Your personal and health information is classified as “special personal information” under the Protection of Personal Information Act (POPIA).
This page explains what I collect, why I collect it, how long I keep it, with whom it is shared and what your rights are.
1. What information do I collect?
- Patient Intake Form – completed online at patient form or in person.
Includes identification details, contact information, medical-aid data and a brief psychosocial history. - Session Notes – contemporaneous notes taken during therapy, stored on paper and (from Feb 2025) in encrypted iPad notes.
- Optional Session Recordings – audio recordings made only with your explicit written consent.
- Administrative Data – invoices, ICD-10 codes, statements and correspondence with medical schemes.
Legal basis: your written / electronic consent (HPCSA Booklet 4) and the legitimate purpose of diagnosis, treatment and billing (POPIA s 11(1)(c)).
2. Why is the information needed?
- Clinical care – to assess, diagnose and provide evidence-based treatment.
- Continuity of care – to collaborate with your GP, psychiatrist or other treating professionals when you authorise this.
- Statutory & contractual duties – ICD-10 coding and invoices for medical-aid reimbursement.
- Teaching / research – anonymised case material may be used for academic supervision or conferences only with your opt-in consent.
3. How and where is it stored?
| Medium | Location | Safeguards |
|---|---|---|
| Paper files | Locked cabinet, 621 Olivia St, Garsfontein | Physical keys; alarmed premises |
| iPad clinical notes | Apple iCloud (EU/US) | Device encryption; Face ID; 2-FA; end-to-end encryption |
| Website forms | Xneelo servers (SA) | HTTPS; server-side firewalls; daily backups |
| Back-ups | Dropbox (EU/US) & Proton Drive (CH) | Zero-knowledge encryption; signed operator agreements |
Cross-border transfers: Data stored in the EU, US and Switzerland is protected by Standard Contractual Clauses plus your explicit consent (POPIA s 57 & Reg 11).
4. How long is it kept?
- Standard clinical records: minimum 6 years after they become dormant – HPCSA Guidelines on the Keeping of Patient Records (Booklet 9, 2016 §9.3)
- Minors: Until the patient’s 21st birthday – HPCSA Booklet 9 §9.5
- Mentally incompetent patients: Indefinitely / lifetime – HPCSA Booklet 9 §9.4
5. Who sees your information?
- EKB Billing Bureau – for invoicing and medical-aid submissions.
- Referring practitioners – only with your written authorisation.
- Medical Schemes / Banks – limited data required for payment.
- Courts or statutory bodies – only when required by law.
All third-party service providers sign POPIA-compliant Operator Agreements with 24-hour breach-notification clauses.
6. Your rights under POPIA & PAIA
- Access: Request a copy of your records (PAIA s 53). No fee for first-person requests.
- Correction / Deletion: Ask for inaccuracies to be corrected or, where lawful, deleted (POPIA ss 24-25).
- Objection: Object to certain processing such as marketing (POPIA s 11(3)).
- Data portability: Receive an electronic summary for transfer to another clinician.
- Complaint: Lodge concerns with the Information Regulator: complaints.IR@justice.gov.za
7. Electronic & Tele-psychology communications
I offer secure video-consultations compliant with HPCSA Telehealth Guidelines (Booklet 10).
WhatsApp (Business) is used only for scheduling; please avoid clinical details in chat.
All emails are TLS-encrypted and contain minimal personal data (“Your appointment is on…”).
8. Questions or requests?
Email the Information Officer at privacy@psydev.co.za
or write to 621 Olivia Street, Garsfontein, Pretoria, 0042.
You will receive an acknowledgement within two working days.
Document version: v 2.0 – 15 May 2025 | Based on HPCSA Ethical Booklets 4, 5, 9, 10 and POPIA Condition 6.
For the full PAIA/POPIA manual, click here.