GDPR Policy for counselling sessions
I am registered with the Information Commissioners Office (ICO) (security number CSN5986266) and adhere to the GDPR guidelines. As I am self-employed, I operate as the data controller for Nine Keys.
Personal information that I collect
When you contact me, and as part of our initial assessment, I will ask you for the following information:
- Name, telephone number, email address, address
- Gender, date of birth
- Key relationships, occupation
- GP name and address, plus any medical conditions relevant to counselling or that may present in the counselling room, including any prescribed medication
- Counselling history and current reasons for seeking counselling
How I will store your information
- Mobile phone
I will store your contact information (name, mobile number, email address and address – item 1 above) on a mobile phone that is reserved for counselling purposes. This allows me to contact you when necessary, but does not allow the information to be shared elsewhere. Your contact information will be stored along with a client code.
All other information collected during the assessment session (items 2-5 above) will be stored in a paper notebook that will be kept in a locked filing cabinet in my home or office. Apart from your client code and first name, there will be no contact details on this document, such that the information is anonymous.
I usually make brief notes after each session and sometimes during supervision (see section on supervision below). I will store your anonymised session and supervision notes in a file (identified only by your client code), along with the paper documents outlined above.
- Email/text messaging/WhatsApp
Any emails you send me will be stored in my email account until they are deleted. Any text messages or WhatsApp messages will be stored in my phone until they are deleted. Electronic correspondence will also be held by whatever method you use to contact me (e.g. by WhatsApp, by your email provider or on your phone).
- Virtual counselling
Should we use any virtual or distance methods of counselling, such as telephone or video conferencing, there will be a record of when the calls were made, but no information about what is discussed will be recorded or saved by me.
If we carry out any sessions via email, the content of the session(s) will be stored within my email account until deleted. I use a password-protected account on my computer for my counselling work, separate to my personal account. My email is dedicated to counselling work and only available via this password-protected account on my computer. This ensures no overlap between personal and professional use of my electronic devices.
None of your personal information is stored on my website.
How I may share your personal information
All counsellors and therapists are required to attend monthly supervision with another therapist who is qualified in supervision (a supervisor), and who adheres to the same ethics and confidentiality requirements as all counsellors.
The supervision process is to ensure the highest standards in my practice. It is about how I work with you. In order to protect your privacy, my supervisor will not know you personally or professionally. I will refer to you only by your first name, and I may refer to your information verbally when it’s helpful to my professional practice and to how I can best support you. None of the content of these conversations are recorded, though I may make paper notes for my own use.
- Therapeutic Will
Your name and contact details will be shared with my Therapeutic Executor. This is so that should I die unexpectedly while you are still in therapy with me, you will be contacted and offered alternative support.
With your consent wherever possible, if you or your health are at risk, I may share your contact information with an emergency healthcare service (e.g. Mental Health Crisis Team).
If you share with me your intention to cause harm to another person or organisation (e.g. terrorism), I may be legally required to inform an authority without seeking your permission. In such a situation, I may also be required to share your personal information without your knowledge.
How long do I hold your information?
When we have finished working together, I will delete electronic copies of your information and correspondence within one month. I will hold onto your written information for up to seven years past the end of our working together. This is so that I have a reference of our work in situations such as you returning to counselling in the future. After this time has passed, I will shred the written information.
You have the following rights:
- To know what information I hold about you (outlined on this page).
- To see the information I hold about you (free of charge for the initial request).
- To amend any inaccurate or incomplete personal information I hold about you.
- To withdraw consent to me using your personal information.
- To request that I delete any personal information I hold about you (though I can decline if the information is needed for me to practice lawfully and competently).
You can complain to the ICO if you are unhappy with how I have used your data. Please see below for contact information.
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF // 0303 123 1113
A copy of this statement will be emailed to you before we first meet for counselling, along with a counselling contract. I would be very happy at this point to explain anything that is not clear. If we agree to work together, I will ask you to confirm via email, before our first session, that you agree to the terms of this GDPR statement and to the terms of the contract.
This document outlines what I have done to ensure the confidentiality of your data and personal information, according to legal requirements. However, it is important to be aware that I do not have control over external software, apps or service providers, including those that you use. As such, it is important that you are happy with the services you use at your end. In addition, there are sometimes rare and unforeseen data breaches over which I have no control, such as hacking incidents.