreement or this policy and requesting feedback
We will likely use your identity data, contact data and usage data for this purpose.

This is required to perform the Client Agreement with you, required to comply with legal and professional standards obligations and protect our legitimate interest in keeping our records up to date.

D. To administer and protect our business and its website
We will likely use your identity data, contact data and usage data for this purpose.

This is required to comply with our legal obligations and protect our legitimate interest in running and maintaining our business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

E. To maintain therapeutic notes
We will likely use your identity data, contact data and usage data.

This is required to perform the Client Agreement with you and comply with legal and professional standards obligations.

F. To liaise with other health professionals and your insurer
We will likely use your identity data, health data and usage data.

This is required to perform the Client Agreement with you and comply with legal and professional standards obligations.

We do not use your information for any promotional or marketing purposes without your consent, and will not share your information with third parties for those purposes.

We will only use your personal data for the specific purposes for which we collected it or other purposes reasonably related to those specific purposes. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law or pursuant to the terms of our Client Agreement.

6. Disclosures of your personal data

We may share your personal data with the parties set out below for the purposes set out in the table above:

  • Service providers who provide information technology, financial and system administration services.
  • Professional advisers including lawyers, bankers, accountants and insurers which provide consultancy, banking, legal, insurance and accounting services.
  • His Majesty’s Revenue & Customs, regulators and other authorities based in the UK and other relevant jurisdictions.

We require all third parties to whom we transfer your information to respect the security of your personal information and to treat it in accordance with the law. We only allow third parties to process your personal information for specified purposes and in accordance with our instructions. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Your therapist will receive regular supervision, which may be with other psychologists. The supervision is to ensure high quality clinical practice and is a standard part of being a psychologist. In order to protect your privacy, the supervisor will not know you personally or professionally and you will be referred to in an anonymised form. Your information may be discussed verbally when it is helpful for professional purposes.

Where you participate in any group therapy sessions, depending on the nature of those sessions, it is possible that aspects of your personal data including identity and health data will be confidentially shared within the group. In order to protect your privacy, the therapist will discuss this aspect of group therapy with you beforehand and take certain measures during these sessions to protect your privacy, for example by referring to you by your first name only.

If we think you are at risk in any way, your information may be shared with an emergency healthcare service or with a social worker to safeguard you. If we become aware of any intent by you to cause harm to another person or organisation, we may be required to inform an authority without seeking your permission by law and may share your personal information without your knowledge.

7. International aspects

Many of our external service providers are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK. Whenever we transfer your personal data out of the UK we endeavour to ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed by the Information Commissioner’s Office to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Dr Rawal and her team have an international client base and regularly provide services to clients based in the European Union and other countries or jurisdictions. The Client Agreement and this policy are governed by and subject to the laws of the UK to the maximum extent possible. However, the provisions of this policy are compatible where reasonably possible and permissible (by UK law) with the European General Data Protection Regulation (Regulation (EU) 2016/679) and other local privacy regimes.

8. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. Data storage

We will only store your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to services or products provided to you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

The retention periods for different types of your personal data are as follows:

A. Identity data

  • Adult
    • 8 years after the end of our work together.
  • Child
    • (a) Until you are aged 25 or 26, depending on your age at the end of our work together; or
    • (b) 8 years after your death, if you are aged under 18 when you die.

Required for our regulatory, professional standards and insurance purposes.

B. Contact data

  • Adult
    • 8 years after the end of our work together.
  • Child
    • (a) Until you are aged 25 or 26, depending on your age at the end of our work together; or
    • (b) 8 years after your death, if you are aged under 18 when you die.

Required for our regulatory, professional standards and insurance purposes.

C. Financial data

  • Adult
    • (a) 6 years after the end of our work together; or
    • (b) 1 year after the end of our work together for payment data
  • Child
    • (a) 6 years after the end of our work together; or
    • (b) 1 year after the end of our work together for payment data

Required for our regulatory, professional standards and insurance purposes; to comply with UK tax law; to ensure full payment of services provided.

D. Health data

  • Adult
    • 8 years after the end of our work together
  • Child
    • (a) Until you are aged 25 or 26, depending on your age at the end of our work together; or
    • (b) 8 years after your death, if you are aged under 18 when you die

Required for our regulatory, professional standards and insurance purposes.

E. Usage data

  • Adult
    • 8 years after the end of our work together
  • Child
    • (a) Until you are aged 25 or 26, depending on your age at the end of our work together; or
    • (b) 8 years after your death, if you are aged under 18 when you die

Required for our regulatory, professional standards and insurance purposes.

10. Your data protection rights

Under certain circumstances and subject to our legal and professional data retention and disclosure obligations, you have rights under data protection laws in relation to your personal data, including a right to:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data

If you want to exercise any of these rights please contact our DPO. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee or refuse to comply with your request if it is clearly unfounded, repetitive or excessive.

We may request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of the other rights). This is a security measure to ensure disclosure of personal data only to those with a right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests.