DATA PROTECTION & DATA PRIVACY POLICY
Counsellors and psychotherapists are required to comply with the directives as set out by UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). In my job as a counsellor and psychotherapist I will collect, store and process personal information (‘personal data’) about you, with your consent and in accordance with GDPR guidelines, so that I am able to work with you and so that I am able to run my counselling and psychotherapy practice.
I am registered as a Data Controller with the Information Commissioner’s Office (ICO) and my registration number is ZA636569. Any personal data I process will be processed lawfully and fairly and in a transparent and proportionate manner.
Your privacy is important to me and I can assure you that your personal data will be kept safe and secure and will only be used for the purpose for which it was given to me. I follow guidance from my professional governing body - the British Association for Counselling and Psychotherapy (BACP) - on how to collect, store and process your personal data ethically and sensitively and I adhere to current data protection legislation under UK GDPR and the DPA 2018, as relevant to all workforce sectors who hold sensitive information about their clients. For more information please visit: www.gov.uk/data-protection
This Data Privacy Policy explains what I will do with your personal information from the point of initial contact through to after your therapy has ended.
Lawful basis for holding and using your personal data
The GDPR states that I must have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which I am processing your data:
Processing personal data is lawful where it is done with the subject’s consent. In addition:
If you are currently having therapy with me, or are in contact with me to consider therapy, I will process your personal data where it is necessary for the performance of the therapy contract between us.
If you have had therapy with me and it has now ended I will rely on ‘legitimate interests’ as the lawful basis for continuing to process your personal data.
The GDPR requires that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category data’ which can include information about a person’s health, including any medical condition and race, ethnicity, faith and sexual orientation. The additional lawful basis for me processing any special category of personal information that you may disclose is that it is for the provision of health treatment (in this case counselling or psychotherapy) and necessary for a contract with a health professional (in this case, a contract between me and you) and that you have given me your explicit consent.
Personal Data – Collection and Use
Initial contact:
When you contact me with an enquiry about my counselling and psychotherapy services I will collect information about you to help me deal with your enquiry. This will include your name, location, email address and phone number and also some brief details about why you have decided to contact me. The collection of this information will take place during any initial email or telephone communication ahead of an appointment being arranged.
If you decide not to proceed, and an appointment is not arranged, I will ensure all your personal data is deleted within four weeks. If you would like me to delete this information sooner please let me know.
While you are attending counselling or psychotherapy appointments:
I will collect and keep a record of your personal data for the purposes of offering a counselling or psychotherapy service. This data may include (in addition to your name, location, email and phone number collected at ‘initial contact’) your home address, date of birth, ‘emergency’ contact details, GP details and information about any medication you are taking. You will also share personal details about your life. This information will be collected from you with your explicit consent.
I will keep secure all personal data you share with me by storing it either in locked paper files or electronically in password and firewall protected systems. Any personal data I hold on paper is stored in a locked filing cabinet to which only I have access. Any additional notes I may take after each session, to help me carry out my role as a counsellor and psychotherapist, will be entirely anonymised and stored securely and separately from any identifiable information.
After your counselling or psychotherapy has ended:
Once your counselling or psychotherapy has ended, your records, including personal data, will be kept for seven years from the end of our contact with each other, after which it will be securely destroyed and/or deleted.
Sharing your information with third parties:
Clinical supervision: In compliance with my professional body (the BACP) I engage in regular clinical supervision with a supervisor (who is also a psychotherapist). All registered members must agree to engage in supervision appropriate to their practice. Supervision offers a reflective space to look at individual clients to develop practice and so benefit client safety. When I share information about my clients in supervision this is done confidentially and sensitively, in order to protect your identity.
In case of an emergency or where required by law: Confidentiality is the basis of trust in our work together and disclosing information to a third party is unlikely. However, there may be a situation where it becomes necessary to break that confidentiality should I believe that either you or another person are under ‘serious risk’ of harm. Serious risk might include: where a child’s welfare, your welfare or the welfare of another adult are at risk or where you are at serious risk of harming yourself or someone else. Or if necessary for reasons of public interest in the area of public health.
Where I consider that others may be at serious risk I may have to contact a third person or body such as the emergency services. If this becomes necessary, where reasonably possible I will attempt to discuss with you beforehand. I may also be required to break confidentiality if I am required by a court order or summons to give evidence for court proceedings, or where I am otherwise legally obliged to disclose information.
Clinical Executor: In case of something happening to me rendering me unable to continue our work together (such as serious accident, illness or death) I have appointed a professional clinical executor – also a registered psychotherapist – who will be responsible for contacting my clients and considering their welfare.
Bank Statements: If you pay for your counselling or psychotherapy session via BACS, your name may appear on my bank statement when accessed electronically. I am not in receipt of printed bank statements. These statements would only ever be disclosed if I were audited for tax purposes.
Post: To further protect your personal data you are advised not to send any post to the location(s) at which you attend your counselling or psychotherapy sessions, unless this has been agreed in advance with Hayley Smith.
Visitors to my website: My website may collect information about the type of device you use to access the website, the Internet Protocol (IP) address used to connect your device to the internet, and the date and time you accessed the website. This information is collected to monitor performance of the website. No user-specific data is collected by me. By accessing my website, you consent to this processing of data about you in this manner and for the purposes as set out
Your Rights:
You have the right to ask me to delete your personal information, to limit how I use your personal information, or to stop processing your personal information. You also have a right to ask for a copy of any information that I hold about you and to object to the use of your personal data in some circumstances. You can read more about your rights at www.ico.org.uk/your-data-matters.
Access to your personal data: You have the right to request access to a copy of the personal information I hold about you, along with information on what personal information I use, why I use it, who I share it with and how long I keep it for.
Right of rectification: You have the right to ask me to correct personal data if it is inaccurate or incomplete in accordance with GDPR. If I have disclosed, with your consent, inaccurate or incomplete data to third parties, I will tell them of the correction where possible.
Right of erasure: In accordance with GDPR, you can ask me to delete your personal information where it is no longer necessary for me to use it, you have withdrawn consent or where I have no lawful basis for keeping it. The exception would be in exceptional circumstances such as where somebody may be at risk of harm, or where a court has made a legal order or a signed release has been obtained specifying with whom the information is to be released.
Right to restrict processing: You can ask me to restrict the personal information I use about you where you have asked for it to be erased or where you have objected to my use of it.
Right to object: Within GDPR you have the right to object to my processing of your personal information where I am relying on a legitimate interest or those of a third party and there is something about your particular situation which makes you want to object to processing on this ground.
YOUR CONSENT: Under GDPR regulations, I am required to ask your consent to use your personal data as stated above. By engaging with my counselling and psychotherapy services you are providing your consent. You may withdraw your consent at any time without detriment.
Any updates to this Data Privacy Policy will be published here.
Third party platforms and locations:
We may have a therapy session via a third platform such as online via Zoom, or in-person in a location managed by a third party. While I will select any third-party platform or location used for your therapy sessions with the privacy of my clients in mind, I am not responsible for ensuring that any third-party platform or location is complying with its obligations under GDPR UK and DPA 2018.
Remote sessions taking place via Zoom:
Here is a link to Zoom’s privacy policy: https://zoom.us/privacy
In-person sessions held at 39A Regent Street, Leamington Spa, CV32 5EE:
39A has informed me that it does not collect the personal data of visitors to its site, other than the collection of images by use of a CCTV system for security purposes in communal areas. These operate on a 24-hour live stream and record up to 30 days of data. Video recordings are held with Positive Mind Space Limited. www.39a.org.uk
Last updated July 2021