Your confidentiality and privacy are very important. Under the General Data Protection Regulation (GDPR), I am required by law to inform you how I keep the data you provide me with, and how I hold this data. I am also bound by the British Association for Counselling and Psychotherapy’s (BACP) code of ethics. I will never sell your data to any other individual, company or organisation for any purpose.
I am required to gain your explicit consent to my holding your data in certain ways.
I aim to be as clear as possible about how and why I use the data I hold about you so that you can be confident that your privacy is protected. This policy describes:
The information that I collect when you attend counselling sessions
How I manage your information when you attend counselling.
As per these laws, I am the data controller, and the data processor. If your questions are not fully answered by this policy, please contact the Information Commissioner's Office (ICO) https://ico.org.uk.
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for retaining and processing this information will depend on the phase of the therapeutic relationship. The lawful bases for retaining and processing your data will be as follows:
Performance of a contract - Some identifiable information is required in order to follow up enquiries you make, or to maintain contact with you after the service has commenced.
Legitimate interest - I am ethically bound to keep case notes, assessment information and medical information which enables me to provide a service which is considered and tailored to an individual's needs and circumstances.
1. What personal information do I collect and how do I collect it?
I retain the data you provide so that I can provide you with a safe and professional counselling service.
The data that I hold may include:
Your name, address, phone numbers and email addresses
Your GP's name and contact details
Medical information, counselling history, counselling goals
Your name, email address and contact number will be collected when you make the initial enquiry.
All other information will be collected in the initial assessment session.
I will record brief notes of our sessions. This is so that I can keep track of progress, as well as serving as a reminder of what was discussed in sessions.
2. Why do I Collect this Data?
I keep generic information so that I can maintain contact with you with regards to appointments.
I need to know of any medical conditions that you have so that I can be aware of anything else happening in your life which may impact on our work together, and what I can do to keep you safe. I will also ask for details of any medication that you are taking, so that I am aware of how this may impact on a session.
Your counselling history will give me an insight into how you may feel if you’ve never attended counselling before, and if you have, how you have experienced this, and how this may impact on our work together.
I need to retain your GP's contact details in case I become concerned about your welfare.
3. Where do I keep your information, and how is it kept safe?
I use a computer that is located outside of the business premises. The computer is password protected. I do not use Dropbox, Google Drive or any other cloud service to store your data.
I use Microsoft Access (a database package on the computer) to record brief details of every counselling session. In these records, your identifying details are not used. I protect your data by using a random pseudonym to replace your name. Any other identifying information shared in the session (e.g. place names, names of family / friends) will also be given random pseudonyms.
I keep paper copies of receipts that are issued to you at the end of sessions. Records of transactions are kept on a formatted Microsoft Excel spreadsheet. This is for the purposes of accounting.
My email account is protected. I may delete emails and texts after I have noted their content (for example, emails around scheduling). Any emails that I consider necessary to keep are held securely.
My phone is PIN protected and is not shared with anyone else. This mitigates the risk of anyone accessing records of mobile communication.
I keep paper copies of the contract and personal details that you complete in the first session.
I keep paper copies of ongoing assessment tools which are used to keep a record of cumulative progress. All hard copies of paperwork are kept in a lockable filing cabinet.
I scan this paperwork, and save it on a password-protected computer. The scanned paperwork is then kept in password protected files. As these files contain your identifiable personal information, I keep them separate from the session notes which contain your pseudonyms.
I am required by law to retain certain financial information, primarily for tax purposes, and as advised by HMRC this is retained for five years. Payments you make are input into an MS-Excel spreadsheet referenced by 1st name only.
When payment is made via BACS, your account name (or the name of the person who is paying) and any reference used may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me. Banking transactions may be viewed by employees of the bank, my accountant, and HMRC tax officers who will all have their own GDPR policies.
4. How long do I keep the information?
As per the terms of my indemnity insurer, I retain your information for 5 years. After this time has elapsed, I will shred any paperwork I have, and delete any electronic records I have about your sessions.
I will need to discuss content of our sessions from time to time with my supervisor. These supervision sessions take place for the purpose of ensuring that I am providing the very best service to my clients. During these supervision sessions, I may refer to you by initials. If you are not happy with this, then we can discuss a pseudonym that you would be happy with.
My duty of confidentiality has limitations, and there are particular circumstances, which will require me by law to act, by notifying relevant external agencies. I will be transparent with you about this, however your permission is not required.
The circumstances in which I will need to break the confidentiality agreement are explained below, and they will be reiterated in our first meeting:
Prevention of serious harm to the client or to others – Should I have serious concerns about your immediate safety, or the safety of others, I may discuss with you sharing this information with relevant professionals (i.e. your GP or the police).
When I am required to do so by a Court order.
If you divulge involvement in, or knowledge of, an act of terrorism, money laundering, drugs trafficking or substantial profiting from proceeds of crime.
If another person, a child, or vulnerable adult is at risk of harm or abuse - This can be current, planned, or historical. If conforming to the duty of confidentiality jeopardises the safety of another individual, then this confidentiality will be breached accordingly to relevant professionals.
6. Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to make a Subject Access Request (SAR), which will enable you to obtain copies of all of the information I hold about you. A SAR can be made by contacting email@example.com. I will ensure that you receive this within 1 month of your request. A SAR will be free of charge in most cases. However, if meeting this request will take up an excessive amount of time / resources, then a charge will be incurred.
Your right to rectification - You have the right to ask me to rectify information you think is inaccurate or incomplete.
Your right to erasure - You have the right to ask me to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask me to restrict the processing of your information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
You can read more about your rights at ico.org.uk/your-data-matters.
7. Online Working
I also deliver counselling sessions via an app called Zoom, which offers end-to-end encryption. I ensure that I am in a safe space where the content of our sessions won’t be heard, and that I am wearing headphones to prevent sound leaking. It is important that you take measures to ensure the privacy of our session from your space.
I suggest that you use a private computer, which is password-protected. Please ensure you keep your anti-virus protection up-to-date and I will undertake to do the same.
It is important that you use a private and quiet space in which to carry out your online counselling, and it is advised that you also wear headphones. If you don’t have access to a private space, then online counselling won’t be an option for you at this time. This is because therapeutic work cannot be undertaken unless you are in a safe private space where you can focus on your process. It would also compromise confidentiality from your side of the session.
Technology breakdown arrangements
Occasionally, technical hitches may happen. If this happens when we are using Zoom, then we can either resume our session using WhatsApp (this is also secure, as it offers end-to-end encryption), or by telephone.
If you experience a technical hitch which prevents you from participating in your appointment via Zoom, please contact me by telephone so that we can discuss alternatives or rescheduling. I will contact you by telephone should I experience a technical hitch.
I aim to meet the highest standards with regards to handling your data. However, if you have a complaint about how I handle your personal data please do not hesitate to get in touch with me by email at firstname.lastname@example.org.
If you want to make a formal complaint about the way I have handled your data you can contact the ICO which is the statutory body that oversees data protection law in the UK. For more information go to ico.org.uk/make-a-complaint.
9. Third Party Applications
My website and any other social media channels may contain links to other third parties. When you correspond with any third parties referenced, they hold responsibility for any interactions you have with them. I recommend that you consider the privacy statements of other websites and applications, to make sure you understand their individual policies.
I cannot be held responsible for any social media channels which may contain links / references to other websites that are not covered by this policy.