Consent and Record Keeping

Your personal and health information is classified as “special personal information” under the Protection of Personal Information Act (POPIA).
This page explains what I collect, why I collect it, how long I keep it, with whom it is shared and what your rights are.


1. What information do I collect?

  • Patient Intake Form – completed online at patient form or in person.
    Includes identification details, contact information, medical-aid data and a brief psychosocial history.
  • Session Notes – contemporaneous notes taken during therapy, stored on paper and (from Feb 2025) in encrypted iPad notes.
  • Optional Session Recordings – audio recordings made only with your explicit written consent.
  • Administrative Data – invoices, ICD-10 codes, statements and correspondence with medical schemes.

Legal basis: your written / electronic consent (HPCSA Booklet 4) and the legitimate purpose of diagnosis, treatment and billing (POPIA s 11(1)(c)).

2. Why is the information needed?

  1. Clinical care – to assess, diagnose and provide evidence-based treatment.
  2. Continuity of care – to collaborate with your GP, psychiatrist or other treating professionals when you authorise this.
  3. Statutory & contractual duties – ICD-10 coding and invoices for medical-aid reimbursement.
  4. Teaching / research – anonymised case material may be used for academic supervision or conferences only with your opt-in consent.

3. How and where is it stored?

| Medium | Location | Safeguards |
|---|---|---|
| Paper files | Locked cabinet, 621 Olivia St, Garsfontein | Physical keys; alarmed premises |
| iPad clinical notes | Apple iCloud (EU/US) | Device encryption; Face ID; 2-FA; end-to-end encryption |
| Website forms | Xneelo servers (SA) | HTTPS; server-side firewalls; daily backups |
| Back-ups | Dropbox (EU/US) & Proton Drive (CH) | Zero-knowledge encryption; signed operator agreements |

Cross-border transfers: Data stored in the EU, US and Switzerland is protected by Standard Contractual Clauses plus your explicit consent (POPIA s 57 & Reg 11).

4. How long is it kept?

  • Standard clinical records: minimum 6 years after they become dormant – HPCSA Guidelines on the Keeping of Patient Records (Booklet 9, 2016 §9.3)
  • Minors: Until the patient’s 21st birthday – HPCSA Booklet 9 §9.5
  • Mentally incompetent patients: Indefinitely / lifetime – HPCSA Booklet 9 §9.4

5. Who sees your information?

  • EKB Billing Bureau – for invoicing and medical-aid submissions.
  • Referring practitioners – only with your written authorisation.
  • Medical Schemes / Banks – limited data required for payment.
  • Courts or statutory bodies – only when required by law.

All third-party service providers sign POPIA-compliant Operator Agreements with 24-hour breach-notification clauses.

6. Your rights under POPIA & PAIA

  1. Access: Request a copy of your records (PAIA s 53). No fee for first-person requests.
  2. Correction / Deletion: Ask for inaccuracies to be corrected or, where lawful, deleted (POPIA ss 24-25).
  3. Objection: Object to certain processing such as marketing (POPIA s 11(3)).
  4. Data portability: Receive an electronic summary for transfer to another clinician.
  5. Complaint: Lodge concerns with the Information Regulator: complaints.IR@justice.gov.za

7. Electronic & Tele-psychology communications

I offer secure video-consultations compliant with HPCSA Telehealth Guidelines (Booklet 10).
WhatsApp (Business) is used only for scheduling; please avoid clinical details in chat.
All emails are TLS-encrypted and contain minimal personal data (“Your appointment is on…”).

8. Questions or requests?

Email the Information Officer at privacy@psydev.co.za
or write to 621 Olivia Street, Garsfontein, Pretoria, 0042.
You will receive an acknowledgement within two working days.



Document version: v 2.0 – 15 May 2025 | Based on HPCSA Ethical Booklets 4, 5, 9, 10 and POPIA Condition 6.
For the full PAIA/POPIA manual, click here.