Counselling Privacy Policy
Overview
This privacy policy outlines your rights, and my obligations to you, with regard to the recording and storage of your personal information. In this privacy policy I will let you know what information I need to collect from you before we begin counselling, and what information I need to collect from you during counselling. I will also set out how I will look after your personal information, for how long I will store it, and who I will share it with. In addition, I will let you know what you are able to request from me with regard to this information.
What is personal data / information?
The General Data Protection Regulations (GDPR) state that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Why do you want to process my personal information?
I need to process your personal information in order to fulfil my contractual obligations to you as a therapeutic counsellor, for example to assess whether I am able to offer you counselling in the first place, and then to deliver effective counselling to you if therapy commences. Your personal information helps guide both my assessment process, and my clinical decision-making during counselling. I will also use the information that I collect about you in order to develop a better counselling website service. My contractual obligations to you as a therapeutic counsellor are the lawful basis for my processing of your personal information.
What are the laws that protect my personal information?
The General Data Protection Regulations and Data Protection Act (DPA) require that all organisations that store personal information about people may only do so provided that the information is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; kept in a form that permits identification of information subjects for no longer than is necessary for the purposes for which the personal information are processed; and processed in a manner that ensures appropriate security of the personal information.
How will you collect my personal information?
I may collect your personal information in the following ways: via websites, over the telephone, in writing, by email and in person during our meetings.
How will you treat my personal information?
I will treat your personal information in a way that is compliant with the DPA and the GDPR. The lawful and proper treatment of your personal information is important to me, not least in order to maintain your confidence in me, but also to maintain the confidence of other clients and staff.
How will you store my personal information?
I will store your personal information both electronically and physically. Personal information that is stored electronically on devices that are password and/or fingerprint I.D. protected, and in files that are further password protected and only accessible by me. Names and contact details are stored separately to other personal information (anonymised format). Personal information that is stored physically using paper records held securely in locked storage in an anonymised format. These records are also only accessible by me.
How long will you store my personal information?
According to the GDPR, your personal information should be stored for no longer than is necessary. In practical terms, I will usually store your information for 5 years following the termination of your treatment. However, I may need to store your information for longer than this, for instance in order to defend myself in a claim situation, or to comply with my insurance terms and conditions. Financial records will be kept for 7 years as per HRMC guidelines.
What types of information will you collect about me?
I will collect several types of information about you and in several different ways. For instance, when you visit my website I will collect the following information about your visit: I.P. address, location, search engine, date, time, web pages visited, operating system, and device.
If you request a call-back via email I will collect the following information: name, telephone number, date, and time.
Before committing to provide you with counselling services, I will ask you to provide me with the following information: name, email address, telephone number, home address, availability, the psychological issues that you would like to address, GP contact details, emergency contact details, health information, current medication, occupation, previous periods of counselling / psychotherapy and details about any psychiatric diagnoses.
Once we have agreed that that I am eligible to work with you I will invite you to an introductory counselling session where we will confirm that I am the most appropriate counsellor for you. During this introductory counselling session I may collect further information from you such as: goals for therapy, network of support, overview of family structure and situation, past and present relationships, and memories of early caregivers and significant experiences in your life.
What is ‘special category’ information, and why do you need to process this too?
Special category information is defined by the GDPR as being information that is more sensitive than other personal information, and therefore requiring of higher levels of protection. Examples of this type of information could include information about your health, race, sexuality, sex life, or religion. In order to lawfully process special category information, I am obliged to identify a specific condition for processing it under Article 9 of the GDPR and communicate this to you. With this in mind, the condition of the GDPR that I apply to the processing of your special category information is that it is ‘pursuant to contract with a health professional’. This means that, if you begin counselling with me, or ask me to assess whether or not you are eligible for me to offer counselling to you, then I will likely need to process some special category information about you. Usually, this is information about your mental health, and I need to process it in order to fulfil my contractual obligations to you in delivering safe, effective counselling.
What is a ‘data controller’, and who is the ‘data controller’?
The GDPR defines a ‘data controller’ as the person in an organisation who: ‘determines the purposes and means of processing personal data’. For the purposes of the GDPR, the ‘data controller’ is myself, Martin Stokley.
Who else will you collect information about?
I collect and process information about the individuals with whom my business operates. These include clients, staff, suppliers and other business contacts.
Who will my personal information be shared with?
Some of your personal information may be shared with your G.P., the emergency services, another healthcare or mental health professional or your emergency contact. Reasons for this sharing will include the requirements of a court of law, the threat of serious physical harm to you or to others, or during regular consultations with my clinical supervisor. Some of your personal information such as website visits, telephone call data, or payment information, is shared with third party providers such as a mobile phone operator, or card payment provider respectively. These providers operate under their own privacy policies, and these can be provided upon request.
If I were to die or be incapacitated I have a clinical will and I have designated a specific person (who is also a professional counsellor) to contact you. You understand that should this situation happen they would be given access to your records and contact details for express purpose of facilitating this process. They would also manage the secure disposal of your client records and the closing down of my counselling practice if necessary.
Can I ask for a copy of the personal information that you store about me?
Yes. The DPA gives you the right to find out what information that I store about you by requesting a copy of it. Any request that you make to obtain a copy of the personal information that I hold about you is called a ‘Subject Access Request’. You can email me at martinstokley@protonmail.com and ask for a copy of the information that I hold about you. I must respond to your request without delay, and usually within one month at the latest. I may charge a fee for providing this information based on the administrative costs involved.
Can I request that you delete my personal information?
Yes. This is known in the GDPR legislation as the Right to Erasure. You can request for your personal information to be deleted either verbally, or in writing. You can address this request to me at: martinstokley@protonmail.com. There may be an administrative charge for this. I may also have the right to refuse to comply with your request, for example in order to defend myself in a claim situation, or to comply with my insurance terms and conditions, and I will let you know my response to your request within one month of receiving it.
Can I object or complain about the processing of my personal information?
Yes. Whilst I hope that the policy outlined above will be sufficient to reassure you of the security of your personal information, should you wish to object or complain about the way that your personal information is being handled by me, then do please feel free to communicate this to me at the earliest possible opportunity. I will do my best to address your concerns and take steps to try and resolve whatever issues you may raise. You can email me at: martinstokley@protonmail.com. Should you wish to take the matter further, please contact the Information Commissioner’s Office on 0303 123 1123, or visit https://ico.org.uk/concerns/ for more information.