I, Donna Morgan, am a counsellor, providing counselling services to individuals. For the purposes of Data Protection Law (GDPR), I am therefore a data controller and am registered with the Information Commissioners Office (ICO).
This Privacy Notice applies to personal data held and used (“processed”) by me about current, prospective and past clients who I counsel. This document is intended to provide information about how I will collect, use and store the personal data relating to individuals and is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used.
2. What personal data I may hold
Personal data means any information about an individual from which that individual can be identified.
Generally, I receive personal data from individuals directly. This may be via a form, such as client details form or a consent form, or simply in the ordinary course of interaction or communication as part of our sessions.
The information I may collect includes, by way of example:
- name, gender, date of birth;
- address, telephone numbers, e-mail addresses;
- contact details of a third party or parent in case of emergency;
- medical details where relevant; and
- clinical notes taken during our sessions which will include comments of professional opinion;
- Occasionally, other information is received from other individuals or agencies, such as client’s relatives, the client’s school or CAMHS.
3. Why I need and how I use your personal information
The main reason I need personal data for clients is to provide you with the service for which you are paying, and as such I have a contractual obligation to use your personal data in the following ways:
- organising counselling sessions;
- providing you with the counselling service;
Relevant health information is required to ensure I understand how any possible medical conditions interlink with the areas that we may discuss as part of our counselling sessions.
I cannot provide the counselling service without the relevant personal information and therefore, I have a legitimate interest to this information.
4. How I store your personal data
I have taken appropriate technical and organisational steps to ensure the security of personal data about individuals, to prevent it being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
A unique reference code is assigned to each client, which is recorded on the basic client record. Subsequently all clinical notes are kept with only your unique reference code as an identifier so these notes are effectively anonymised for anyone other than myself.
Some of my third party providers, such as WhatsApp, my email and scheduling providers are based outside of Europe, in countries where data storage regulations may differ to ours. I am committed to making sure that data is protected as much as it would be within Europe and only use reputable companies who have relevant policies and procedures in place to offer maximum data protection.
5. Who has access to your personal data and who I share it with
In general, matters discussed during sessions will be treated as confidential and so any personal information that I hold on clients will not be shared with any other individual apart from in the following unlikely circumstances:
if there is a serious threat of harm to self, in which case I would contact the emergency contact;
if there is a serious threat of harm to others, in which case I would contact the relevant authority as this is a legal requirement; or
if I am legally required to provide information to a relevant authority, normally due to a court order of disclosure.
6. How long I keep personal data
I keep clients records for 7 years after they have ceased to be a client after which time, they are securely erased or destroyed.
7. Your rights
Under data protection law, individuals have the right:
- to request access to and understand what personal information I hold about them (this is commonly known as making a subject access request);
- to have incorrect information rectified;
- to ask for your personal data to be erased; or
- to ask for your personal data to be transferred to another.
These rights are subject to certain exemptions and limitations. The right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals or information which is subject to legal privilege. I will sometimes have compelling reasons to refuse specific requests to delete or stop processing your personal data: for example, a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice.
To exercise any of these rights, please contact me. Likewise, please let me know of any significant changes to important information, such as contact details, held about you.
The rights under Data Protection Law belong to the individual to whom the data relates.
8. This policy
I will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable. Minor changes will be made as needed, with the latest version always being available on my website and displayed within my counselling rooms.
9. Queries and complaints
Please contact me with any comments or queries on this policy, at email@example.com. If you believe that I have not complied with this policy or acted otherwise than in accordance with Data Protection Law, please let me know. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/.