Data Privacy

General Data Protection Regulation Policy
The General Data Protection Regulation (GDPR) is concerned with the personal information about you that I collect and process. This privacy notice describes what personal data of yours is collected and why, how it is stored and shared, and your rights related to your information, in line with the regulation.
Lawful basis for processing your information:
The lawful basis for processing of your information is in relation to the delivery of a contract to you as a health care professional. As a member of the British Association for Counselling and Psychotherapy (BACP) I operate under a strict code of confidentiality.
Personal information I will collect:
- Name
- Title
- Date of birth
- Family and significant relationships
- Occupation
- Address(es)
- Phone number(s) (plus permission to send an SMS and/or leave a voice message)
- Email address
- Name and contact details of any third party paying for sessions
- Counselling/psychotherapy history
- GP name, GP practice name, address and phone number
- Mental health or medical conditions relevant to counselling
- Prescribed medication relevant to counselling
- Details of other professionals and organisations providing support to you
- Presenting difficulties
- Significant life events and family history relevant to counselling
- Session summary (after each session I will keep a short record of the content)
I will also ask and record how you heard about my services. This is not necessary for our work together and you are free to refuse to say how. I use this data to evaluate advertising or directory entries I have purchased.
Neither of us will video or audio record our sessions without the consent of the other.
Additional documents that I will store:
- Appointment diaries
- Cause for concern and safeguarding forms
- Clinical letters
- Copies of invoices and receipts
- Email(s) showing that you have read and agreed to the terms of the therapy agreement and privacy notice (online and phone counselling only)
- Signed GDPR privacy notices
- Signed therapy agreements
How your personal information will be stored:
- BACS: If you (or a third party) pay for your sessions by bank transfer, my bank will record the transactions, and the payment will be recorded on my bank statement.
- Clinical notes software: I use the encrypted clinical notes software Kiku (wearekiku.com) to store client data and clinical documents. Kiku’s software is secured with RSA 256-bit SSL encryption, and access is protected by both a password and two-factor authentication. To provide support in use of the software, the Kiku support team has access to client contact details and attendance history only. In the event of data loss, permitted members of the Kiku Development Team can access clinical notes and documents for the sole purpose of restoring client records. For more details on how Kiku securely stores and processes data, please view their privacy policy at https://www.wearekiku.com/privacy-notices. Kiku is hosted by Amazon Web Services, Ireland, which has robust security measures in place. Information about their security measures can be found via this link: https://aws.amazon.com/security/?nc=sn&loc=0
- Gmail: Your email address and correspondence will be stored in my practice Gmail account by nature of you contacting me or vice versa. I will use Gmail when responding to website queries. I will delete all correspondence stored in my Gmail account on a regular basis and when our work together ends, except, in the case of online or phone counselling, for any email from you that states that you have read and agreed to the therapy agreement and privacy notice. Gmail encrypts messages so that they cannot be read by a third party in transit.
- My website: If you contact me through the contact form on my website, hosted by Wix, the information will be forwarded to my Gmail account. A copy of the information you submit will be held in my Wix website account temporarily, but I will delete this on receipt of the information in my Gmail account. Information about Wix’s security measures can be found via the following link: https://support.wix.com/en/article/wix-security-measures-overview
- Paper: I store paper documents in a locked safe and/or locked filing cabinet. When I transport paper documents between locations, I carry them in a bag that has a combination lock. I will use a four-digit client code on documents relating to you to link them together. When a clinical document has been completed in writing, I will input the details into Kiku or scan the document and upload it to Kiku for storage. Once a document or information has been added to Kiku, I will shred the paper version and delete any scans or files on my laptop.
- Phone: I use an Android smartphone that is solely for my counselling work. The smartphone is secured by fingerprint identification and receives regular security updates. I will store your phone number in my contact list along with a four-digit client code rather than your name or any information that could directly identify you. I will delete your phone number, the logs of our calls, SMS messages and voicemails when our work together ends.
Personal data breaches
I make every effort to maintain your privacy by using methods of data protection and third-party software and platforms that I consider to be appropriately secure. I will inform you if I become aware of breaches of personal data held or processed either by myself or third-party software or platforms where your rights and freedoms are at high risk and take action in accordance with the General Data Protection Regulation.
How I may share your personal information:
Emergencies and accidents
If I believe that you are at risk of serious harm, I may share necessary personal information with emergency services, the mental health crisis team, your GP or the appropriate authority. I will endeavour to seek your consent before making a disclosure when possible. If there is an accident at the premises where I practise, I will need to report this to the owners of the relevant businesses.
Sharing in cases of public interest and legal obligation
I would share necessary and relevant personal information with the appropriate authority when there is a risk of serious harm to another person, organisation or the state (e.g. violence, drink-driving, terrorism), you have committed a serious crime, or a child is being abused. When possible and legally allowed, I will do so with your prior knowledge. I would also have to share relevant personal information with a court, if ordered to do so, when required by law, or with my insurer if you make a claim against me and if they require it.
I would share cash payment receipts, invoices and my bank statements with the HMRC if required to provide them as evidence in matters of tax. On rare occasions I may need to securely share my bank statements with third parties, so that they can check my financial situation.
Supervision
I attend regular consultations with a qualified therapist. The purpose of this is to maintain the quality and effectiveness of my therapeutic work and to remain in line with the requirements of the BACP’s ethical framework. To protect your privacy, I will discuss you and any aspect of your life in a non-identifiable way.
Therapeutic will
I have made arrangements so that in the event of my death or incapacity my therapeutic will executor will be able to access your name and contact details and notify you, if you are still in therapy with me. They will also have access to your clinical records for the purpose of deleting them when required by my insurer.
Third-party payments
If your sessions are directly paid for by a third party (e.g. an employer, a family member or a friend), I would need to discuss with them payment and payment-related matters, such as the number and dates of sessions that take place and when payment is due. In the event that you end the sessions but the third party continues to pay, I would need to notify them that the sessions have finished. I may also need to send the third party invoices or receipts. I would not share with the third party details about clinical and personal matters discussed in our sessions.
Third-party platforms for online counselling
For online counselling, I use the videoconferencing platform Zoom. Zoom uses AES-256 encryption for online calls. I do not share any of your personal information with Zoom. For more information about Zoom’s security, please visit https://zoom.us/security. To view Zoom’s privacy policy, please visit https://zoom.us/privacy
How long I will hold your personal information:
When we have finished working together, I will delete all of your contact details, and erase all correspondence that is no longer needed, within one month. I will hold onto clinical notes and documents (i.e. the therapy agreement, GDPR privacy notice, session notes, and any other documents related to clinical matters) for up to five years past the end of our work together. This is so that I have a reference of our work in situations such as you returning to counselling in the future, and because it is a requirement of my insurer in case a legal claim is made against me. After the five years have passed, I will shred those documents.
I will keep duplicates of any cash payment receipts, invoices and bank statements, as well as my appointment diaries, for five years after the 31st January deadline of the relevant tax year in case HMRC require me to provide them as evidence in matters of tax.
Your rights relating to your personal information:
- To be informed what information about you I hold (i.e. this document).
- To request a copy of the information I hold about you (free of charge for the initial request).
- To request that I rectify any inaccurate or incomplete information I hold on you.
- To request that I stop using your information (however, I can decline whilst the information is needed for me to practise lawfully, competently and contractually, and I can continue to store the information for up to five years for use if you made a legal claim against me).
- To request that I erase information that I hold about you (however, I can decline whilst the information is needed for me to practise lawfully, competently and contractually and to comply with the requirements of my insurer).
If you would like to make a request, please email me at wjcounselling@gmail.com. I will respond to requests within 30 days.