Under GDPR regulations 2018, I am what is known as the 'data controller' and also the 'data processor', and I have specific responsibilities and requirements accompanying these roles to protect your privacy.
My counselling practice is registered with the Information Commissioner's Office (www.ico.org.uk), the UK authority for upholding data protection. I am bound by their policies with regard to your privacy, as well as the BACP code of professional practice.
What is personal information?
The Data Protection Act 1998 (DPA) defines personal information as any information that can be used to identify a living individual. Individuals can be identified by various means including their name, address, telephone number or email address for example.
What are the laws that protect my personal information?
The DPA and the General Data Protection Regulation (GDPR) require that all organisations that store personal information about people may only do so provided that the information is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; kept in a form that permits identification of information subjects for no longer than is necessary for the purposes for which the personal information is processed; and processed in a manner compatible with the purposes for which it was collected.
How will you collect and store my personal information?
I will collect your personal information in the following ways: via my website, over the telephone, via email, in writing, and in person during our meetings.
How will you store my personal information?
I will store your personal information both electronically and manually. Personal information such as phone numbers and email addresses is stored electronically on devices that are password and/or fingerprint I.D. protected.
Session notes are all written on paper and held securely in locked storage in an anonymised format. These records are only accessible by me.
Your role in protecting your own privacy:
~ You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.
~ You acknowledge and agree that you share information via the internet at your own risk.
~ You agree to take responsibility for your own role in safeguarding your data privacy in the email address you choose to use and whether or not you choose to password protect information you send to me.
Your information does not get shared with anyone else within my private practice, as I manage my practice myself, and operate my business as an independent 'sole trader'.
I will never try to obtain information about you from any third party without your knowledge and consent.
Who will you share my information with?
I will never share your information with any third party - unless you have explicitly told me that you would like me to, in order to help you get additional support.
If you are claiming the cost of your sessions through your insurance company, they may request details of your treatment and progress from me in order to authorise further funding for your treatment. I will share the minimum amount of information necessary with your insurance company.
There are some exceptional situations where I would be legally required to share your information with third parties, without your consent:
• If I am required to disclose data about you under a Court Order.
• If I am concerned about the welfare of a child, i.e., where there are child protection issues relating to potential physical, mental, sexual abuse or serious neglect.
• In the case of risk of serious harm to self or others.
How long will you store my personal information?
According to the GDPR, your personal information should be stored for no longer than is necessary. In practical terms, I will usually store your information for a minimum of 7 years following the termination of your treatment. However, I may need to store your information for longer than this in order to comply with terms set out by third parties such as health insurance companies.
Can I ask for a copy of the personal information that you store about me?
Yes. The DPA gives you the right to find out what information I store about you by requesting a copy of it. Any request that you make to obtain a copy of the personal information that I hold about you is called a 'Subject Access Request'.
Can I request that you delete my personal information?
You have the right to request the correction or deletion of any inaccurate personal information.
Your rights under the DPA should be exercised in writing to me at:
I hope this addresses any privacy concerns you may have. I’m always happy to discuss this further.