General Data Protection Regulation (GDPR) Policy.
The General Data Protection Regulation (GDPR) is concerned with your personal data that I collect, store, and share.
This page details my GDPR policy.
Personal Data I will Collect.
- Name.
- Gender (birth gender, or your corrected identity, whichever you prefer).
- Age.
- Date of Birth.
- Relationships & Progeny.
- Occupation.
- Address.
- Telephone/SMS number (plus permission to send SMS & leave voice message).
- Email address.
- Counselling History.
- Medical conditions relevant to counselling.
- Prescribed medication, relevant to counselling.
- Difficulties.
How I will store your Personal Data.
Storage Methods.
- Paper: written notes (described below).
- Smartphone: I will store your contact data (Name, mobile #, email address) in a plain-text note app that backs up to my private Google Drive. This allows me to contact you in case of emergencies, but keeps from revealing this data to other applications (i.e. not using a Contacts app).
- Email/SMS/WhatsApp: your email address and correspondence will be stored in my email account (currently GMail) by nature of you contacting me. Your telephone number may be stored in my SMS or WhatsApp app should we exchange messages this way. Electronic correspondence will also be held by the corresponding app (Gmail, Phone's SMS, WhatsApp).
- Website: none of your personal data is stored on my website, other than to momentarily collect & send it to my Gmail account for the purposes of our initial contact, after which is automatically erased.
A note about GMail (Outlook etc) and Electronic Messaging Systems - free electronic email & messaging services (Gmail, Outlook, Facebook, WhatsApp etc) regularly read incoming & outgoing messages electronically. One of the reasons for this is that the service gains knowledge about the messaging user for the purposes of selling advertising to other companies. To put it plainly: if you email me about the topic of, say, your sexuality using your GMail address it's very likely sexuality will be associated with your email account... which will possibly attract associated advertising topics wherever you're logged in with that same account (eg Google.com).
Best advice I can give is (a) to read the terms of service your free messaging provider and (b) to be cautious in what data you include when communicating electronically.
Documents Held.
Paper...
- Contact Sheet
- Contract/Agreement
- Assessment Record
- GDPR Agreement
- Client Code (linking documents)
- Brief Session Notes*
Electronic...
- Contact name & telephone
- Email/SMS/WhatsApp.
How I may Process/Share your Personal Data.
Consultation.
I seek a monthly consultation with another therapist qualified in this process. The consultation process is for my practice (rather than seeking instruction on working with you). In order to protect your privacy, my consultant will not know you personally nor professionally. I will refer to you by your first name, and I may refer to your data verbally when it's helpful to my professional processes.
*Session summaries are my aide mémoire to assist me in my consultation processes; they are my property.
Therapeutic Will.
Your name and contact details will be shared with my Therapeutic Executor. This is so that you will be contacted on the event of my death, should you still be in therapy with me.
Emergencies.
If your health is in jeopardy (provided I have your consent) I may share your contact data with an emergency healthcare service (e.g. Mental Health Crisis Team).
If I have become aware of your intent to cause harm to another person/organisation (e.g. terrorism), the law may require that I inform an authority without seeking your permission. In such a situation, the law may require that I share your personal data without your knowledge (known as: whistle-blowing).
Erasing your Data.
When we have finished working together, I will erase electronic copies of your data & correspondence within one month.
I will hold onto your written/printed data for up to seven years past the end of our working together. This is so that I have a reference of our work in situations such as you returning to counselling in the future. After this time has passed, I will destroy the written/printed data.
Your Rights.
You have the following rights...
- To be informed about what data you are giving me which I will record / have recorded (i.e. to be given this document).
- To see the data you have given me about yourself** (free of charge for the initial request only).
- To rectify any inaccurate or incomplete personal data about you**.
- To withdraw consent to me using your personal data about you**.
- To request your personal data be erased** (however I have the exception right to decline your request whilst the data is required for me to practice lawfully & under insurance (around 7 years) - see example titled "Healthcare Provider" - ICO.org.uk ).
** With individual counselling "you/your" refers to yourself alone. With couple and group counselling "you/your" refers to you as an individual and therefore you may only make a GDPR Data Request for data held about you as an individual; you may not request data held on your partner (couples) and you may not request data held on any other member of the therapy group (groups). *With respect to my session notes they reference either the individual (individual counselling), the couple's relationship (couple counselling) or the group dynamic (group counselling) depending on the counselling service contracted. Therefore, to request a copy of my notes under GDPR: as a couple both your permissions will be required (and a copy will be sent to both partners simultaneously), and for a group every group member's permission will be required (and a copy will be sent to all group members simultaneously).
NB: A printed copy of this statement will be given to you when we first meet for counselling. If we agree to continue working together, we will both sign the printed copy of this statement to indicate our agreement.
Request to be "Forgotten".
This section references information from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
The right (to have all data erased) does not apply to all lawful bases and may be refused in some circumstances.
- The UK GDPR introduces a right for individuals to have personal data erased (the right to erasure is also known as ?the right to be forgotten?).
- The right is not absolute and only applies in certain circumstances.
Whilst clients of counselling have the right to have their personal data erased if the personal data is no longer necessary for the purpose which (the counsellor) originally collected or processed it for, the right to erasure does not apply if processing is necessary for one of the following reasons:
- to comply with a legal obligation.
- for the establishment, exercise or defence of legal claims.
The UK GDPR [...] specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for the purposes of preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services. This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional - see example under: ICO.org.uk).
Example:
- A healthcare provider (e.g. a counsellor) receives a request from a previous patient to erase all of their personal data.
- The provider?s liability insurance requires them to retain patient records in case of complaints or legal claims.
- The organisation (e.g. the counsellor) can refuse the request to erase the individual?s data, as they are processing the data for the establishment, exercise or defence of legal claims.
In short:
Whilst GDPR gives you the right to request that you be forgotten after our counselling work is no longer taking place, GDPR gives me the obligation to decline the request due to my insurance provider requiring I keep notes/records on file for up to seven years due to the potential for case complaints or legal claims. After seven years have passed, following the end of our work, I will destroy all notes and records of our work.
Page copyright Havant Counselling & Dean Richardson 2018.
If you’re a counsellor or other therapist, you may use this page as a reference to forming your own policy. Please think… don’t just copy!
Policy formulated from Karen Emery’s website: Counselling in Notts –Â GDPR Made Easy for Counsellors:-Â http://www.counsellinginnotts.co.uk/gdpr-made-easy-for-counsellors-part-1 which references the ICO’s pages on GDPR.
PDF Version:Â GDPR Compliance Statement for Havant Counselling
Got a Question? Don't Hold Back…
Got a question about Dean Richardson's counselling services in Havant (Hampshire)? Want to make contact, maybe asking about a first appointment? Send Dean a message any time…