Background
Considerate Counselling provides counselling, supervision, training and IT consultancy services to individuals, groups and organisations. In the course of carrying out our business, we capture information and data in order to deliver these services. This policy describes the data that we use and how we process it, store it and destroy it. It also describes how you can see any data that we hold about you, and how you can ask for it to be corrected or removed. We comply with the provisions of the DPA and GDPR.
Definitions
- Company – Considerate Counselling
- DPA – Data Protection Act
- GDPR – General Data Protection Regulation
- EAP – Employee Assistance Provider
Nature of Work
Counselling and Psychotherapy regularly require the collection of sensitive data; examples of this are:
- Physical or mental health details
- Racial or ethnic origin
- Religious or other beliefs
- Offences, criminal convictions and alleged offences
In addition to processing data in accordance with the DPA, Counselling and Psychotherapy are undertaken in accordance with the BACP Ethical Framework, which places professional responsibilities on the therapist to handle client data confidentially, safely and ethically.
Like any business, the company needs to transact business, keep accounts and communicate with suppliers and organisations. It has to keep your data in respect of these functions, and for this purpose the company uses personal data. Some examples of this type of data are:
- Name
- Telephone Number
- Address
- Financial details
- Email contact information
Sources of data
Our data comes from a number of sources.
Referrers may contact us asking us to work with a particular client. Typically, the referral will include both personal and sensitive data. We process all data in accordance with DPA and GDPR and by the contract that exists between the referrer and ourselves.
Clients will contact us looking for counselling services. Typically, the information required to deliver that service may include sensitive and personal data. We process that data in accordance with the DPA and GDPR and for the purposes laid out below.
Processing of data
We process data for the following purposes:
At the start of counselling, we will discuss the information that we will hold with you and ask you to consent to us holding and processing that data.
We hold and process sensitive data for the reasons you disclose as part of your treatment by us in the course of counselling. This is held in the form of clinical notes.
We hold personal data for a number of purposes. It is a contractual necessity in order to work together in an ethical manner. It serves as a record for professional and ethical purposes and may be relied upon as the basis of a legal defence in the case of a malpractice action.
We have a need to collect data to fulfil our legitimate interests in carrying out our legal obligations in running the company.
We may use your information to get emergency help, or in a life-or-death situation, as outlined below:
- Where the client is a danger to themselves or someone else, we will breach their confidentiality.
- Where we reasonably believe that a child or a vulnerable person is at risk.
- Where compelled to do so by statute (for example, the money laundering regulations).
- We will share data with a court where we receive a court order, valid in Scotland, for release of data.
- We will share data where the client consents to a release of data. In this case, we will agree with the client what data is released. We will ask for identity and written authorisation.
In all cases we would share the minimum amount of information to achieve the purpose outlined.
Who do we share information with?
The therapist
For the clients whom they are or have been treating: they have access to the clinical notes that contain sensitive data. They can also access personal data.
Referrers (Includes EAP referrers)
For the clients whom they have referred: they can see the outcome reports of the therapy, which may include sensitive data. They will have access to the personal information. In respect of the company, we are a sub-controller of this data and process it according to the contract between us.
Accountant/HMRC/Bank staff
Where an individual has paid by BACS, cheque or electronic means, personal data may appear on our bank statements and as such is in our accounting records.
Where we make a referral
If we make a referral we will agree with you the information to be passed on, but it will normally include both personal and sensitive data.
Third party sub processors
We make use of third-party services to book clients and digitally sign documents. These third-party suppliers are GDPR compliant, and we only share name and email address with them for the purpose of enabling access to our service.
We do not hold or process mailing lists or carry out direct marketing nor do we provide personal details to other organisations for the same or similar purposes.
Information Security
The company notes that an important part of a Data Protection Policy is the physical and electronic protection of the data. This is important both during the period of use and in any retention period.
The company keeps both paper and electronic records.
- Paper records are secured under lock and key at all times in either locked filing cabinets or in locked archive storage bins.
- Electronic records are encrypted using strong encryption. The encryption keys are stored separately to the data. The data files are not stored in a device that is accessible from the Internet and secure backups are taken and stored with the same electronic safeguards.
- Email is not currently encrypted and so is not used for the company’s sensitive information.
- Referrer client information is transferred in accordance with that referrer’s data controller’s instructions and processes.
- Phone and email data for emergency contacts is only maintained for 14 days after the client's final session.
The company maintains no personal data on social media or on its website.
Access to records
The DPA gives the subject of personal data a right of access to the information being held about them. This right is referred to as a 'subject access right' and applies to all electronically stored records and to the data held about the client in structured manual files. The aim is to enable any citizen to know what information is being processed about them.
A written request and proof of identity are required, and there is no fee. This entitles the data subject to be informed about what data are being processed, for what purpose and to whom they have been or may be disclosed, and to be provided with a copy of those data.
This information should be provided within 30 days, and the release of records cannot be made conditional.
A client who considers that there is an inaccuracy in the record may ask for it to be corrected with the agreement of the therapist. If there is disagreement about what would be a correct record, it is good practice to include a record of the client's objections in the notes. Any therapist who is concerned about the client's response to seeing their records may offer to be present and explain the records, or may arrange for another suitably qualified person to be present.
If the therapist is concerned that access to the notes would cause serious harm to the physical or mental health of the data subject, such that access to the notes may constitute a health risk, it may be possible to refuse or defer access with the authorisation of the health professional who is currently or was most recently responsible for the clinical care of the person concerned (Data Protection (Subjects Access Modification) (Health) Order 2000, section 7; see https://ico.org.uk/for-organisations/guide-todata-protection/principle-6-rights/subject-access-request/). The legal presumption in favour of access to personal data makes this an exceptional provision that ought not to be sought or granted lightly.
Clients of the Company have the following rights under the DPA. Clients are informed of these via the client contract that they sign and agree to for any clinical work.
- To access a copy and explanation of your personal data.
- To request correction or erasure, in certain circumstances.
- To request limiting or ceasing data processing, where applicable.
- To compensation for substantial damage or distress caused by data processing, where applicable.
Data Access Request for Information Procedure
A clear, specific request
The company does not have to start working on a subject access request until you have provided enough information for us to find the personal data.
For example, a request for 'all of the personal data held on me' is not specific enough for us to find your personal data.
Current identification
The company takes great care to ensure that personal data is only disclosed to those who are authorised to access it. For this reason, you will need to provide a form of ID from each of the lists below in order to request your personal information.
Examples of acceptable photographic identification:
- Current driver’s licence
- Current passport
- Current work identification badge with unique works number
- Signed request for subject access through client’s solicitor
Examples of acceptable proof of address:
- Utility bill
- Bank statement
- Council tax bill
Address ID is necessary to ensure that your personal data is being posted to the right place.
Subject Access Request
Subject access requests should be made by emailing dpo@consideratecounselling.co.uk outlining your request. When we have checked identification documents, we do not retain any copy of them.
Report of Data Breaches
Any breaches of Sensitive Personal Data held by the company will be reviewed and actioned in line with current legislation and the reporting processes in place with the Information Commissioner's Office. It is a mandatory requirement that all data breaches that have a material impact on an individual's rights must be reported to the ICO within 72 hours.
https://ico.org.uk/media/for-organisations/documents/1562/guidance_on_data_security_breach_management.pdf
Data breaches affecting contracts with Employee Assistance Programmes must be actioned in line with each organisation's specific policy/agreement and the processes in place within that organisation, which also meet current ICO regulations and Data Protection law.
Retention of data
If you make an enquiry but do not proceed with therapy, I will hold your data for 14 days from our last contact and then destroy it.
If you have therapy with me, then I hold your records for a period of 7 years from your last session.
Complaints
If you have a complaint, a question or a comment about how I handle data, please contact me at dpo@consideratecounselling.co.uk in the first instance.
In addition, the ICO has a formal complaints process, which you can access at ICO.org.uk.