To offer an effective counselling practice, I hold personal data about the people who contact me and decide to have counselling. This privacy notice tells you what I will do with your personal information from first enquiry until your counselling has ended. I follow the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and the guidance of my professional body (British Association for Counselling and Psychotherapy, BACP). I am registered with the Information Commissioners Office (ICO) which is the national regulator with responsibility for ensuring compliance with data protection in the UK.
My lawful basis for holding and using your personal information
A requirement of the GDPR is to state the basis on which I process personal data. For current clients, our contract is the lawful basis under GDPR definitions. I would not be able to carry out counselling without retaining your personal data. This includes data under the ‘special category’ of personal information which is often shared during counselling as part of the work. Special category data is retained under the GDPR provision for health treatment with a professional.
Personal data is retained for the purpose of ensuring that my counselling practice can operate. This means there are administrative requirements (such as being able to contact you to confirm or rearrange appointments), as well as the retention of basic notes from each session which is kept for clinical supervision and to comply with my professional obligations to my insurer. The ICO outlines that personal data should be kept only for as long as necessary and my insurer specifies seven years.
What data do I collect and retain
Your counselling contract includes the personal data that I request at the start of counselling: name, contact telephone number, address, date of birth, GP contact details and current medication.
The content of your counselling sessions is kept confidential. This means that the basic notes I retain are for my use only and to inform my clinical supervision. Supervision is done without identifying individuals and my supervisor is also bound by professional ethical guidelines around confidentiality. The notes I keep are stored securely, separate from your identifying data (name, contact number etc).
In line with BACP ethical guidance confidentiality will only be broken if you say something that raises concern about serious harm to yourself or others or if a court of law requires me to disclose information. In the event that confidentiality must be broken I will always try to speak to you about this first, unless there are safeguarding issues that prevent this. To fulfil my duty of care towards you while also maintaining your confidentiality I will only contact your GP if it is necessary and should these circumstances arise I would discuss this with you wherever possible before contacting your GP.
Personal data from the counselling contract is kept in hard copy and stored in a locked filing cabinet that can only be accessed by me. Electronic records of email communications about appointments are retained on my email account which is password protected. My electronic devices (laptop and phone) are used to access the email account and are both protected by separate passwords.
As part of my professional practice I have a clinical will. This is an arrangement with a counsellor colleague whereby in the event of sudden ill health or accident that prevents me from meeting you as planned, my counselling colleague has your first name, time of our regular appointment and contact phone number so that you can be informed about the situation by an appropriate professional. These details are destroyed when I tell my colleague that our sessions have ended, and for the duration of our work together, my colleague retains the details securely.
Once your counselling has ended
Current industry guidelines recommend the retention of counselling notes for seven years after the work has ended. Financial records are required to be retained for five years. I follow the recommendations accordingly: all my accounting records are destroyed after five years and my session notes after seven years. Personal details are destroyed one month after the end of sessions, with the exception of your name, date of birth and client reference number to enable me to identify your session notes if I’m required to do so.
Personal data retained from enquiries that do not lead to regular counselling sessions is destroyed after a month.
GDPR includes the following rights:
– to request access to the personal information that I store and process about you
– to ask for corrections to be made to the information held or for your personal information to be deleted
– to restrict the processing of your personal information
– to object to the processing of your personal information altogether in some circumstances.
Requests can be made directly to me, by email: email@example.com
Further information about your rights is available from the Information Commissioners Office ico.org.uk/your-data-matters
Note that in certain circumstances it may not be possible to fulfil a request. Where a court of law requires records to be retained, for example.
Queries or complaints
I am the Data Controller for my counselling practice and I’m registered in this capacity with the ICO (registration number ZA352968). (Data controller is the term used to describe the person that collects and stores and has responsibility for people’s personal data.)
Any complaints about my privacy notice and the way in which I handle your data can be emailed to me in the first instance. Formal complaints can also be made to the ICO directly (ico.org.uk/make-a-complaint).
Policy updated 18.11.2020