Christian Counselling & Consultancy
Personal data is any information that reveals exactly who a living person is. Information about you that does not identify you is not personal data. By law I have to tell you when I collect your personal data, what I do with it, and what you can do about it.
I need to process information about you so that I can provide you with services, because the law says I must, or because it there is a legitimate interest to process it.
a) Providing services
I may process information about you to provide you, or an organisation you represent, with psychology services such as confidential psychological assessments, counselling, supervision and consultancy.
The lawful basis for this kind of processing is to fulfil a contract or to provide information before a contract is agreed. There may be an implicit contract between us even when it is not written. I will usually not be able to fulfil a contract unless I process your information.
b) Complying with the law
I may process information about you because the law says I must. Under GDPR, the lawful basis for this kind of processing is legal obligation.
When a child or adult is at risk of harm, the law says I must process that information and share as necessary to keep the person safe. The law says I must also process, and pass on as necessary, concerns that an identifiable person may have harmed others in the past.
The law also says I must use personal data to provide invoices to customers for services, and keep financial records of payments received.
I may also need to process your information to comply with other legal requirements, such as court orders.
c) Legitimate interests
I may process information about you for valid reasons to help us, you, or other people – or what GDPR calls the lawful basis of legitimate interests.
When I provide psychology services such as assessments, reviews, debriefing, and therapy, I may process information about persons who are not receiving those services from me. This is called third party information. I process third party information when it helps with the service I am providing. For example, in therapy you may expect me to remember information you have told me about other people in your family, and so I would record that information to remind me. You can share this privacy notice with other family members if they are concerned. Or if you wanted me to consult with other health professionals about your care, I would need to know their name and contact details. When I receive third party information about someone in confidence, I do not have to tell them, but they do have other rights over their information – see “What rights you have.”
If you contact me about my services or website, I may process your information so I can respond to your query, to make notes about any services I agree to provide for you, or to block you if I suspect you of phishing or spam.
When you email me or visit my website, information is routinely collected to trace which computer you connected from, making it possible to track any faults and maintain security.
I may ask you for feedback and process any feedback I receive so that I can improve my services.
If you are a professional colleague, I may process your personal information as part of my work with you, so that I can keep in contact, meet and communicate to share ideas, and keep and share records of meetings we have, to our mutual benefit.
d) Marketing and automatic decision making
I do not use your information for marketing or automatic decision making such as profiling.
I may collect any information you tell me. I may also collect information from other people about you. This may include:
basic personal information (e.g. name, date of birth, organisation, first language);
contact information (e.g. email addresses, phone numbers, postal addresses, Skype identities or other electronic contacts);
sensitive personal information (usually about your health, and sometimes also other sensitive information if it’s relevant to our work with you);
information about your network (e.g. your family relationships, friends, GP, professional and other contacts);
safeguarding information about any risks affecting you and action taken to protect you;
any other information that may be relevant to our work with you.
Where possible, I separate the personal information that would identify you from sensitive information and other information I process about you by keeping it anonymous. Information that does not identify you is not personal data.
As well as collecting information from you, I may collect information that other people give me about you. These may include:
People in your organisation or family, health professionals, or individuals who give me information about you before I have agreed to provide you a service, or to help me provide a service to you;
People who give me information about you in connection with a service I or they are providing for you or someone else;
Financial providers who display your identity when you make a payment;
Email and webhosting providers who automatically supply your IP address when you email me or visit my website.
I do not receive information about you from marketing companies or data harvesting, and I do not buy your data. I may collect names or contact details which are available publicly (e.g. full GP contact details when a client cannot recall them fully). But I do not otherwise collect information about you that is in the public domain (e.g. google searches or your website, blog or other web presence) unless you ask me to. Please ask me if you would like me to look at such information.
With your express permission, I may share information with your family members, medical and other health professionals.
Where necessary to safeguard a child or adult at risk of harm, I may share information with family members, police, statutory services, other professionals or responsible contacts in their organisation without getting your permission.
I do not share information that would personally identify you with supervisors or colleagues. But I may discuss you anonymously in supervision or in consulting with colleagues to ensure that I am providing you a good service. If I use examples from our work in training, I take special care to change or omit any information which could identify an individual.
I may share information with financial providers where necessary for billing and payment, and email and webhosting providers where that is necessary for email and website security.
I do not sell or pass on information to third parties to use for marketing purposes, data harvesting, or automatic decision making.
I keep information about training event participants for up to three months after the event. This allows me time to make sure there is no need to retain the information.
Where a contract is completed to provide counselling services to an individual, and I do not expect to work with the individual again, I keep information for up to five years after the end of a contract, the normal maximum time the HCPC allows for raising concerns. I also keep supervision notes for five years.
In other circumstances I keep information for longer. Many of the people who I provide health services to return to me many years later, perhaps after another term overseas, after another traumatic event or a new development, or for other reasons. Some have informed me that they find it helpful to come back to someone who already knows their story so that they do not have to spend a long time going over it again, especially when there are traumatic or sensitive details. Therefore, when I work with people who I am likely to see again, I keep information for up to fifteeen years after the last contact.
National and local guidelines say that I must keep information about alleged historical abuse until the natural retirement age of the abuser, or for ten years, whichever is the longer. If allegations are found to be malicious, or all information has been passed on to the police, I destroy our records within three months.
If relevant legal proceedings have begun but not been completed, including legal proceedings against an organisation, I may need to keep information about alleged abuse until the legal process is complete.
I keep financial invoices and receipts for seven years, to ensure I comply with HMRC requirements.
I may keep contact details for professional colleagues, and records of meetings and conversations with colleagues until my retirement, to maintain contact for archival purposes.
I delete spam and phishing emails immediately but may keep contacts indefinitely to maintain blocking arrangements.
You have certain rights in relation to the processing of your information. You have the rights:
To be informed about whether I am processing your personal information, and how I use it (you exercise this right by reading this privacy notice);
To ask for a copy of the information I have about you;
In some circumstances, for a copy of information you gave me to be passed on to another data controller (such as case notes to another therapist);
To ask me to amend information about you if it is incorrect or incomplete;
If particular conditions apply, to ask me to erase information about you or to restrict my processing of it; and
To object to my processing your information for reasons of legitimate interests.
If I make changes to your information, or how I process it, as a result of your request, I also must tell you about anyone else who I passed your information onto, and I must tell them about the changes.
If you want to exercise any of these rights, please contact me and make clear what you are asking for. Usually I have to act on your request within one month, without charging you a fee. I may need to ask you for more information about your request or to prove your identity.
There are exceptions to these rights. For example, if I received third party information about you in confidence, I do not have to tell you, but that does not affect your other rights. Or I may need to withhold personal information from you to protect you or others. In these and various other circumstances I may not have to comply with your request. If a request is unfounded or excessive, I may charge you a reasonable administrative fee to comply. If I refuse a request or charge a fee, I have to tell you why. If you are not happy with my response, you may complain to the ICO.
I may contact you by phone, by postal service, by email, by Skype, by text message, or by other electronic means. Email is not a secure way of communicating. I may use it to arrange appointments but do not use it to send unencryped sensitive personal data.
John Steley is the data controller. I am responsible for processing your information. If you have any questions about privacy, contact me through the contact page at http://johnsteley.co.uk/ .
If you are not satisfied with my response, you can contact the ICO at https://ico.org.uk. The ICO also provides further information on GDPR and other data protection laws that I must comply with, on how you can exercise your rights and how we must respond.
I gratefully acknowledge the help of Dr David Hawker in developing this policy.