GDPR (General Data Protection Regulation)

GDPR (General Data Protection Regulation) is the most significant piece of privacy and data protection legislation in twenty years. It came into effect on 25th May 2018 and from that date I am required to ensure that I gain a new data protection and privacy consent from all clients. In it (amongst other things) I confirm what information I will hold about you and how I am permitted to use it.

Who am I?
Dr. Nicola McCaffrey Psychological Services AS is a private therapy practice registered in Stavanger, Norway. I therefore keep and hold confidential records and statistics about my clients. As a company processing your personal data, I am regulated by the General Data Protection Regulation (GDPR). Some of the information that I may collect is classified as sensitive personal data and I can only use such data where I have your explicit consent. Other data is not sensitive in nature but can identify you; this includes things such as your name, date of birth, e-mail address, address, and telephone number. Both your personal and sensitive personal data will only be used in order to provide a service to yourself, as well as for managing and quality assuring the service. I would like to assure you that I am committed to protecting the privacy of all of my clients. I will endeavour to ensure that the information you provide me with is kept secure and managed within the General Data Protection Regulation.

1. What information will I collect about you?
I collect information about you when you initially book an appointment with me as well as throughout the course of our therapeutic contact. I also collect information when you provide feedback or supply me with information during the course of our relationship. I may process certain types of personal data about you as follows:

  • Identity Data may include your first name, last name, title, date of birth and gender.
  • Contact Data may include your address, email address and telephone numbers, as well as the contact details for relevant third parties such as your doctor.
  • Financial Data may include your bank account and payment details.
  • Transaction Data may include details about payments between us.

Sensitive Data
As well as personal data I may request to collect sensitive data about you in order to provide therapeutic services. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and information about your health. If you do not provide me with that data when requested, I may not be able to perform the contract (for example, to provide therapeutic services to you). I may collect and hold on file certain types of sensitive data about you as follows:

  • Session notes
  • Assessment information and psychological formulations
  • Background information
  • Diagnoses, both previous and current
  • Treatment plans
  • Relapse prevention plans

2. How I Collect Your Personal Information
You may provide data by filling in forms on my website or in our sessions, or by communicating with me by post, phone, text, email or otherwise. I also take notes during our therapy sessions.

3. How I Use Your Personal Information
I will only use your personal data when legally permitted to do so. The most common uses of your personal data are:

  • To deliver the services that you have requested. 
  • To contact you, or any relevant third parties as previously agreed, as necessary in accordance with the services that you have requested.
  • To maintain my own accounts and records.

If any recorded data is used for my own supervision, all such data will be anonymised to the extent that individual clients cannot be identified.

Individual client data will never be passed to anyone else without your consent as the client. However, confidentiality may be broken if my own safety or that of you the client, the client’s family members or other members of the public is at risk, or if I am required by law to do so.

4. Disclosures of Your Personal Information
I will not share your personal information with anyone unless I have your explicit consent to do so. However, I may have to share your personal data with the parties set out below for the outlined purposes:

  • Previously agreed third parties such as General Practitioners (Fastelege) and schools. 
  • Professional advisers including other psychologists for the purposes of supervision and accountants in order to maintain my own accounts and records. 

I require all third parties to whom I transfer your data to respect the security of your personal data and to treat it in accordance with the law. I only allow such third parties to process your personal data for specified purposes and in accordance with my instructions.

If you contact me directly between sessions, by email or text message, and I respond, I will not send any sensitive or confidential information, but will discuss any sensitive information in our next session.

5. Data Retention
I will only retain your personal data for as long as necessary to fulfil the purposes I collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
I store all client details online using Write Upp Practice Management Software. This software is secured with two-factor authentication (2FA) and 256-bit SSL encryption.
Any paper records, such as questionnaires, with identifying data will be uploaded onto the practice management software and then destroyed. 
Any emails or texts which you send me will be periodically trashed and cleared. 
I keep records for 7 years after our work is complete or, if you are a young person, I keep your records up to the age of 25. After that point I will dispose of your notes.

6. How do I access my information?
I recognise that on occasion, my clients may wish to exercise their rights under the General Data Protection Regulation (May 2018) and make a subject access request in respect of their personal information that I am holding. At times during therapy, information is provided by more than one individual. In these cases, I will only release information if consent has been given by all of the individuals involved.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). I try to respond to all legitimate requests within one month. Occasionally it may take me longer than a month if your request is particularly complex or you have made a number of requests. In this case, I will notify you and keep you updated.

7. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.
  • The right to lodge a complaint with the Information Commissioner’s Office.

You can see more about these rights at:

If you wish to exercise any of the rights set out above, please email me at 

8. Complaints Notice
If you are not happy with any aspect of how I collect and use your data, please let me know so I can try and resolve it for you. Should this not be resolved, you have the right to complain to the Information Commissioner’s Office (ICO) (


Last updated: May 2018