GDPR requires data protection by design and by default. Privacy and data protection compliance have always been a high priority for me, and GDPR now makes them a legal requirement.
Sue Smith is data controller and processor for Sue Smith Counselling Ltd and Managing Director of Specialist Support Solutions C.I.C.
The General Data Protection Regulation is EU legislation from 2016 governing data protection and how we collect, store and use personal data, providing us with a framework.
It is similar to, but enhances, the Data Protection Act 1998 and shifts the focus towards strengthening your rights, taking account of advances in technology and storage devices. GDPR states that data should be processed fairly and lawfully, obtained for a lawful purpose, adequate and not excessive, accurate, and retained for no longer than necessary.
Data should be processed in accordance with the rights of the data subject and secured against breaches, loss or destruction. It will not be transferred outside the jurisdiction (Europe).
What you need to know
You have a right to know what I do with your information in my role as Counsellor and Data Controller and Processor for Specialist Support Solutions C.I.C.
I need to explain why I store your data, how I hold it and for how long, and your right to complain to the ICO if you feel there is a problem with how I store your data.
I am a data controller under GDPR and registered with the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/what-s-new-under-the-gdpr/
GDPR relates to the information of EU citizens. It is a new EU privacy law which is enforceable from May 25 2018.
It concerns data in ANY form, e.g. on paper, drives or devices.
As a data controller I gather, record, process, store and destroy personal data, and by doing so I need to meet some requirements.
The Information Commissioner's Office (ICO) states that accountability is central to GDPR (General Data Protection Regulation).
Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the regulator (ICO).
The information I am collecting
Data is personal information which can identify an individual.
As a counsellor I collect sensitive personal data: client information, contact information, personal details and your story, e.g. mental health history, relational or sexual history, criminal offences or convictions.
This means there are enhanced requirements regarding security and consent.
I hold contact data (email address, telephone number) on a laptop and phone, using a spreadsheet to collate the data. The information is stored using encrypted cloud storage and the laptop is password protected.
I hold anonymised session notes on paper only.
All client information is regarded as confidential.
Client information will not be used for any purpose other than authorised.
Only information whose need can be justified is accessed, e.g. for the purposes of administration, assessment and treatment.
Passwords are not shared e.g. email access or mobile phone access.
Contact information is assigned a Case Number and anonymised (paper) clinical notes will be held under this number.
Serious breaches of confidentiality involving sensitive personal information may result in legal proceedings under data protection legislation (ICO).
A client's consent to data collection and processing needs to be explicit and signed, so you will be asked to read and agree to me processing your data in order to provide counselling.
GDPR states that personal data should be:
A - Processed lawfully, fairly and in a transparent manner.
B - Collected for specified, explicit and legitimate purposes.
C - Adequate, relevant and limited to what is necessary.
D - Accurate and, where necessary, kept up to date.
E - Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.
F - Processed in a manner that ensures appropriate security of the personal data. This includes retention and destruction processes for information.
Why I'm collecting your data / my legal basis for data processing (Contract & Consent)
My justification (legal basis) for gathering data is that I need to gather the data necessary for the fulfilment of a contract (please also see the Counselling Agreement).
I also hold data for as long as needed in order to contact you to set up a session or change any arrangements, and to take a history of relevant information to develop a treatment plan for counselling with you.
I need your explicit consent for this management of your data.
You have the right to expect the highest level of confidentiality regarding your information.
How I will use your data: in carrying out what is required to provide my counselling service to you.
This information covers the acceptable use of systems, my responsibilities and the possible consequences of a breach of confidentiality.
I do not use a client database for marketing. I do not sell private information and will not share it with third parties unless there is a safety or ethical risk issue (see Agreement/Contract).
Where there is a risk issue that may require sharing with a third party, we will discuss this first (see the contract for disclosure of confidentiality/safety issues only).
You will see and sign this in our agreement at the beginning of any work we do together.
Your 6 Rights under GDPR
You have the right to be informed of how your data is collected, stored and managed (protected and processed).
You have the right to access the data stored and used.
You have the right to correct personal data.
You have the right to rectification / to review your data and understand how it is
You have the right to restrict processing.
The right to stop data processing.
The right to data portability (refers to personal data processed by automated means/devices).
The right to object.
The right not to be the subject of automated decision making, including profiling.
You have the right to access your data within a month of your request; this will be free of charge.
You have the right to complain to the ICO if you think there is a problem with the way I handle your data.
How will your data be recorded and stored?
(And what happens regarding data breaches)
I will have systems in place to reduce the risk of a data breach as far as possible.
Laptops and electronic devices are password protected.
Paper notes are non-identifiable by way of reference numbering and are held in a locked filing cabinet, the key to which I keep.
Texts and emails are not currently encrypted. I endeavour to use text and email only for practical purposes, e.g. to arrange appointments or sometimes to send self-help material or links, but I will check with you beforehand to ensure this is okay with you.
If I discover a data breach I will inform the ICO within 72 hours and/or the affected individuals, following the ICO's recommendations.
A counsellor needs to retain clinical notes for defensive purposes in case of a complaint, according to my professional/clinical insurance guidance (up to 7 years).
You have the right not to be contacted by me after our work together has ended, which I do not normally do in any case.
I keep clinical notes in paper form, which I hold for up to 7 years from the end of our work together.
Any enquiries by phone or email that do not progress to an assessment I shall keep for 6 months.
If you wish to complain about how your data is stored or used you can access more information here.