This privacy notice provides you with details of how we collect and process your personal data through your use of our site www.unconditionalcounselling.co.uk.
In addition to processing data in accordance with the DPA, Counselling and Psychotherapy is undertaken in accordance with the BACP Ethical Framework, which places professional responsibilities on the therapist to handle client data confidentially, safely, and ethically.
Like any business the company needs to transact business, keep accounts and communicate with suppliers and organisations. It has to keep your data in respect of these functions. In respect of this, the company uses personal data. Some examples of this type of data are:
Email contact information
It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at firstname.lastname@example.org
Sources of data
Our data comes from a number of sources:
Referrers may contact us asking us to work with a particular client. Typically, the referral will include both personal and sensitive data. We process all data in accordance with DPA and GDPR and by the contract that exists between the referrer and ourselves.
Clients will contact us looking for counselling services. Typically the information required to deliver that service may include sensitive and personal data. We process that data in accordance with the DPA and GDPR and for the purposes laid out below.
Processing of data
At the start of counselling, we will discuss the information that we will hold with you and ask you to consent to us holding and processing that data.
We hold and process sensitive data for the medical diagnosis and treatment undertaken by us in the course of counselling. This is held in the form of clinical notes.
We hold personal data for a number of purposes:
It is a contractual necessity to be able to carry out your counselling, for example to arrange and maintain appointments.
We have a need to collect data to fulfil our legitimate interests in carrying out our legal obligations in running the company.
We may use your information where there is an emergency or a life-or-death situation, as outlined below.
Where the client intends to harm themselves or someone else, we will breach their confidentiality.
Where we reasonably believe that a child or a vulnerable person is at risk, we may share a minimum set of data.
We will share data with a court where we receive a court order, valid in Scotland, for release of data.
We will share data where the client consents to a release of data. In this case, we will agree with the client what data is released. We will ask for identity and written authorisation.
Who do we share information with?
For the clients whom they are or have been treating: They have access to the clinical notes that contain sensitive data. They can also access personal data.
Referrers (Includes EAP referrers)
For the clients they have referred. They can see the outcome reports of the therapy that may include sensitive data. They will have access to the personal information. In respect of the company, we are a sub controller of this data and process it according to the contract between us.
Where an individual has paid by BACS, cheque or electronic means, personal data may appear on our bank statements and as such is in our accounting records.
Where we make a referral
If we make a referral we will agree with you the information to be passed on, but it will normally include both personal and sensitive data.
We do not hold or process mailing lists or carry out direct marketing nor do we provide personal details to other organisations for the same or similar purposes.
A Data Protection Policy includes the physical and electronic protection of the data. This is important both during the period of use and in any retention period.
The company keeps both paper and electronic records.
Paper records are secured under lock and key at all times in locked filing cabinets.
Electronic records are encrypted using strong encryption. The encryption keys are stored separately to the data. The data files are not stored in a device that is accessible from the Internet and secure backups are taken and stored with the same electronic safeguards.
Email is not currently encrypted and so is not used for the company’s sensitive information.
Referrer client information is transferred in accordance with that referrer’s data controller’s instructions and processes.
Phone and email data is only maintained for the duration of a client or supplier’s active contact with the company.
The company maintains no personal data on social media or on its website.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
When deciding how long to keep the data, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes, whether these can be achieved by other means, and legal requirements.
For tax purposes the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
Access to records
The DPA gives the subject of personal data a right to access the information which is being held about them. This right is referred to as a ‘subject access right’ and refers to all electronically stored records and data held about the client in structured manual files.
A written request and proof of identity are required, and there is no fee. This entitles the data subject to be informed about what data are being processed, for what purpose, to whom they have been or may be disclosed, and to be provided with a copy of those data.
This information should be provided within 30 days, and the release of records cannot be made conditional.
A client who considers that there is an inaccuracy in the record may ask for it to be corrected with the agreement of the therapist. If there is disagreement about what would be a correct record, it is good practice to include a record of the client’s objections in the notes. Any therapist who is concerned about the client’s response to seeing their records may offer to be present and explain the records or to arrange for another suitably qualified person to be present. If the therapist is concerned that access to the notes would cause serious harm to the physical or mental health of the data subject and that access to the notes may constitute a health risk, it may be possible to refuse or defer access with the authorisation of the health professional who is currently or was most recently responsible for the clinical care of the person concerned. (Data Protection (Subjects Access Modification) (Health) Order 2000, section 7) https://ico.org.uk/for-organisations/guide-todata-protection/principle-6-rights/subject-access-request/ The legal presumption in favour of access to personal data makes this an exceptional provision that ought not to be sought or granted lightly.
Clients of the Company have the following rights under the DPA; clients are informed of these via the client contract that they sign and agree to for any clinical work.
To access a copy and explanation of your personal data.
To request correction or erasure, in certain circumstances.
To request limiting or ceasing data processing, where applicable.
To compensation for substantial damage or distress caused by data processing, where applicable.
Data access request for information procedure
A clear, specific request
The company does not have to start working on a subject access request until you have provided enough information for us to find the personal data.
For example, a request for ‘all of the personal data held on me’ is not specific enough for us to find your personal data.
The company takes great care to ensure that personal data is only disclosed to those who are authorised to access it. For this reason, you will need to provide a form of ID from each of the lists below to request your personal information.
Examples of acceptable photographic identification:
Current driver’s licence
Current work identification badge with unique works number
Examples of acceptable proof of address:
Council tax bill
Address ID is necessary to ensure that your personal data is being posted to the right place.
Subject access requests should be made by emailing email@example.com outlining your request.
Report of Data Breaches
Any breaches of Sensitive Personal Data held by the company will be reviewed and actioned in line with current legislation and reporting processes in place with the Information Commissioner’s Office. It is a mandatory requirement that all data breaches that have a material impact on an individual’s rights must be reported to the ICO within 72 hours.
Data Breaches affecting contracts with Employee Assistance Programmes must be actioned in line with each organisation’s specific policy/agreement and the processes in place within these organisations, which also meet current regulations with the ICO and Data Protection law.
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.