General Data Protection Regulation Notice
In my role as a therapist, I will hold information about you in electronic data format. This notice explains how I look after your personal data. It informs you about your privacy rights and how the law protects you.
What is personal data?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number (e.g. national insurance number), location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This includes chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
What sort of personal data do I collect?
I electronically record your contact details on my file: your name, telephone number, email address, date of birth, postal address and the details of the GP you are registered with.
I electronically record the date and time of your sessions, as pseudonymised (coded) calendar items.
I retain any emails and text messages relating to session bookings and cancellations.
Do I collect sensitive personal data?
I do not record on your file any of your sensitive personal data. By GDPR definition, sensitive personal data would include genetic or biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union activities, health, sexual orientation, or details of criminal offences.
How do I obtain personal data?
I obtain personal data directly from you. It is important that this data is accurate, so please inform me in case of any changes.
Why do I collect personal data?
I collect personal data to retain the information needed in order to contact you in relation to your bookings and cancellations, and also for safeguarding practices, as outlined in the British Association for Counselling and Psychotherapy (BACP) Code of Ethics.
I record session attendance to track the progress of counselling and for accounting purposes.
How long do I keep personal data?
I will keep your data stored for seven years after the end of counselling. For clients under 18 at the end of counselling, I will keep this data for seven years after reaching adulthood. I will keep your data for longer if there’s a possibility of regulatory or legal proceedings or if I am at the time subject to an ongoing legal obligation.
What do I do with personal data?
I create personal data when I first enter a record on my file, and access it when required thereafter until deletion.
What security measures have I put in place?
I have put in place appropriate information technology security measures to prevent your personal data from being accidentally lost or accessed in an unauthorised way. I have a duty to report to the ICO and to you any case of loss or unauthorised access of your personal data.
Additional info on non-encrypted electronic communication:
Please note that no communication via open text email or SMS is secure in a strict technological sense. When using email or SMS, privacy may be compromised on the sender's side, on the receiver's side, or in transit, as there is no end-to-end encryption. While the messages you send me via email or SMS are stored encrypted once they reach my inbox, please use good judgement with respect to the content of your messages if emailing or SMS texting me, as I cannot be liable for the inherent lack of security of such data protocols. End-to-end encrypted services like iMessage or WhatsApp are more secure in principle.
With whom do I share personal data?
Under BACP’s Code of Ethics, where I believe you or others are at significant risk of harm, I have a duty of care to inform your GP, social services or police.
I may also be required by relevant bodies or organisations to share your personal data in the case of regulatory or legal proceedings.
I am satisfied that any of the relevant organisations and bodies with which I may have to share the information are GDPR compliant in their own right.
Is there any legal basis for me to collect your personal data?
Yes, there is:
Where it is necessary for my legitimate interests as a professional psychotherapeutic counsellor in providing services to you and meeting my own professional obligations, which do not override your interests and fundamental rights.
Where it is necessary to comply with a legal obligation.
For the purposes of the provision of healthcare and treatment and in light of my professional obligations of confidentiality.
For the purposes of safeguarding an individual from harm.
To establish, exercise or defend legal claims.
Do I allow personal data to be transferred outside of the EEA?
I don’t allow personal data to be transferred outside of the EEA.
Am I registered with relevant bodies?
I am registered with the Information Commissioner’s Office (ICO).
Your rights
Under GDPR, you have the right to:
Request access to your personal information (commonly known as a "Data Subject Access Request"). You can request a copy of your personal information that I hold and check that I am lawfully processing it.
Request correction of the personal information that I hold about you. This enables you to have any incomplete or inaccurate data I hold about you corrected.
Request erasure of your personal information. You can ask me to delete or remove personal information where there is no good reason for me continuing to process it. You also have the right to ask me to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where I may have processed your information unlawfully or where I am required to erase your personal data to comply with local law.
Object to processing of personal information where I am relying on my legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
Request restriction of processing of your personal information. You can ask me to suspend the processing of your personal information in the following scenarios: (a) if you want me to establish the information's accuracy; (b) where my use of the data is unlawful but you do not want me to erase it; (c) where you need me to hold the data even if I no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to my use of your information but I need to verify whether I have overriding legitimate interest to use it.
These rights are subject to various legal exceptions. If you make any of the requests above, I would explain to you in my response if I have relied upon any of these exceptions.
You have the right to make a complaint at any time to the ICO. Full details can be found on the ICO’s website www.ico.org.uk. However, if you have any concerns, I would be grateful for a chance to deal with these before you approach the ICO.
Changes to this privacy notice
I keep this privacy notice under regular review. Last updated: 10 March 2020.
MSc BA (Hons) PGdip: MBACP