This privacy notice gives you information about how I look after the sensitive personal data that you share with me as part of our counselling relationship. It’s important to me that you know how I do this so that you can have trust in me as an ethical professional practitioner. It’s also a legal requirement under the General Data Protection Regulation (GDPR) and the Data Protection Bill that I explain to you how I process your personal data.
As a solo practitioner, I am the ‘Data Controller’ (the person who determines the purposes for which any personal data is processed, and the way in which this will be done) for my business. ‘Processing’ your data means obtaining, collecting, and holding your personal data (e.g. name, email, phone number) or sensitive personal data (e.g. physical and mental health information).
For full details of my data management systems, a copy of my Data protection – principles, policy and procedures document is available on request.
What personal data do I process and how do I do this?
Personal data is information about a living individual who can be identified from that data. As part of our counselling relationship, I will process personal data about you. This is in several forms:
contact details (e.g. name, email address) session notes (e.g. physical and mental health details, family history) reports letters and e-mails other such written material gathered during the period of assessment and therapy.
Your personal data may be processed using hard copy, electronically, or verbally. Where data is processed electronically, effort will be made to ensure the safe and secure processing of the data. Sensitive personal data (e.g. session notes) is encrypted by password.
What legal basis do I have for processing your data?
I process personal data to establish, develop, and maintain our therapeutic relationship, to comply with UK law, and to keep appropriate records and accounts. Data processing is necessary for the contract I have with you (to effectively provide counselling/ecotherapy), or because you have asked me to take specific steps before entering into a contract (e.g. by contacting me about providing counselling/ecotherapy).
I seek explicit consent from you to do this – as part of our contracting in our initial session, and via this privacy notice.
I meet my obligations under the GDPR by:
keeping personal data up to date storing and destroying it securely not collecting or retaining excessive amounts of data protecting personal data from loss, misuse, unauthorised access, and disclosure ensuring that appropriate technical measures are in place to protect personal data.
Will I ever share your personal data?
I will treat your personal data with strict confidentiality, and will not disclose your data without your explicit consent, except when obliged by UK law or if I believe there is a real and significant risk of harm to the yourself or to others.
How long do I keep your data for?
Your contact details will be deleted or destroyed when you end counselling. Session notes are kept for five years and then deleted, unless I am required by law or my governing bodies to retain your data for longer. In exceptional circumstances, I may keep your personal data for longer than five years where I believe there is a compelling psychological justification. Wherever possible I will seek to discuss these exceptional circumstances with you at an appropriate time.
What rights do you have as a client?
The right to access your personal data – You have the right to see the records I keep about you. Please ask me in writing and I will provide you with a copy of your records within one month of the request. There is no charge for this. The right of rectification – If you feel your data is inaccurate or incomplete, then please let me know. I will discuss this with you and do my best to correct it as soon as possible. The right to restrict processing – You can ask me to restrict the processing of your data, e.g. if there is a dispute over the accuracy or processing of your data. You may also ask that I do not delete your data after five years if you require it to be retained to allow you to establish, exercise or defend a legal claim. When processing is restricted, I would continue to store the personal data, but not further process it. The right of erasure – If you want to withdraw your consent for processing your data then you can ask me to erase it. I will do my best to erase data. However, it may not be possible to erase clinical notes for legal reasons, e.g. in the event of legal claims, and as it is a requirement of my insurance company to keep records for five years. The right to portability – You have the right to have your data returned to you in an electronic format – e.g. clinical notes to take to another counselling provider. The right to make a complaint – You have a right to object to my processing of your personal data, or make a complaint about the way I process your data. You can do this to me directly, or if you prefer (or if you are unhappy with my response), you can contact the Information Commissioner’s Office.
If I wished to use your personal data for a new purpose, not covered by this Data Protection Notice, then I would provide you with a new notice explaining the new use before doing this processing. I would seek your prior consent to the new processing.
If you have any questions or complaints, please in the first instance contact me.
You can also contact the Information Commissioner’s Office on 0303 123 1113 or via their website.