Privacy Policy

Statement of Intent

This policy sets out in detail how I will handle your data.  It ensures that any personal details submitted to me when you contact me are processed and stored securely, and states the lawful basis under the Data Protection Act 2018 and the General Data Protection Regulations (‘GDPR’) that permits me to do so.  The Data Protection Act and General Data Protection Regulation aim to protect individuals’ fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.  The Act applies to paper and electronic records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data.

Data protection operates by giving individuals the right to gain access to their personal data.  This is done by making a subject access request in which they are entitled to:

  • A description of their personal data
  • The purposes for which they are being processed
  • Details of whom they are or may be disclosed to

As a data controller I must not hold data for longer than required.  Persons have the right to inspect and receive a copy of all data regarding them.  Persons have the right to apply to be forgotten.  Once an application regarding erasure of information has been received, I will respond within 1 month and delete all of the data related to that person (unless required by law to retain any documents).  I process personal client information on a secure and password-protected computer and am registered with the ICO as a data protection officer.

Purpose of the Policy

I recognise confidentiality and privacy are very important.  From 25th May 2018, under the General Data Protection Regulations, I am required by law to inform you how I keep safe the data you provide and how I hold this data.  I am bound by the code of ethics of the British Association for Counselling and Psychotherapy (BACP).  I am required to gain your explicit consent to holding your data in certain ways.

My aim is to:

  • Process personal data fairly and lawfully and not process data unless these principles and the rules set out here are followed
  • Obtain personal data only for specified and lawful purposes, and not process data in any manner incompatible with that purpose or those purposes
  • Obtain personal data that is adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  • Keep personal data accurate and up to date
  • Not keep personal data for longer than is necessary for their legitimate purposes
  • Process personal data in accordance with the rights of data subjects under the Data Protection Act, including GDPR regulations
  • Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • Not transfer personal data to a country or territory outside of the UK

The types of personal data I collect and use

I will keep client data you provide so that I can work safely and professionally following the BACP Ethical Framework.  Under GDPR you have the right to know what client data I hold, why I hold it, and for how long.  The client data that I hold may include:

  • Your name and address
  • Date of birth
  • Contact information including email address
  • An emergency contact’s name and phone number
  • Your GP name and contact details
  • Relevant medical information
  • Information about any disability or communication difficulty you may have
  • Session notes
  • Payment information
  • Emails to you, and yours to me
  • Informed Consent Form

All information you provide is stored securely on a password/code protected computer with up-to-date antivirus software.  Any payment transactions via your bank will only be identified by an anonymised client reference number and no other information will be required or shared.

Unfortunately, the transmission of information via the internet cannot be completely secure.  I have in place security measures to protect your personal data, but I cannot guarantee the security of your data, particularly by email; any transmission is at your own risk.  If there has been a data breach of your personal information, I am obligated to let you know.  Your contact details are kept in an electronic format on my laptop and mobile.  My laptop and mobile are password/code protected.  My professional liability insurer advises I keep session notes for up to five years after the relationship has ended, and for clients under the age of eighteen their records will be kept for five years after their eighteenth birthday.  After this time, they will be shredded.  I may delete your data when we have finished our work together, unless there is a possibility we will work together again in the future.

Controlling your personal information

I do not share your personal information with anyone else unless in pursuit of counselling on your behalf and only then if I have your permission to do so. In exceptional circumstances I may be required by law and my ethical responsibilities to break confidentiality with you.  I would discuss this with you first wherever possible but if you do not give consent I may still have to disclose information.  This relates to situations where you may be at risk of harm, causing harm to others, the safeguarding of children and adults at risk, offences under the Prevention of Terrorism Act 2000, serious crime under the Serious Crime Act 2007, drug trafficking or money laundering and road traffic accidents under the Road Traffic Act 1991 where I am under legal obligations.

This policy was updated on 18th January 2022, and will be reviewed on a regular basis.