Privacy and Data Protection security policy – Therapy
This policy outlines Horizons Counselling’s procedures for collecting, storing and processing personal data in order to comply with the Data Protection Act (‘DPA’) 2018. (‘Personal data’ means data which relates to a living individual who can be identified from the data or from other information from that data.)
This policy covers all the principles under the DPA. These are known as the ‘data protection principles’ and ensure information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is necessary
- kept safe and secure
- not transferred outside the European Economic Area (EEA) without adequate protection
Contact details of the person responsible for taking the lead on compliance:
Horizons Counselling. firstname.lastname@example.org is also responsible for personal data, information on procedures dealing with both internal and external access requests and how the information collected is used.
What is meant by privacy:
Privacy, in its broadest sense, is about the right of an individual to be let alone. It can take two main forms, and these can be subject to different types of intrusion:
- Physical privacy – the ability of a person to maintain their own physical space or solitude. Intrusion can come in the form of unwelcome searches of a person’s home or personal possessions, bodily searches or other interference, acts of surveillance and the taking of biometric information
- Informational privacy – the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others. Intrusion can come in the form of collection of excessive personal information, disclosure of personal information without consent and misuse of such information. It can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online and extends to monitoring the records of senders and recipients as well as the content of messages
Why I need the information I hold about an individual:
- I need to request and store your details in order to administer and deliver the service you have requested, and to comply with any legal or professional body responsibilities that ensue in the delivering of that service.
What I’m going to use it for:
- To make contact with you, to record the relevant personal contact details you give consent for me to hold, to record emergency contact information, where applicable to make clinical assessments and record clinical notes.
Is the information being held securely:
- I record and store clients’ notes showing date, and a brief outline of session content in an electronic file which has an anonymized code system and is stored in a computer file on a removable hard drive with a backup hard drive. All files are encrypted and the removable hard drives are also encrypted. Both of these hard drives are stored in a locked cabinet. Your first name, a client reference number and phone number are stored in my mobile phone’s contact list. I do not store your whole name and my mobile phone is passcode locked. I use a first name and client reference number in my electronic bookings calendar.
- Any email address you contact me with is held in the address book of my password protected computer
- When we have ended our work I delete any email addresses I hold.
- Photos taken in sessions (with your express permission) i.e. to record sand tray work, any art works created and phone or email communications are also stored/noted in the anonymized client notes.
- The anonymized client notes are used for my own clinical supervision (to comply with my professional body and good ethical practice). I share details about the client case, but not the client’s personal details, unless a legal or safeguarding requirement requires me to do so.
- Anonymized client codes are used to identify income source in my accounts for HMRC tax return
About the security of my website:
www.horizonscounselling.co.uk has an SSL certificate.
An SSL certificate shows that the data connection to an Internet page is secured with Secure Sockets Layer (SSL). This ensures that data transferred between your browser and the website cannot be read or modified by third parties. (You can recognize the encrypted connection by the lock icon in the address bar of the browser.)
This also secures the content you send through any contact forms and emails via the web site.
How up to date the information is that I hold about you:
- The personal information stored is as given to me on initial contact, and updated as and when you inform me of any changes.
- Notes will usually be brought up to date on the day, and no later than fourteen days after delivery of the service.
When and how I delete the information I hold about you:
On request, or at seven years after our last contact, I delete the electronic records I hold on you. For clients under the age of eighteen, notes are kept until your 26th birthday or seven years after last contact, whichever is the later.
When I pass on personal information:
I will only share personal information as follows:
- If, during my contact time with you, I become aware that there is a safeguarding risk to either you or another person I will contact the emergency contact given and/or emergency services where appropriate.
- My supervisor will be handed all my counselling related paperwork should I become indisposed, and will contact you and then destroy notes accordingly.
- Where you request me to do so, i.e. references or similar.
- Where I need to comply with a legal requirement to do so (a court order for example)
Personal information is limited only to those with a strict need to know.
I do not use CCTV or recording equipment on my premises.
How you can obtain a copy of information I hold about you or have it removed.
- You have a right of access to and deletion of your records. Please see the guidance on: https://ico.org.uk/for-the-public/personal-information/