Saffron Counselling GDPR Data Protection Privacy Statement and Information
Heather Robbie, Diploma in Psychodynamic Counselling
Dynamic Interpersonal Therapy (DIT) Practitioner
Diploma in Groupwork Practice
Advanced Certificate in Clinical Supervision
Accredited Counsellor, BACP Registration Number 096096
Telephone: 07548 110979
For the purposes of the Data Protection Act 1998 and the General Data Protection Regulation (“GDPR”) 2016/679 that came into effect on 25th May 2018.
Privacy and data protection compliance have always been a high priority now GDPR makes it a legal requirement.
The GDPR is EU legislation affecting how we collect store and use data, providing us with a framework, building on the provisions of the Data Protection Act 1998. It concerns data held in any form i.e. paper, on computers or on any mobile device such as mobile phone, tablet or data storage.
GDPR states data should be processed fairly and lawfully obtained for lawful purpose adequate and not excessive, accurate and retained for no longer than necessary. Data should be processed in accordance with the rights of the data subject and secured against breaches loss or destruction. It won’t be transferred outside the jurisdiction (Europe).
What you need to know-
I need to tell you what I do with your information in my role as Counsellor and Supervisor and as a Data Controller and Processor.
I need to explain why I store your data, how I hold data and for how long and your right to complain to ICO if you feel there is a problem in how you feel I store your data.
I am a data controller and processor under GDPR and registered with ICO under Registration number ZA313809.
As a data controller I gather, record, process, store and destroy personal data and by doing so I need to meet GDPR requirements.
I am responsible for compliance with the principles set out in GDPR and must be able to demonstrate this to data subjects and the regulator (ICO).
The information I am collecting-
- Data is personal information that can identify an individual.
- As a counsellor I collect sensitive personal data – client information contact information personal detail and story e.g. on mental health history or relational or sexual history criminal offences or convictions.
- This means there are enhanced requirements to add regarding security and consent.
- I hold contact data on laptop and phone (email address telephone number)
- I hold clinical notes on paper only – I will review and update annually to destroy notes (shedding and or burning which are no longer needed to be held).
- All client information is regarded as confidential by me.
- Client information will not be used for any purpose other than authorised.
- Only Information whose need can be justified is accessed e.g. for the purposes of administration assessment and treatment.
- Passwords are not shared e.g. email access or mobile phone access.
- Contact information Data is protected by a Case Number and clinical notes are held under this number.
You have the right to expect the highest level of confidentiality regarding your information. Serious breaches of confidentiality involving sensitive personal information may result in legal proceedings being instigated by the ICO.
Consent to data collection and processing by a data subject (client or supervisee) needs to be explicit and signed by the data subject. Therefore, you will be asked to read and agree for me to process your data to provide counselling.
GDPR states Personal data should be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified explicit and legitimate purposes.
- Adequate relevant and limited to what is necessary.
- Accurate and where necessary kept up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.
- Processed in a manner that ensures appropriate security of the personal data. This includes retention and destruction processes for information no longer required.
Why I am collecting your data/ My legal basis for data processing. (Contract & Consent)
My justification, the legal basis, for gathering data is that I need to gather data necessary for the fulfilment of a contract (please also see Counselling or Supervision Agreement).
I hold data as long as needed in order to contact you to set up a session or change any arrangements, or to take a history of relevant information to progress counselling or supervision.
I need your explicit consent to collect, store and use this data. (see agreement).
How I will use your data – in carrying out what is required to provide my counselling or supervision service to you. This refers to the acceptable use of systems, my responsibility and any possible consequence of a breach of confidentiality.
I do not pass your data to any third party for marketing purposes. It is important that when the you share contact details with me, that they are either confidential, or the you agree to messages being left on the telephone numbers, to any person answering their telephone, or necessary correspondence being sent to the postal address given.
It is not my policy to share information about you with any third party unless there is an issue of risk or I am required in law to do so. If information about you is requested, it will only be shared with your specific written and signed consent. You will see and sign this in our agreement at the beginning of any work we do together.
You also have a right to access data within 30 days of request, and this will be provided free of charge and within 30 days of your written request. Please also see my Counselling Agreement which explains consent and that my complaint procedure is through my supervisor and professional body.
Your 6 Rights under GDPR
You have the right to:
be informed of how data is collected stored and managed (protected and processed)
access the data that is held about you
rectification /review data and understand how it is stored and used. You have the right to correct personal data.
stop data processing (eurasure)
data portability (refers to personal data by automated means- devices)
not be the subject of automated decision making including Profiling
The ICO website includes information on your rights:
How will your data be recorded and stored?
(And what happens re Data Breaches)
I will have systems in place to ensure as much confidentiality and safety as possible for no data to breach GDPR regulations and principles. Specifically:
- My laptop is password protected only to me and only for work.
- I keep paper notes which are locked in a filing cabinet in my home and accessible by a key I keep.
- I have a work phone separate from personal so information is only saved on first name and held as long as it is necessary to contact I will not hold onto your information longer than is necessary.
- Texts and emails are not currently encrypted I endeavour only to use text and email for practical purposes e.g. to arrange appointment or sometimes send self-help material or links but I will check with you beforehand to ensure this is okay with you.
- If I discover a data breach I will inform ICO within 72 hours and/or affected individuals if a breach happens, in line with ICOs recommendations.
- A counsellor needs to retain clinical notes for defensive purposes, for up to 7 years, in case of a complaint according to my professional/clinical insurance guidance. You can authorise me not to retain clinical notes by providing a disclaimer that you will not make a complaint against me at any stage during the term of our counselling or supervision agreement, or after it is terminated.
- You have the right not to be contacted by me after our work together has ended which I do not normally do.
- Oxygen, my professional indemnity insurer, recommend holding contact information in emails and phone number or 6 months after works completion.
- I keep clinical notes in paper form which I hold for up to 7 years from the end of our work together. After 7 years, paper notes are shredded.
- Any enquiries by phone or email that do not progress to an assessment or ongoing work, I keep for 6 months and then destroy by shredding or removal from my computer or mobile device.
I only use your Personal Information in the case of a necessary or emergency contact. Your information will be stored in a locked filing cabinet, and retained for a period of seven years after termination of the Counselling or Supervision contract. After seven years, any information about you that is held in paper form will be destroyed safely and securely, by shredding. Any electronic records or information such as emails relating to will be retained for a period of seven years after the termination of our Counselling or Supervision contract, after which all electronic information will be deleted.
Your contact details will be stored on my work mobile phone fr the duration of the supervision contract. All contact details and text messages will be deleted one month after termination of the supervision contract.
The Personal information stored me under GDPR must be accurate and up to date. If the information is incorrect or requires updating, please notify me as soon as possible. You have the right at any time to revoke your consent and request that your Personal information is erased or destroyed. I am duty-bound to abide by your request unless there is any over-riding legislation or legal reason requiring me to retain your information.
You have a right to access and request access to or copies of l information held by me, and I will respond within 30 days of receipt of a written request from you.
I do not pass your data to any third party for marketing purposes. It is important that when you share contact details me, that they are either confidential, or that you agree to messages being left on the telephone number(s), or with any person answering the telephone, or necessary correspondence being sent to the postal address given.
It is not the policy for me to share information about you with any third party and if requested to do so, information will only be shared with your specific written and signed consent.