Considerate Counselling provides counselling, supervision, training and IT consultancy services to individuals, groups and organisations. In carrying out our business, we capture information and data to deliver the services. This policy describes the data that we use and how we process, store and destroy it. It also describes how you can see any data that we hold about you and how you can ask for it to be corrected or removed. We comply with the provisions of the DPA and GDPR.
- Company – Considerate Counselling
- DPA – Data Protection Act
- GDPR – General Data Protection Regulation
- EAP – Employee Assistance Provider
Nature of Work
Counselling and Psychotherapy regularly requires the collection of sensitive data. Examples of this are:
- Physical or mental health details
- Racial or ethnic origin
- Religious or other beliefs
- Offences, criminal convictions and alleged offences
In addition to processing data in accordance with the DPA, Counselling and Psychotherapy is undertaken in accordance with the BACP Ethical Framework, which places professional responsibilities on the therapist to handle client data confidentially, safely and ethically.
Like any business, the company needs to transact business, keep accounts and communicate with suppliers and organisations. It has to keep your data in respect of these functions, and for this it uses personal data. Some examples of this type of data are:
- Telephone Number
- Financial details
- Email contact information
Sources of data
Our data comes from a number of sources:
Referrers may contact us asking us to work with a particular client. Typically, the referral will include both personal and sensitive data. We process all data in accordance with the DPA and GDPR and with the contract that exists between the referrer and ourselves.
Clients will contact us looking for counselling services. Typically the information required to deliver that service may include sensitive and personal data. We process that data in accordance with the DPA and GDPR and for the purposes laid out below.
Processing of data
We process data for the following purposes:
At the start of counselling, we will discuss the information that we will hold with you and ask you to consent to us holding and processing that data.
We hold and process sensitive data for the medical diagnosis and treatment undertaken by us in the course of counselling. This is held in the form of clinical notes.
We hold personal data for a number of purposes. It is a contractual necessity to be able to carry out your counselling, for example to arrange and maintain appointments. We have a need to collect data to fulfil our legitimate interests in carrying out our legal obligations in running the company.
We may use your information in a situation where there is an emergency or a life-or-death situation, as outlined below.
- Where the client intends to harm themselves or someone else, we will breach their confidentiality.
- Where we reasonably believe that a child or a vulnerable person is at risk, we may share a minimum set of data.
We will share data with a court where we receive a court order, valid in Scotland, for release of data.
We will share data where the client consents to a release of data. In this case, we will agree with the client what data is released. We will ask for identity and written authorisation.
Who do we share information with?
For the clients whom they are or have been treating: they have access to the clinical notes that contain sensitive data. They can also access personal data.
Referrers (Includes EAP referrers)
For the clients they have referred: they can see the outcome reports of the therapy, which may include sensitive data. They will have access to the personal information. In respect of the company, we are a sub controller of this data and process it according to the contract between us.
Where an individual has paid by BACS, cheque or electronic means, personal data may appear on our bank statements and as such is in our accounting records.
Where we make a referral
If we make a referral we will agree with you the information to be passed on, but it will normally include both personal and sensitive data.
We do not hold or process mailing lists or carry out direct marketing nor do we provide personal details to other organisations for the same or similar purposes.
The company notes that an important part of a Data Protection Policy is the physical and electronic protection of the data. This is important both during the period of use and in any retention period.
The company keeps both paper and electronic records.
- Paper records are secured under lock and key at all times in either locked filing cabinets or in locked archive storage bins.
- Electronic records are encrypted using strong encryption. The encryption keys are stored separately to the data. The data files are not stored in a device that is accessible from the Internet and secure backups are taken and stored with the same electronic safeguards.
- Email is not currently encrypted and so is not used for the company’s sensitive information.
- Referrer client information is transferred in accordance with that referrer’s data controller’s instructions and processes.
- Phone and email data is only maintained for the duration of a client or supplier’s active contact with the company.
The company maintains no personal data on social media or on its website.
Access to records
The DPA gives the subject of personal data a right of access to the information that is being held about them. This right is referred to as a ‘subject access right’ and applies to all electronically stored records and to the data held about the client in structured manual files. The aim is to enable any citizen to know what information is being processed about them.
A written request and proof of identity is required, and there is no fee. This entitles the data subject to be informed about what data are being processed, for what purpose, to whom they have been or may be disclosed, and to be provided with a copy of those data.
This information should be provided within 30 days, and the release of records cannot be made conditional,
A client who considers that there is an inaccuracy in the record may ask for it to be corrected with the agreement of the therapist. If there is disagreement about what would be a correct record, it is good practice to include a record of the client’s objections in the notes. Any therapist who is concerned about the client’s response to seeing their records may offer to be present and explain the records or to arrange for another suitably qualified person to be present. If the therapist is concerned that access to the notes would cause serious harm to the physical or mental health of the data subject and that access to the notes may constitute a health risk, it may be possible to refuse or defer access with the authorisation of the health professional who is currently or was most recently responsible for the clinical care of the person concerned. (Data Protection (Subjects Access Modification) (Health) Order 2000 section 7) https://ico.org.uk/for-organisations/guide-todata-protection/principle-6-rights/subject-access-request/ The legal presumption in favour of access to personal data makes this an exceptional provision that ought not to be sought or granted lightly.
Clients of the Company have the following rights under the DPA. Clients are informed of this via the client contract that they sign and agree to for any clinical work.
- To access a copy and explanation of your personal data.
- To request correction or erasure, in certain circumstances.
- To request limiting or ceasing data processing, where applicable.
- To compensation for substantial damage or distress caused by data processing, where applicable.
DATA ACCESS REQUEST FOR INFORMATION PROCEDURE
A clear, specific request
The company does not have to start working on a subject access request until you have provided enough information for us to find the personal data.
For example, a request for ‘all of the personal data held on me’ is not specific enough for us to find your personal data.
The company takes great care to ensure that personal data is only disclosed to those who are authorised to access it. For this reason, you will need to provide a form of ID from each of the lists below to request your personal information.
Examples of acceptable photographic identification:
- Current driver’s licence
- Current passport
- Current work identification badge with unique works number
Examples of acceptable proof of address:
- Utility bill
- Bank statement
- Council tax bill
Address ID is necessary to ensure that your personal data is being posted to the right place.
Subject Access Request
Subject access requests should be made by emailing email@example.com outlining your request.
Report of Data Breaches
Any breaches of Sensitive Personal Data held by the company will be reviewed and actioned in line with current legislation and reporting processes in place with the Information Commissioner’s Office. It is a mandatory requirement that all data breaches that have a material impact on an individual’s rights must be reported to the ICO within 72hrs.
Data Breaches affecting contracts with Employee Assistance Programmes must be actioned in line with each organisation’s specific policy/agreement and processes in place within these organisations, which also meets current regulations with ICO and Data Protection law.