​
Data Privacy
​
General Data Protection Regulation Policy
​
The General Data Protection Regulation (GDPR) is concerned with the personal information about you that I collect and process. This privacy notice describes what personal data of yours is collected and why, how it is stored and shared, and your rights related to your information, in line with the regulation.
Lawful basis for processing your information:
The lawful basis for processing of your information is in relation to the delivery of a contract to you as a health care professional. As a member of the British Association for Counselling and Psychotherapy (BACP) I operate under a strict code of confidentiality.
​
Personal information I will collect:
​
- Name
- Gender (or preferred identity)
- Date of birth
- Family and significant relationships
- Occupation
- Address
- Phone number(s) (plus permission to send an SMS and/or leave a voice message)
- Email address (plus permission to send emails to you)
- Phone number and/or email address of any third party paying for sessions
- Counselling/psychotherapy history
- GP practice name, address and phone number
- Phone number and address of emergency contact, and their relationship to you – online/phone counselling only
- Medical conditions relevant to counselling
- Prescribed medication relevant to counselling
- Details of other professionals and organisations providing support to you
- Presenting difficulties
- Significant life events and family history relevant to counselling
- Session summary (After each session I will keep a short record of the content)
I will also ask and record how you heard about my services. This is not necessary for our work together and you are free to refuse to say how. I use this data to evaluate advertising or directory entries I have purchased.
Neither of us will video or audio record our sessions without the consent of the other.
​
How your personal information will be stored:
​
Storage methods:​
- Paper: I store the paper documents listed below securely in a locked safe and/or locked filing cabinet. When I transport paper documents between locations, I carry them in a bag that has a combination lock. I will use a four-digit client code on documents relating to you to link them together.
- Phone: I use an Android smartphone that is solely for my counselling work. The smartphone is secured by fingerprint identification and receives regular security updates. I will store your phone number in my contact list along with a four-digit client code rather than use your name or any information that could directly identify you. I will delete the logs of our calls, SMS messages and voicemails on a regular basis and on our work ending together. I will also delete your phone number on our work ending.
- SMS: Electronic correspondence will be held in my phone’s SMS app should we exchange messages this way. I will delete all correspondence stored there on a regular basis and on our work ending together.
- Gmail: Your email address and correspondence will be stored in my practice Gmail account by nature of you contacting me or vice versa. I will use Gmail when responding to website queries. I will delete all correspondence stored in my Gmail account on a regular basis and on our work ending together, except for the email from you that states that you have read and agreed to the therapy agreement and privacy notice. Gmail encrypts messages, so that they cannot be read by a third party in transit.
- OneDrive: A copy of your name, phone number and email address will be stored in my OneDrive account while we are working together, so that the executor of my therapeutic will can access it and contact you in the event of my death or incapacity.
- My website: If you contact me through the contact form on my website, hosted by Wix, the information will be forwarded to my Gmail account. A copy of the information will be held in my website account temporarily, but I will delete this on receipt of the information in my Gmail account.
- BACS: If you (or a third party) choose to pay for your session by bank transfer, my bank will record the transactions, and the payment will be recorded on my bank statement.
Documents that I will hold:
Paper:
- Client contact information form
- GP and emergency contact form
- Third party contact information form
- Therapy agreement
- GDPR privacy notice
- Assessment form
- Brief notes on each session
- Any cause for concern or safeguarding forms
- Copies of additional documents, such as letters, related to clinical matters
- Duplicates of receipts of cash payments with four-digit client code written on them
- Copies of invoices
- My bank statements
- Appointments diaries
- Email(s) showing that you have read and agreed to the terms of the therapy agreement and privacy notice
Electronic:
- Phone number with four-digit client code
- Phone contact log
- Email and SMS correspondence
How I may share your personal information:
Supervision
I attend regular consultations with a qualified therapist. The purpose for this is to maintain the quality and effectiveness of my therapeutic work and to remain in line with the requirements of the BACP’s ethical framework. In order to protect your privacy, I will discuss you and any aspect of your life in a non-identifiable way.
Therapeutic will
I have made arrangements so that in the event of my death or incapacity a trusted counsellor colleague acting as my Therapeutic Executor will be able to access your name and contact details and notify you, if you are still in therapy with me.
Emergencies and accidents
If you become unwell, are in significant distress or in danger during a session I may call your emergency contact. I would also call them if we lose contact during a session and I have concerns about your safety.
If I believe that you are at risk of serious harm, I may share necessary personal information with emergency services, the mental health crisis team, your GP or the appropriate authority. I will endeavour to seek your consent before making a disclosure when possible.
If there is an accident in either 31 Park Square West or 45a Park Square East, I will need to report this to the owners of the relevant businesses.
Sharing in cases of public interest and legal obligation
I would share necessary and relevant personal information with the appropriate authority when there is a risk of serious harm to another person, organisation or the state (e.g. violence, drink-driving, terrorism), you have committed a serious crime, or a child is being abused. When possible and legally allowed, I will do so with your prior knowledge.
If you attend a session and are either confirmed as or suspected of having Covid-19 I may need to notify the owners of the relevant therapy centre that the incident has occurred. However, I will not need to provide your personal details to them.
I would also have to share relevant personal information with a court, if ordered to do so, when required by law, or with my insurer if you make a claim against me and they require it.
​​
I would share cash payment receipts, invoices and my bank statements with the HMRC if required to provide them as evidence in matters of tax. On rare occasions I may need to securely share my bank statements with third parties, so that they can check my financial situation.
​
Third party platforms and software
​
For online counselling, I use the videoconferencing platform Zoom. Zoom uses AES-256 encryption for online calls. I do not share any personal information with Zoom for online counselling. For more information about Zoom’s security, please visit: https://zoom.us/security. To view Zoom’s privacy policy, please visit: https://zoom.us/privacy
​
I have made every effort to maintain your privacy by using third-party platforms and software that I consider to be appropriately secure and understand to be compliant with the General Data Protection Regulation. I have signed data processing agreements with the third parties and regularly look for and assess updates of third-party platforms and software to ensure that the latest security measures are in place and that I am satisfied that GDPR compliance is maintained. However, when using third-party platforms and software, it is not possible to guarantee data security completely. If at any point I have security concerns about third-party software or platforms, I will discuss these with you. I will also inform you if I become aware of breaches of personal data held or processed on third party software or platforms and take appropriate action in accordance with the General Data Protection Regulation.
​
Third party payments
​
If your sessions are paid for by a third party (e.g. an employer, a family member or a friend), I would discuss with them payment and payment-related matters, such as the number, time and date of sessions, when payment is due and when payment is no longer required following the termination of sessions. It may also involve sending them invoices or receipts.
I would not share with the third party details about clinical and personal matters discussed in our sessions.
​
How long I will hold your personal information:
​
When we have finished working together, I will shred paper copies of contact information and erase any electronic correspondence within one month. I will hold onto your consultation records (i.e. the therapy agreement, GDPR privacy notice, assessment form, session notes, and any other documents related to clinical matters) for up to five years past the end of our working together. This is so that I have a reference of our work in situations such as you returning to counselling in the future, and because it is a requirement of my insurer in case a legal claim is made against me. After the five years have passed, I will shred those documents.
​
I will keep duplicates of any cash payment receipts, invoices and bank statements, as well as my appointments diaries for five years after the 31st January deadline of the relevant tax year in case the HMRC require me to provide them as evidence in matters of tax.
​
Your rights relating to your personal information:
​
- To be informed what information about you I hold (i.e. this document).
- To request a copy of the information I hold about you (free of charge for the initial request).
- To request that I rectify any inaccurate or incomplete information I hold on you.
- To request that I stop using your information (However, I can decline whilst the information is needed for me to practise lawfully, competently & contractually, and I can continue to store the information for up to five years for use if you made a legal claim against me).
- To request that I erase information that I hold about you (However, I can decline whilst the information is needed for me to practise lawfully, competently & contractually and to comply with the requirements of my insurer).
​
This policy was formulated using the following sources:
​
- British Association for Counselling and Psychotherapy's 'The General Data Protection Regulation (GDPR) legal principles and practice notes for the counselling professions' guidance: www.bacp.co.uk/events-and-resources/ethics-and-standards/good-practice-in-action/
- Buzz Web Design & Consultancy guidance on GDPR: www.buzzwebconsultancy.co.uk/gdpr-products-and-services/
- Dean Richardson’s Havant Counselling website: https://havantcounselling.com/counselling-frequently-asked-questions/gdpr-privacy-policy/
- Karen Emery’s website: Counselling In Notts - GDPR Made Easy for Counsellors: www.counsellinginnotts.co.uk/gdpr-made-easy-for-counsellors-part-1
- Information Commissioner's Office's GDPR guidance and resources, including their 'Lawful basis Interactive guidance tool': www.ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ and www.ico.org.uk/for-organisations/gdpr-resources
​​
This policy will be reviewed regularly. Last updated December 2022.
​