Your privacy is a high priority. I am committed to being respectful of your personal information, handling it responsibly, and securely according to both insurance and governing body guidelines.
I will be transparent about what personal information I collect and process. I will use easy-to-understand language to describe my privacy practices to help you make informed choices
About me and the BACP
I am a registered member (378605) of the British Association for Counselling and Psychotherapy (BACP), operating remotely. The BACP is registered as a data controller with the Information Commissioner’s Office (ICO). It is a company registered in England and Wales (company number 02175320), registered address BACP House, 15 St John’s Business Park, Lutterworth, Leicestershire LE17 4HB.
I am required to keep your records for 5 years in-line with the terms of my indemnity insurance. After such time your records will be deleted and destroyed.
I update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was last amended on: 09.09.2021
2. How I use your information
a) Storage and management of personal information
Your personal data is anonymised, aside from your signed contract and any next of kin details that you supply to me within the contract document. Following that, you are then referred to by initials in all notes made following a counselling session. The purpose of any session notes is to allow your progress to be recorded and to provide a reminder of the session content. I am required by my insurance provider to keep client notes for a period of 5 years. After such time they will be deleted in soft copy and destroyed securely in hard copy. For the duration of the notes’ lifetime, they are protected by antivirus and privacy software and are password protected in soft copy format and kept in a locked box in hard copy format. Your contract information is kept separate to your client notes in both hard and soft copy to maintain confidentiality. Hard copy notes are stored anonymised in a secured locked box. Any information that you decide to send to me prior to sessions via email will only be viewed before your session and then deleted. I will not keep emails longer than is necessary in order to ensure security for my clients; this goes for any sessions that may need to be held via email in light of disaster planning/ business continuity or personal continuity (for the client or counsellor) where face to face sessions are unable to be held. The content may inform resultant notes but the original emails will be deleted after the notes have been produced.
Contact details will be stored under initials with regard to any telecommunication storage (phone book, contacts etc on a mobile device) the device is PIN protected and backed-up to a Google account. Text messages will only be kept for the length they are required and then deleted. Should sessions ever need to be held over the telephone for business continuity/ disaster planning or personal continuity (for the client or counsellor) then these communications will occur via Whatsapp to provide suitable
encryption and privacy that regular phone apps do not provide. This is in line with GDPR/ ICO and insurance requirements. Any information that you decide to send to me prior to sessions via email will only be viewed before your session and then deleted. I will not keep emails longer than is necessary in order to ensure security for my clients. Transactional information may be shared for audit and accountancy purposes and this will be limited to who paid, how much money was transferred and the date. Your personal banking details will not be used nor shared.
b) Visitors to my website and social media platforms
What your information is used for
I will never pass on your information to a third party to use in their own direct marketing. Your data is purely used to monitor website or social media traffic and enquiry data, nothing more. No data is stored on the website; anything transmitted from the website is sent to my secure email address accessed through Outlook to ensure security.
Sharing your information
I will not share your information with any third parties unless:
• It is as part of my duty to protect a child, a vulnerable adult, yourself or the public;
• It is for the prevention and detection of a crime;
• I am required to do so by any court or law or any relevant regulatory authority;
• Case information is relevant to Supervision sessions; the purpose of which is outlined in your Contract
I try to meet the highest standards when collecting and using personal information, and I take any complaints about this very seriously. I encourage you to let me know if you think that my collection or use of information is unfair, misleading or inappropriate. I also welcome any suggestions for improving my procedures. I am happy to provide any additional information or explanation needed, and further details can be obtained from the BACP website in terms of how counsellors need to behave in regards to data collection.
If you want to make a complaint about the way I have processed your personal information, because you feel we were unable to resolve it together in the first instance, then you can contact the ICO which oversees data protection law https://ico.org.uk/.
When people make complaints against a counsellor to the BACP, they will hold data relating to the complainant as well as details of the complaint and witnesses or interested parties. They may share information with panel members and external clerks. All data relating to the process is kept secure.
4. Audit and regulatory requirements
I may share any data about my operations with:
• my accountant
• Information Commissioner’s Office (ICO)
• My Indemnity Insurance provider
• BACP if my practice is audited
I am contracted to these third parties and as per my duty to them would be required by law to comply with their instruction.
5. Your rights
Under the General Data Protection Regulation (GDPR) you have rights as an individual data subject, which you can exercise in relation to the information I hold about you. You can read more about these rights on the https://ico.org.uk/
Access to your information
I try to be as open as I can in terms of giving people access to their personal information. You can find out if I hold any personal information about you by making a ‘subject access request’ under GDPR. If I do hold information about you, I will:
• give you a description of it
• tell you why I am holding it
• tell you who it could be disclosed to
• let you have a copy of the information in an accessible format.
If you agree, then I will deal with your request informally, for example by providing you with the specific information you need over the telephone or in writing.
You can ask me to correct any mistakes in any factual information that I might hold about you, such as your address, date of birth, contact details etc.
Erasure or right to be forgotten
The GDPR also gives you the right to have the data I hold about you deleted in some circumstances. This is called the ‘right to erasure’ or the ‘right to be forgotten’. The right applies in the following circumstances:
• I no longer need your data
• You originally provided consent and have now withdrawn consent
• You have objected to the use of your data and your interests outweigh mine
• I have collected your data unlawfully
• I have a legal obligation to erase your data
Please be aware that I am unlikely to delete financial transactional data.
If you would like to exercise your above right, please contact me directly via email on firstname.lastname@example.org.
Disclosure of personal information
In many circumstances I will not disclose personal data without consent, but there are circumstances where I am compelled to do so. The list below provides some scenarios in which I may personal data has to be disclosed; please note that this is not an exhaustive list:
• When I investigate a complaint, I will need to share personal information with the individual or organisations involved.
• During the introduction and contracting process, or any assessments we undertake, I collect personal data about you. If I am concerned about unsafe behavioural practices, I may share that data externally with my Supervisor so appropriate action can be taken.
• I will share personal data with external legal professionals if a court requests me to do so.
• I may share personal data with law enforcement agencies or government departments where appropriate or where I am subpoenaed to do so.
I will only share information that I consider to be necessary and balanced and will inform you when I am doing so, in order to remain transparent. Where it involves court proceedings then I will require your approval of the content before my submission.
I recognise that the information you provide to me may be sensitive and I will respect your privacy. I keep information about you confidential. This means I store it securely and controlled so that it is purely myself that has access to it.
I am committed to holding all personal data on a secure system. I keep any paper-based personal data in a locked cabinet to which only I have access. I am working to reduce the amount of paper-based information I hold as it is easier to secure data if it is only held electronically. The majority of personal data is held electronically on my system that is hosted by Microsoft and is protected by anti-virus and privacy software.