GENERAL DATA PROTECTION REGULATION
OFF THE RECORD COUNSELLING SERVICE (NORFOLK) LIMITED
This policy sets out the information that Off The Record Counselling Service (Norfolk) Limited (“OTR”) collects, stores and uses data, and how this can be accessed.
What personal data does OTR collect, and what is it used for?
The data OTR collects includes Client, Counsellors, Consultants and Employees names, addresses, contact numbers and email addresses. This is collected directly from Clients / Contractors / Employees when they request to become a client or are hired as a Counsellor Consultant or Employee at OTR.
During the course of client therapy with OTR notes will be taken by the Counsellor which may contain personal data if disclosed by the client, and kept in confidential client / counsellor files.
During the course of employment or engagement with OTR notes on Counsellor supervision, disciplinary or grievance matters will be retained on confidential personal files.
OTR collects bank details for all Counsellors, Consultants and Employees to enable payment of fees, invoices and salaries. This information is confidentially stored electronically within our Online Banking system accessed only by the Treasurer who is also a Trustee.
Employees name, address, NI number and bank details will also be shared with Hines Harvey Woods Accountants who are responsible for processing the payroll and administering the pension scheme on behalf of OTR. A contract is in place and employees consent to this information being shared is obtained when employment commences.
What is this personal data used for?
Client information is used for the purposes of communicating information, arranging appointments, providing therapy, recording donations and managing Gift Aid payments.
Who is your data shared with?
Client data will be shared with the Counsellor they see for therapy. This data will be confidentially stored in the client / counsellor files.
Counsellors, Consultants and Employees name, address and contact details are shared within the team by way of a Contact List, where individuals have provided their explicit consent for this. This is to enable contact to be made with colleagues due to the infrequent contact that colleagues have with one another.
Where clients are referred to OTR from other agencies some communication between the agency and OTR will take place and limited information provided. A contract with each agency is in place and clients will provide consent at the start of therapy for this interaction.
Where does this data come from?
Data comes directly from Clients, Counsellors, Consultants and Employees directly when they register or are engaged, or when details are updated by individuals during the course of their therapy, engagement or employment.
How is your data stored?
Data is stored in confidential files in secure cabinets in the Administration office of OTR. Access to clients information is limited to the Administration team and the Counsellors involved in the clients therapy. Counsellors, Consultants and Employees data, other than contact information, is limited to the Head of Administration, Heads of Service and Trustees where necessary for the management of contracts, employment and performance and is stored electronically by way of passwords protected computer and documents or in confidential files in secure cabinets accessed only by the Senior Management Team.
Who is responsible for ensuring compliance with the relevant laws and regulations?
Under GDPR we do not have a statutory requirement to appoint a Data Protection Officer. The responsibility for ensuring OTR discharges its obligations under GDPR lies with the Senior Management Team.
Who has access to your data?
Counsellors have access to their clients data for the purposes of providing therapy.
The Administration team have access to all clients data for the purposes of organising client appointments, recording donations and managing Gift Aid payments.
The Heads of Service and Head of Administration have access to Counsellors, Consultants and Employees files for the purpose of contract, employment and performance management.
The Trustees have access to Counsellors, Consultants and Employees details as required for managing contracts, employment and performance.
The team (Counsellors, Consultants, Employees and Trustees) have access to other team members contact details (where consent has been explicitly provided by each individual) for the purposes of communicating, discussing appointments and arranging meetings.
What is the legal basis for collecting this data?
OTR collects personal data necessary for the purposes of its legitimate interests as a Counselling organisation.
Regarding financial data, the basis of collecting and retaining information is to comply with our legal obligations.
How you can check what data we have about you?
If you would like to see the personal data we hold about you, you should contact our Senior Management Team at the registered office in writing. Upon receipt of a written request, and proof of identification (if required) the requested information will be provided within one month at no charge.
Client’s who consider there is an inaccuracy in the records may ask for this to be corrected with the agreement of the Counsellor. If there is disagreement about what would be a correct record, a record of the client’s objections will be included in the notes.
Any counsellor who is concerned about the client’s response to seeing their records may offer to be present and explain the records or to arrange for another suitably qualified person to be present. If the Counsellor is concerned that access to the notes would cause serious harm to the physical or mental health of the client and that access to the notes may constitute a health risk, it may be possible to refuse or defer access with the authorisation of the health professional who is currently or was most recently responsible for the clinical care of the person concerned (Data Protection – Subject Access Modification (Health) Order 2000 section 7). The legal presumption in favour of access to personal data makes this an exceptional provision that ought not to be sought or granted lightly.
Does OTR collect any Sensitive Personal Data (Sensitive Data)?
Most information held by Counsellors providing therapy will be regarded as sensitive personal data or sensitive data under GDPR. The use of sensitive data requires Client’s explicit consent. Clients are required to actively state they are agreeing to a record being kept and used in the knowledge of the purposes for which the record is being made, how it will be used and any limitations on confidentiality.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing and the new Data Protection Bill sets out specific conditions providing lawful authority for processing it which mean that this type of data is dealt with in a very similar way to the special categories of data outlined below:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
Children’s Personal Data
GDPR contains provisions intended to enhance the protection of children’s personal data. As OTR provides therapy to young people we have written this policy in a clear way that we believe a young person can understand.
Processing Personal Data
As well as consent, there are lawful grounds for processing personal data. These are:
- processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- processing is necessary for compliance with a legal obligation
- processing is necessary to protect the vital interests of a data subject or another person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Counsellors will obtain the consent of a client, as required, to process client’s personal data in this way, but there may be occasions (for example to prevent harm to the client or someone else) when one of the above grounds will be required.
All personal data in a Counsellor’s possession will be:
- Processed fairly and lawfully
- Obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes
- Adequate, relevant and not excessive
- Accurate and, where necessary, kept up to date
- Not be kept longer than necessary
The clients rights will be respected.
Personal data will be securely stored and only transferred to other people as detailed in this policy, clients consent, or as required by law.
How can you ask for data to be removed, limited or corrected?
Please contact the Senior Management Team at our registered office.
How long we keep your data for, and why?
Client details will be retained for a minimum of one year after the end of therapy for the purposes of Gift Aid administration and should clients wish to return for additional therapy.
Your rights as a Data Subject
Data subjects have the following rights:
The Right to Erasure which does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected / processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (ie otherwise in breach of GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- The exercise or defence of legal claims.
The Right to Data Portability
This right allows you, as a data subject to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer your data easily from one IT environment to another in a safe and secure way.
It applies when:
- Data has been provided from an individual to a controller.
- Where processing is based on consent or for the performance of a contract, and
- When processing is carried out by automated means.
If a Counsellor receives a request to transfer a clients personal data, he or she will provide the personal data in a structured, commonly used and machine readable form and the information will be provided free of charge.
If the client requests it, we can transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.
If the personal data concerns more than one individual, we will consider whether providing the information would prejudice the rights of any other individual.
The Right of Access
The data protection legislation gives the data subject a right to access the information which is being held about them a ‘subject access right’ – see “How you can check what data we have about you?”
Can your data be downloaded to use it for other purposes?
No, your data is used only for the purposes set out in this policy.
Off The Record Counselling Service (Norfolk) Limited
1 Trinity Street