As per the regulations of the General Data Protection Regulation (GDPR), we will:
- When required, we ask for your explicit permission to process your personal data. This includes when you start using our services and when you ask us to deviate from this policy. When our work involves minors (children below age 16), this includes the permission of all legal custodians of the minor.
- We have made suitable technical and organizational provisions to warrant the protection of your personal information.
- We are aware of your rights regarding your personal information and want to inform you and respect your rights.
As Embracing Horizons we are responsible for the processing of your personal information. If you have any further questions about how we process your personal information, please contact Jet Sichterman at jet#embracinghorizons.com (replace # for @).
Processing of the personal data of our clients
As our clients often are minors (children below age 16), the following apply to both the personal information of the minor as well as data of their legal custodians (usually their parents).
We use your information to inform you about our services, to deliver our services and for the administrative and financial purposes related to delivering our services.
We may process and store any information that you deliver to us as long as it helps us to deliver our services to you. This may include general personal data as well as special personal data, included, but not limited to, personal information about health.
The information you share with us is held confidential and secure, and will not be shared with others without your consent. There are a few exceptions to this:
- Our therapists may discuss your case in supervision and peer supervision, with (peer) supervisors within the practice or outside of our practice. When discussing with external (peer) supervisors, we will only share the information that is absolutely required in order to receive the supervision and we will share the situation anonymously.
- We may need to break confidentiality if we are seriously concerned there is a risk of harm to you or to someone else. In such situations, we will contact the institutions most suitable to help you (for example, your GP, social services or the police). In such situations, we will tread carefully and when possible discuss the situation with our (peer) supervisors before deciding to break confidentiality. When possible, we will let you know about this before disclosing the information, or we will let you know what information is shared and with whom.
- We store your data on a cloud-based software solution called Praktijkdata, operated by Telasoft. We have a controller-processor contract with Telasoft, the company operating Praktijkdata, which limits them to processing of your information solely for the purpose of storing the information and assisting us to use the online environment. It is unlikely that employees of Telasoft will need to review your personal information to deliver their services to us, however, if they should observe any personal information they are bound to the same respect and confidentiality towards this information as we are.
We store your information in different ways:
- In the cloud-based software solution Praktijkdata. We use this solution as it enables us to collaborate within our practice and provide supervision. Within Embracing Horizons, your sensitive information is accessible to the therapist(s) working with you/your family and to the owner of Embracing Horizons (Jet Sichterman). Additionally, our administrative assistant has access to your name and address details in order to schedule appointments and send invoices to you. Praktijkdata is protected by measurements according to the ISO27001 & NEN7510 standards.
- On our email servers. Email is not a secure option to send personal information relating to health. We therefore aim to use email only for scheduling purposes and to share general information with you about our practice or about our appointments. When we need to send you information about your/your child’s health digitally, we will use Praktijkportal (a functionality of Praktijkdata which enables secure transfer of information). We can also make Praktijkportal available to you if you wish to send us personal information. If you instead opt to use email for this, Embracing Horizons is not liable for any breach of security. We will however process your email to store it in Praktijkdata, and delete it from the email servers, within 3 months.
- On our laptops, which are password protected and protected by up-to-date security software.
- On a secure external hard drive that will be stored in a locked cabinet.
- On paper. When paper data is stored, it will be secured in a locked cabinet and when it is no longer required we will shred it. It may occur that information on paper is temporarily traveling between locations when we have met you away from our office or when we need to process the information away from our office. We attempt to limit such instances and limit the amount of information that we process away from the office on each instance. We will also, whenever possible, limit the amount of personal details used on paper so that an outsider may not know the names of the people involved. Whenever possible we attempt to use erasable paper which will be erased once your information has been processed and stored elsewhere.
When you inquire about our services but have not yet booked a chargeable appointment, we consider you a potential client. Your data will be used and stored as outlined above and will be retained up to one year after the year you have last contacted us. You have the right to request insight into your file and the right to request the file to be destroyed.
When you have booked a chargeable appointment with us, we consider you a client. After processing, your personal information will be stored and archived by Embracing Horizons. We will maintain the file as long as we are required to do so by law – including when there are changes in the law that apply to older files. Currently, as of January 2020, the term set by law is 20 years. We may maintain a file longer than required by law if we have grounds for doing so, in this case we will inform you accordingly. You have the right to request insight into your file and the right to request the file to be destroyed.