WHAT IS PERSONAL DATA?
Personal data is any information relating to a living individual who can be identified from that data. Identification can be by the information alone, or in conjunction with any other information in the data controller’s possession or likely to come into their possession. Information about you that does not identify you is not personal data. By law I have to tell you when I collect your personal data, what I do with it, and your rights relating to it.
WHO IS WOLLATON COUNSELLING SERVICES?
Wollaton Counselling Services is registered with the Information Commissioner’s Office (ICO), Registration Reference: ZA247554.
Mrs Julie Anne Bailey is the sole trader and data controller for Wollaton Counselling Services, responsible for processing your information.
HOW DO I PROCESS YOUR PERSONAL DATA?
Wollaton Counselling Services complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data.
WHY I PROCESS YOUR PERSONAL DATA
I only use your data in relation to the delivery of my services. I do not use it for marketing purposes, or profiling, or sell it to third parties. I need to process information about you so that I can provide you with services, because the law says I must, or because there is a legitimate interest to process it.
(a) Providing Services
I may process information about you to provide you, or an organisation you represent, with services such as counselling, debriefing, confidential reports, or training.
I may also process information about you so I can receive services from you, such as clinical supervision or professional advice, or so I can carry out work agreed with you for any other reason.
The lawful basis for this kind of processing is to fulfil a contract or to provide information before a contract is agreed. There may be an implicit contract between us even when it is not written. I will usually not be able to fulfil a contract unless I process your information.
(b) Complying with the Law
I may process information about you because the law says I must. Under GDPR, the lawful basis for this kind of processing is legal obligation.
When a child or adult is at risk of harm, the law says I must process that information and share as necessary to keep the person safe. The law says I must also process, and pass on as necessary, concerns that an identifiable person may have harmed others in the past.
The law also says I must use personal data to keep financial records relating to services given and payments received.
I may also need to process your information to comply with other legal requirements, such as court orders.
(c) Legitimate Interests
I may process information about you for valid reasons to help me, you, or other people – or what GDPR calls the lawful basis of legitimate interests.
When I provide clinical services such as counselling and debriefing, I may process information about persons who are not receiving those services from me. This is called third party information. I process third party information when it helps with the service I am providing. For example, in therapy you may expect me to remember information you have told me about other people in your family, and so I would record that information to remind me. Or if you wanted me to consult with other health professionals about your care, I would need to know their name and contact details. When I receive third party information about someone in confidence, I do not have to tell them, but they do have other rights over their information – see section 9, Your Rights.
If you contact me about my services or website, I may process your information so I can respond to your query, to make notes about any services I agree to provide for you, or to block you if I suspect you of phishing or spam.
When you email me or visit my website, information is routinely collected to trace which computer you connected from, making it possible to track any faults and maintain security.
I may ask you for feedback, and process any feedback I receive so that I can improve my services. I may post selected anonymous feedback on my website.
If you are a professional colleague, I may process your personal information as part of my work with you, so that we can keep in contact, meet and communicate to share ideas, and keep and share records of meetings we have, for our mutual benefit.
If you are a child, the law says I can’t expect you to agree a contract with me. But I may use information about you and other important people in your life. I use it to help you and your family stay or become more healthy. I write down what you tell me so I can remember it when you talk to me again. I may talk to other people who can help you and write down what they say. I keep your information private unless you want me to pass it on, or unless I have to tell other people to keep you safe. If I do tell other people, I only tell the people who need to know, and I only tell them what they have to know.
WHAT DATA DO I COLLECT?
I may collect any information you tell me. I may also collect information from other people about you, for example, people in your organisation or family, health professionals, or individuals who give me information about you before I have agreed to provide you a service, or to help me provide a service to you. This information may include:
- basic personal information (e.g. name, date of birth, organisation if relevant…)
- contact information (e.g. email addresses, phone numbers, postal address, Skype identities or other electronic contacts, emergency contact name and number)
- sensitive personal information, also known as special category data (usually about your health, and sometimes also other sensitive information if it’s relevant to my work with you)
- information about your network (e.g. your family relationships, friends, GP)
- safeguarding information about any risks affecting you and action taken to protect you
- any other information that may be relevant to my work with you
Where possible, I separate the personal information that would identify you from sensitive information and other information I process about you by keeping it anonymous. Information that does not identify you is not personal data.
I may also receive information from other sources, such as financial providers who display your identity when you make a payment, or email and web-hosting providers who automatically supply your IP address when you email me or visit my website.
I may collect names or contact details which are available publicly (e.g. full GP contact details when a client cannot recall them fully). I do not collect other information about you that is in the public domain (e.g. Google searches or your website, blog or other web presence) unless you ask me to. Please let me know if you would like me to look at such information.
SHARING YOUR PERSONAL DATA
With your express permission, i.e. the legitimate basis of consent, I may share information with your family members, medical and other health professionals, teachers, social care or other professionals, or responsible contacts in your organisation.
It may become necessary during our work together for me to break confidentiality under the legitimate basis of legal obligation. This might be for safeguarding reasons; risk of serious harm to self or others; acts of terrorism; drug trafficking/money laundering; or if I was issued with a court order which required me to share information. Where the reason is to safeguard a child or adult at risk of harm, I may share information with family members, police, statutory services, other professionals or responsible contacts in your organisation without getting your permission.
I may also share information for reasons of legitimate interest.
I do not share information that would personally identify you with supervisors or colleagues. However, I may discuss you anonymously in supervision or in consulting with colleagues, to ensure that I am providing you a good service.
In the event of my death or becoming incapacitated, a family member will pass a sealed envelope from my secure storage, containing names and contact details of my current clients, to my clinical supervisor. This is to enable my supervisor to make contact regarding my situation and to discuss counselling options going forward, to maintain your safety and wellbeing. My supervisor is bound by the same level of confidentiality as I am.
I may share information with financial providers where necessary for billing and payment, and email and web-hosting providers where that is necessary for email and website security.
I use electronic services for storing, transferring and processing information, including Skype, Zoom, VSee and Google. Some of these involve transferring information to countries outside the EU. All these services are password protected and encrypted and have an adequate level of protection.
I do not sell or pass on information to third parties to use for marketing purposes, data harvesting, or profiling.
HOW LONG DO I KEEP YOUR PERSONAL DATA?
I keep anonymous notes from client sessions in line with the requirements of my professional insurance and the Limitation Act. Where a contract is completed and I do not expect to work with the individual again, I keep information for five years after the end of a contract, the normal maximum time the HCPC allows for raising concerns. If the person returns for further work during that period, the five years will be from the end of our final contract.
For under-18s, information will be retained until five years after their 18th birthday. Keeping information after they reach adulthood gives them time to exercise their rights to access that information. This includes information on any concerns about risk to a child.
National and local guidelines say that information about alleged historical abuse must be retained until the natural retirement age of the abuser, or for ten years, whichever is the longer. If allegations are found to be malicious, or all information has been passed on to the police, I destroy such records within three months.
If relevant legal proceedings have begun but not been completed, including legal proceedings against an organisation, I may need to keep information about alleged abuse until the legal process is complete.
I am required to keep financial records for seven years, to ensure I comply with HMRC requirements.
Under GDPR, you have the following rights in relation to the processing of your information:
- The right to be informed about whether I am processing your personal information, and how I use it (you exercise this right by reading this privacy notice)
- The right to access (i.e. you can request to see the information I hold about you)
- In some circumstances, the right to data portability, i.e. for a copy of information you gave me to be passed on to another data controller (such as case notes to another therapist)
- The right of rectification, i.e. you can ask me to amend information about you if it is incorrect or incomplete
- If particular conditions apply, the right to ask me to erase information about you or to restrict my processing of it
- The right to object to my processing your information for reasons of legitimate interests
If I make changes to your information, or how I process it, as a result of your request, I also must tell you about anyone else I passed your information on to, and I must tell them about the changes.
If you want to exercise any of these rights, please contact me and make clear what you are asking for. Usually I have to act on your request within one month, without charging you a fee. I may need to ask you for more information about your request or to prove your identity.
Children have the same rights over their data, but where a child is not considered to be competent, an adult with parental responsibility may exercise the child’s data protection rights on their behalf.
There are exceptions to these rights. For example, if I received third party information about you in confidence, I do not have to tell you, but that does not affect your other rights. Or I may need to withhold personal information from you to protect you or others. In these and various other circumstances I may not have to comply with your request. If a request is unfounded or excessive, I may charge you a reasonable administrative fee to comply. If I refuse a request or charge a fee, I have to tell you why. If you are not happy with my response, you may complain to the ICO.
If you have any concerns about how I have used your data, you can discuss it with me in the first instance. My email is firstname.lastname@example.org and my phone is 07719 785 169.
You also have the right to complain to the ICO at https://ico.org.uk
The ICO also provides further information on GDPR.