Data Protection & Data Security
Statement and purpose of policy
A. Donna Webb (here after will be referred to as I) trading as Dee Estuary Counselling & Support ( the Therapist) is committed to ensuring that all personal data handled by myself will be processed according to legally compliant standards of data protection and data security.
B. I confirm for the purposes of the data protection laws, that I the Therapist am the data controller of the personal data in connection with Client/Therapist contract. This means that I determine the purposes for which, and the way, your personal data is processed.
C. The purpose of this policy is to help me achieve my data protection and data security aims by:
1. notifying you the client of the types of personal information that I may hold about you, and what I do with that information.
2. setting out the rules on data protection and the legal conditions that must be satisfied when I collect, receive, handle, process, transfer, and store personal data and ensuring clients understand these rules and the legal standards; and
3. clarifying the responsibilities and duties of clients in respect of data protection and data security.
D. This is a statement of policy only and does not form part of our contract of therapy. I may amend this policy at any time, at my absolute discretion.
E. For the purposes of this policy:
1. Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the General Data Protection Regulation (Regulation (EU) 2016/679).
2. Data subject means the individual to whom the personal data relates.
3. Personal data means any information that relates to an individual who can be identified from that information.
4. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
Data protection principles
1. I, the Therapist whose work involves using personal data relating to clients must comply with this policy and with the following data protection principles which require that personal information be:
a. processed lawfully, fairly and in a transparent manner. I must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (the Therapist), the purpose(s) for which I am processing the information and to whom it may be disclosed.
b. collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If I want to change the way I use personal data, I must first tell the data subject.
c. processed only where it is adequate, relevant, and limited to what is necessary for the purposes of processing. I will only collect personal data to the extent required for the specific purpose notified to the data subject.
d. The Therapist takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. I will make reasonable efforts to rectify or erase inaccurate information.
e. kept only for the period necessary for processing. Information will not be kept longer than it is needed, and I will take all reasonable steps to destroy information safely and securely when I no longer need it.
f. secure, and appropriate measures are adopted by me the Therapist to ensure as such.
Who is responsible for data protection and data security?
2. I the Therapist.
What personal data and activities are covered by this policy?
3. This policy covers personal data:
a. which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information I possess.
b. is stored electronically or on paper in a filing system.
c. in the form of statements of opinion as well as facts.
d. which relates to Clients (present, past, or future)
e. which I obtain, is provided to me, which I hold or store, organize, disclose, or transfer, amend, retrieve, use, handle, process, transport or destroy.
4. This personal data is subject to the legal safeguards set out in the data protection laws.
What personal data do I process about Clients?
5. I collect personal data about you which:
a. you provide.
b. is provided by third parties, such as referrals from other Therapists or information from EAPs (Employment Assisted Programs)
6. The types of personal data that I may collect, store, and use about you include records relating to your:
a. home address contact details and contact details for your elected emergency contact.
b. telephone, email, internet, fax, or instant messenger use.
How I use your personal data
7. In general, I will use information to carry out the client/therapist contract, to administer your therapy and to deal with any emergencies that may occur during a therapy session. I will also use information if I feel the need to break confidentiality. Confidentiality is further explained in the Client/Therapist contract.
Accuracy and relevance
8. I will:
a. ensure that any personal data processed is up to date, accurate, adequate, relevant, and not excessive, given the purpose for which it was collected.
b. not process personal data obtained for one purpose for any other purpose unless you agree to this or reasonably expect this.
9. If you consider that any information held about you is inaccurate or out of date, then you should tell me, the Therapist. If I agree that the information is inaccurate or out of date, then I will correct it promptly. If I do not agree with the correction, then I will note your comments.
Storage and retention
10. Personal data (and sensitive personal information) will be kept securely for 5 years and there after destroyed safely and securely.
11. You have the following rights in relation to your personal data.
12. Subject access requests:
a. You have the right to make a subject access request. If you make a subject access request, I will tell you:
i. whether or not your personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you.
ii. to whom your personal data is or may be disclosed.
iii. for how long your personal data is stored (or how that period is decided).
iv. your rights of rectification or erasure of data, or to restrict or object to processing.
v. your right to complain to the Information Commissioner if you think I have failed to comply with your data protection rights.
b. I will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically unless you agree otherwise.
c. To make a subject access request, contact me at deeestuaryCS@gmail.com.
d. I will normally respond to your request within 28 days from the date your request is received.
e. If your request is manifestly unfounded or excessive, I am not obliged to comply with it.
13. Other rights:
a. You have several other rights in relation to your personal data. You can require me to:
i. rectify inaccurate data.
ii. stop processing or erase data that is no longer necessary for the purposes of processing.
iii. stop processing or erase data if your interests override my legitimate grounds for processing the data (where I rely on legitimate interests as a reason for processing data).
iv. stop processing data for a period if data is inaccurate or if there is a dispute about whether your interests override the Therapist's legitimate grounds for processing the data.
b. To request that I take any of these steps, please send the request to deeestuaryCS@gmail.com.
14. I will use appropriate technical and organizational measures to keep personal data secure, and in particular to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
15. Maintaining data security means making sure that:
a. only people who are authorized to use the information can access it.
b. where possible, personal data is pseudonymized or encrypted.
c. information is accurate and suitable for the purpose for which it is processed; and
d. authorized persons can access information if they need it for authorized purposes.
16. By law, I must use procedures and technology to secure personal information throughout the period that I hold or control it, from obtaining to destroying the information.
17. Personal information must not be transferred to any person to process (e.g. while performing services for me on or my behalf, for example acting out my Clinical Will), unless that person has either agreed to comply with my data security procedures or I am satisfied that other adequate measures exist.
18. Security procedures include:
a. Any desk or cupboard containing confidential information must be kept locked.
b. Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
c. Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
d. I must approve of any cloud used to store data.
e. Data should never be saved directly to mobile devices such as laptops, tablets, or smartphones.
19. Telephone Precautions. Particular care will be taken by myself, the Therapist when dealing with telephone enquiries to avoid inappropriate disclosures.
20. Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
Data impact assessments
21. Some of the processing that I the Therapist carry out may result in risks to privacy.
22. Where processing would result in a high risk to Clients rights and freedoms, I the Therapist will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
23. If I discover that there has been a breach of Client personal data that poses a risk to the rights and freedoms of individuals, I will tell the affected individual within 72 hours of discovery that there has been a breach and provide them with more information about its likely consequences and the mitigation measures they can take.
24. I will record all data breaches regardless of their effect.
25. Clients are responsible for helping me the Therapist keep their personal data up to date.
26. Clients should let me the Therapist know if personal data provided to me the Therapist changes, e.g. if you move to a new house or change your telephone number.
— Donna Webb, trading as Dee Estuary Counselling & Support