The purpose of this document is to demonstrate:
- My understanding of data protection (the collection, use and storage of personal information)
- My compliance with relevant legal frameworks (DPA in the UK, GDPR in the EU – see below)
- Muneeza Khimji (the data controller) complies with her obligations under the General Data Protection Regulation (GDPR) by keeping personal data up to date; by storing (and destroying) it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data. This is a ‘live’ document and may change from time to time to reflect changes in legislation, or the needs of my business (for example).
- As a professional counsellor, I place an emphasis on my clients’ confidentiality
- I am committed to complying with the letter and the spirit of the law (e.g. DPA, GDPR)
- I respect that individuals have a set of moral and legal rights relating to how their personal data is processed
- I am registered with the ICO and comply with their requirements.
The DPA (Data Protection Act) 1998 has been supplemented by the GDPR (General Data Protection Regulation) 2016 (enforced from 25 May 2018). These regulations cover the processing (collection, use and storage) of personal data.
The GDPR refers to ‘controllers’ and ‘processors’. For the purposes of my business (Counselling Intentions) I will hold the roles of both data controller and data processor. I may also use third party intermediaries as data processors – including (but not limited to): my webhost and email providers; my webform providers; my phone company; my business bank.
How I’m collecting, using and storing data:
Third parties may send information to me using webforms. This information may be processed and held by intermediary services (e.g. Google) as well as being sent to my own business email accounts. This is consistent with the Lawful Basis of ‘Legitimate Interest’ in that a third party using a webform to contact me knows that the information will be transmitted and stored electronically, and expects that I will respond to, or otherwise action, their communication.
Accounts will be securely password-protected. Collecting and storing client notes in this way is consistent with the Lawful Basis of ‘Legitimate Interest’ – as a Counsellor I am ethically bound to keep accurate notes of my sessions. I have considered whether it is desirable to keep electronic notes (versus paper notes). I have concluded that electronic notes are at least as secure, and at least as durable, as paper notes. This is consistent with advice from the ICO.
Nevertheless I may still keep paperwork relating to my business – for example, signed copies of contracts. This is consistent with the Lawful Basis of ‘Legitimate Interest’ – I may need to provide copies of physical paperwork for example in order to support a client’s claim for insurance expenses, or, in relation to legal proceedings. As a counsellor, I am ethically bound to keep such records.
I will also process personal data relating to the Assessment of prospective clients. This includes (for example) family and medical histories, and emergency contacts/next-of-kin. This has a Lawful Basis of ‘Legitimate Interest’ in that processing of assessment data helps ensure safe, ethical and appropriate therapy. It is a professional requirement that I process such data, and I may need to refer to it at any time during or after therapy (for instance, in relation to legal proceedings). I will store such data securely, whether in electronic or paper format (or both).
I will be particularly mindful of the rights and interests of third parties such as family members and significant others, regarding whom my clients may provide personal data (such as medical history; criminality) without the knowledge or permission of those third parties. I will undertake to process (collect, use and store) only a viable minimum of such information, consistent with me discharging the Legitimate Interests detailed in this document – for example, the collecting of family members’ mental health history at the point of client Assessment, which is required in order to provide a safe, ethical and appropriate service to the client.
I may use online communication platforms provided by third parties (e.g. Skype) in order to deliver Online Counselling sessions. This will be by agreement with my client(s). Such use is consistent with the Lawful Basis of ‘Legitimate Interest’ in that the provision of Online Counselling requires the collection, use and storage of personal data – e.g. the client’s username, and IP address.
Likewise, I may use business and personal phone services to deliver Telephone Counselling, and in any case to collect, use and store personal information (e.g. client names or codes, phone numbers, text messages). I will password-protect or otherwise secure any personally identifiable information. Clients and other enquirers should know and accept that by sharing telephone contact information with me, and by using telephones to contact me (including by text message), their personal data will be collected, used and stored. This is consistent with the Lawful Basis of ‘Legitimate Interest’ in that, as a counsellor I will need to contact clients at short notice (such as to arrange sessions, handle cancellations etc.) and, that I also make a valid commercial decision to offer a Telephone counselling service to those clients who wish to use it.
Where a client wishes to use electronic or online payments, or pay by cheque, my bank (and any third party intermediary) will collect, use and store personal data – e.g. the client’s name and account number. This is consistent with the Lawful Basis of ‘Legitimate Interest’ in that I make a valid commercial decision to offer electronic or online payments, or payment by cheque. Clients paying by these means should know and accept that such payments require personal information to be collected, used and stored.
I am professionally bound to share relevant information about my counselling clients, with other counselling professionals (my clinical supervisor(s) and other trusted colleagues). Usually this information will be anonymized and only a minimum of personally identifiable data will be shared, in order to protect the confidentiality of my clients and any third parties. Counsellors share information in this way in order to promote safe, effective, ethical therapy.
Under exceptional circumstances, personal data may also be shared under the terms of a ‘professional will’ whereby I will pre-authorise certain trusted colleagues to act on my behalf, to ensure ethical and appropriate care of my clients, in cases where I am unable to exercise my own duties directly (for example death, illness or injury). This is consistent with the Lawful Basis of ‘Legitimate Interest’ in that such arrangements are considered best practice amongst counselling professionals. My contractual terms will make this arrangement clear to clients.
Sensitive personal data
Under the GDPR, sensitive personal data includes data about:
- Racial or ethnic origin
- Political opinion
- Religious belief or belief of a similar nature
- Trade union membership
- Physical or mental health condition
- Sex life
- Criminality, alleged or proven
- Criminal proceedings, their disposal and sentencing
It is in the nature of counselling that clients will reveal, and counsellors will process, such sensitive data. Usually this data concerns the client themselves, but it may also concern a third party such as a family member. I shall process sensitive data under a Lawful Basis of ‘Legitimate Interest’ in that the commercial and therapeutic services I provide would not be viable without collecting, using and storing such sensitive data. For instance, I am ethically bound to conduct appropriate client Assessments, which consider clients’ physical or mental health with a view to the safety and appropriateness of any service I may offer. I am also ethically and professionally bound to keep appropriate client notes, which may include details of sensitive data. I will only process a viable minimum of such data.
Whilst holding a Lawful Basis of ‘Legitimate Interest’ for processing sensitive data, I will also seek clients’ explicit and informed permission (the Lawful Basis of ‘Consent’) within my Assessment and Contract documents.
Third parties about whom I hold personal data have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Third parties should consult the relevant legislation for a full understanding of their rights.
My understanding is that these rights are not absolute. For example: I may refuse a request to access data, on the basis that the request is unfounded or excessive – and/or I may charge a reasonable administration fee. Where a client requests data concerning a further third party, I may refuse the request in order to protect the rights and interests of that third party (for example, where a client seeks session notes which refer to a third party they had discussed with me in session).
That said, I aim to comply with the spirit of the legislation and I will seek to fulfil any reasonable request to the best of my abilities.
Erasure, Retention and Disposal
Third parties have an in-principle right for their data to be erased upon request, and to be held no longer than is necessary.
Where this concerns clients of Counselling Intentions, I reserve the right to preserve data securely in order to exercise or defend legal claims, and to comply with professional counselling standards (the principle that counsellors will keep accurate client notes, and retain these for a minimum of six years in order to facilitate professional conduct enquiries, legal proceedings etc.).
Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
I undertake to record any data breaches I am aware of, and to promptly inform the subject of the data, the ICO and other relevant authorities where appropriate.