What are the General Data Protection Regulations, 2018 (GDPR) and how do they affect me?
- GDPR stands for General Data Protection Legislation, which came into effect on 25th May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). It is therefore essential for businesses and organisations to understand explicitly what GDPR means. It is the legislative force established to protect the fundamental rights of data subjects whose personal information and sensitive data are stored in organisations. Data subjects will now have the right to demand subject access to their personal information, and the right to demand that an organisation destroys their personal information. These regulations will affect most sectors within business, from marketing to health services.
How long will you hold my information for?
- If you are an adult your data is kept for 7 years after your counselling, psychotherapy and/or supervision sessions have finished for insurance purposes. After 7 years your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine owned by Paul West Counselling and Therapy.
What rights do I have over my data?
- You can ask for any information you think a public authority may hold. The right only covers recorded information which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.
- If you wish to see a copy of your data then you need to request this clearly in writing. The data controller will check whether there is specific data that you wish to see or whether you wish to see all your data. A copy of your data will be provided within one calendar month. There is no monetary charge for this. If you wish to make a correction to any of the data you believe to be inaccurate, you can do so by informing the data controller. If you do not want your data to be collected in the manner described in this document you can discuss this with your counsellor.
- You can ask for all your data to be deleted if you don’t want it to be stored for 7 years. Again, you need to make this request in writing to Paul West Counselling and Therapy. Once your identity has been confirmed, all your paper records will be shredded with a cross-cut shredding machine and any electronic data such as emails or text messages will be permanently deleted from the devices they are stored on. I will have to save the request for deletion you made but will not save any other data. Please note that in some circumstances my insurance company’s legal team may want to verify the information I process, and I may by law be unable to delete data if it is subject to a police or legal investigation.
Why do you need to record information about me?
- I collect information about why you are using the service, a small amount of medical information and a small amount of information about your significant others, alongside brief sessional notes. This information enables me to provide a high-quality service to you, ensuring Paul West is equipped with the knowledge of our previous discussions prior to each session. Your contact details will only be used for purposes other than scheduling sessions with your explicit signed consent.
- Vistaprint is a third-party service that hosts Paul West Counselling and Therapy’s website. Vistaprint uses anonymised data to collect visitor information such as how long an individual remains on a page of a website. Vistaprint also hosts the Contact Us form on Paul West Counselling and Therapy’s website and a copy of any data sent via this form is stored by Vistaprint. Vistaprint hosts the online session booking function on Paul West Counselling and Therapy’s website and a copy of any data given when booking a session online will be stored by Vistaprint. Vistaprint’s privacy notice can be found here for further information: https://www.vistaprint.com/about/privacy
What do you do to ensure my information is held securely?
- Hardcopy documents – These are all stored in a locked filing cabinet behind a locked door. They are stamped as “Private and Confidential”.
- Text messages and Telephone Calls – Paul West Counselling and Therapy uses a dedicated mobile phone which is secured with a pin code.
- Emails – Paul West’s email account requires a username and password, and two-step authentication is enabled. The account is only logged on to from devices which are the sole property of Paul West. All emails sent are encrypted in transit. I use SignRequest software to encrypt emails which contain sensitive personal information. This software includes the option for you to reply by encrypted email without having to install or register for software yourself.
- Online Agreement documents – Online contracting documents are sent to you via SignRequest to sign electronically. This software offers full encryption and a verified electronic trail confirming the identity, date and time of the signature.
- Electronic documents – Electronic documents are stored on a password protected and encrypted external hard drive which is stored in a locked filing cabinet behind a locked door when not in use. A back-up of all electronic documents is made regularly and is stored in a separate password protected and encrypted external hard drive which is stored in a separate locked filing cabinet behind a separate locked door when not in use. The computers used to access this data are password protected and are the sole property of Paul West Counselling and Therapy or Paul West.
- Everything you talk about during your sessions is strictly confidential between you and Paul West. In accordance with the BACP Ethical Framework, all counsellors consult a supervisor on a regular basis to ensure their practice is ethical and that they are working in the best interests of their clients. Your counsellor’s supervisor is verbally told broad overarching themes of your counselling sessions. The supervisor is not told your name nor contact details and does not have direct access to written records of your electronic or hard-copy data. The supervisor also adheres to the GDPR.
What if I see you outside of the session?
- If you see Paul West outside of a session (e.g. you shop at the same location) he may smile but will not engage in any further conversation to ensure your confidentiality, unless you approach him. You are welcome to talk to other people about the therapy you are receiving, but Paul is obligated by GDPR law to ensure your confidentiality is protected. He requests that, in order to ensure the success of your therapy, you refrain from discussing your therapy with him outside of your sessions. This extends to the online world where Paul is obliged by ethics to protect your confidentiality. Therefore, he is unable to respond directly to any client interaction via social media, blogpost or other public internet forum.
What about other Health and Social Care Professionals?
- As Paul adheres to the GDPR, any contact relating to you with other health care professionals would only be made with your signed consent. For example, if he were to write to your GP to notify them of your treatment with him, and then notify them of the treatment ending, he would only do this if you were to sign the specific consent for this at the end of treatment.
- In order to safeguard you and the people around you, if you were to disclose that you were going to carry out significant harm to yourself or somebody else, then Paul is obligated by law to inform the relevant authorities. If this happens your counsellor will make every effort to discuss the situation with you first before sharing information in order to agree what information to share and to whom.
- Paul may contact relevant authorities if he believes children or vulnerable adults are at risk of significant harm in order to safeguard their development and wellbeing. If this happens, he will make every effort to discuss the situation with you first to agree what information to share and to whom, unless to do so would be to endanger the children or vulnerable adults concerned.
- Your data must be shared with another professional or organisation if it is legally necessary to do so. This could happen if Paul becomes aware that you are planning, or have participated in, an act of terrorism or serious crime (e.g. money laundering). Likewise, if Paul is subpoenaed to give evidence in court then he is legally required to do so and to discuss your data if necessary.
- In the event that Paul becomes incapacitated due to an unforeseen emergency then contact details of current clients will be passed to Paul’s supervisor. If you were seeing Paul for therapeutic sessions at that time, this person would contact you to explain the situation and discuss alternative support. They will archive any client files (both current and past) in accordance with General Data Protection Regulations.
My Information Governance Policy and Procedure gives further details of all aspects of compliance with GDPR.