General Data Protection Regulation
GDPR Privacy Notice
On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect, replacing the existing Data Protection Act, and ensuring that the people who handle personal data have a greater accountability. Ongoing Support have always taken data protection seriously, however we now have a greater transparency around what we do with client information, how it is stored and for how long, and what client’s rights are with any notes and information that we hold.
What is GDPR?
GDPR is a new data protection law which came into full effect on 25th May 2018. It sets out the main principles of data protection and the responsibilities organisations have when handling personal data. It protects individuals’ personal information and improves their control over how it is collected, stored, shared and used (BACP, 2018)
Who collects the data?
The Data Controllers are currently listed as Ongoing Support.
What information do we collect
On initial consultation bookings ‘personal data’ such as your name, address, contact number, and email address will be collected. Notes during or shortly following each appointment may be made and held by Ongoing Support, this may contain further ‘personal data’ such as age, gender, occupation, marital status, children, and date of birth, and ‘special category data’ such as your race, ethnic origin, religion, politics, health, sex life, and sexual orientation. Other information such as physical, psychological, or emotional presentation may also be recorded.
Why we collect personal data
We may need to contact client’s between appointments, or send information via email or post. We may need to send an invoice for services used. We may need to contact your GP in an emergency. We need to comply with recommendations made by BACP and other professional bodies such as our insurance company. We may use your ‘personal data’ and ‘special category data’ to form ongoing therapeutic assessments, diagnosis, and treatment plans.
The lawful basis on which we use this information
To collect and use any data shared with us, we must show the ICO that we have a lawful basis to do this, and also tell each client what this lawful basis is.
Ongoing Support’s primary lawful basis most appropriate for the collection of both ‘personal data’ and ‘special category data’ is ‘legitimate interests’, however, other lawful basis categories may be appropriate in certain circumstances.
Ongoing Support’s collection and processing of any ‘personal data’ and ‘special category data’ is primarily in the interest of the client. Both work in the therapeutic alliance towards an agreed outcome that is primarily for the health benefit of the client, the details of each session, along with short, medium, and long term outcomes may be held by Ongoing Support, along with assessments, clinical diagnosis, and treatment plans usually completed outside of the clinical sessions. Ongoing Support also recognise the wider implications of counselling and psychotherapy that may extend to the interest of others, especially children.
Special Category Data
Data collected and processed may include diagnostic and treatment planning elements for the purpose of treatment or management of mental health conditions (category ‘h’) which may or not be part of a contract with an external health professional.
We may ask for client’s consent to receive emails and updates about our services, workshops, and events.
We may need to disclose ‘personal data’ and ‘special category data’ held by us, if we are ordered by a court or the police to do so, or if required by law, such as in Child Protection disclosures, drug trafficking etc.
We may need to disclose ‘personal data’ in the event of protecting another person from harm, especially children, or risk of death to self or other.
How we will store collected and processed data
All collected and processed data will be held in a lockable cabinet, or held on a password protected server (based at ongoing Support), or on a mobile phone/ipad with touch ID enabled.
How long we will keep collected and processed data
All data (‘personal data’, ‘special category data’, sessional notes, diagnostic and treatment plans) will be kept for the duration of our work together. Sessional notes, diagnostic and treatment plans will be held for up to 7 years. Deleted data will be disposed of securely.
How data may be shared
We may use the data we hold for professional clinical supervision, or peer supervision, using first names only, or using fictitious names. Otherwise there are only certain circumstances where data may be shared with a third party, in all cases we will ensure we only share the data that is necessary, in line with ethical considerations and legal obligations.
- By Court Order for the release of client notes
- Following a request to share known information regarding a road traffic accident
- Through a well founded belief or disclosure that you may seriously harm or kill yourself, or another person
- Through a well founded belief or disclosure that you have, or intend to commit a crime such as terrorism, drug trafficking, or money laundering
- Through a well founded belief or disclosure that you have, or intend to harm a child
Clients have the right to:
- Be informed about what data we hold, the reasons we hold personal data, and how long we intend to hold the data for. Each client will be invited to read this privacy notice and will be asked to sign a statement that forms a working contract between us.
- Request access to their data held by us. This can be made at any time, verbally or in writing, and we will provide access within one month of the request.
- Request that their data held by us, be transferred to another psychotherapist or counsellor.
- Request that amendments be made to incorrect data held about them, verbally or in writing, at any time.
- Request that the data held about them be deleted. This may be declined in certain circumstances, and we will cite the lawful basis for this decision.
- Request that we do not process, or restrict certain processing of their data. This may be declined in certain circumstances, and we will cite the lawful basis for this decision.
We aim to maintain complete transparency with how we collect, process, and hold your personal information. If you have any concerns or questions about how we have used your information you can email us, and/or contact the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate). Website: www.ico.org.uk. Email Form: www.ico.org.uk/global/contact-us/email
BACP. (2018). GDPR. [ONLINE] Available at: https://www.bacp.co.uk/about-us/contact-us/gdpr/. [Accessed 24 May 2018].
ICO. (2018). ICO: Information Commissioner’s Office. [ONLINE] Available at: https://ico.org.uk/. [Accessed 24 May 2018].