Choices Counselling Buxton Privacy, Data Protection & Retention Policy Statement
In its use of client and personal data in the exercise of its functions, Choices Counselling paid staff and volunteers must comply with the requirements of the Data Protection Act 1998 [DPA] as amended by the General Data Protection Regulation 2018 [GDPR]. This Statement sets out the policy by which Choices Counselling will ensure that compliance is achieved and maintained.
In this document, the terms ‘client data’ and ‘personal data’ cover data held both in computerised systems and in structured manual records, including client notes.
The term ‘client’ means any person receiving the services of a Choices Counsellor.
- Compliance with Data Protection Principles
Choices Counselling fully supports the objectives of the DPA and GDPR. It will comply with their principles. This requires that client and personal data will be:
- obtained for one or more specified and lawful purposes and not processed in any manner incompatible with those purposes;
- adequate, relevant and not excessive;
- accurate and kept up to date;
- kept safe from unauthorised or unlawful access or processing, and protected against accidental loss, destruction or damage:
- Clients will be assigned numbers, and records containing client numbers will be stored separately and securely away from other client information in a locked cabinet; and
- kept secure if taken off the premises until they can be returned to the locked filing cabinets in the Choices Counselling office.
- not transferred to a country outside the European Economic Area unless that country has equivalent levels of data protection for client and personal data.
- Data Retention
Data will not be kept longer than necessary:
- Written client data will be kept for a period of 7 years after final contact and then securely destroyed;
- Electronic client data will be kept for a period of 4 years after final contact and then securely destroyed;
- Written and electronic data held for Gift Aid purposes will be kept for 6 years after the data subject’s final donation and then securely destroyed; and
- Written and electronic data held for the purposes of maintaining contact with a data subject will only be held with the data subject’s prior consent and only maintained whilst that contact is necessary or until the data subject withdraws consent.
Choices Counselling will hold no more client or personal information than is necessary for the performance of its functions and this information will be retained only for as long as is determined necessary or required by law.
In order to ensure that the client and personal information it holds is accurate and up to date, Choices Counselling will correct identified inaccuracies without undue delay.
- Client Consent
As part of their initial agreement, clients must actively consent to their data being held by Choices Counselling in accordance with GDPR Guidelines when they contract to work with Choices Counselling. This consent document is separate from other terms and conditions and:
- explains our lawful basis for processing data;
- explains our data retention periods; and
- explains that individuals have a right to complain to the ICO if they think there is a problem with the way their data is being handled.
- Client Confidentiality
Choices Counselling client confidentiality is outlined fully in the Choices Counselling Confidentiality Policy. This Policy, including exceptions to confidentiality, will be explained verbally to clients as part of the initial contracting at their first meeting with the Counsellor.
- Staff & Volunteer Awareness
All staff and volunteers will be made aware of the GDPR, and of their obligations under it.
- New staff and volunteers will receive information about the GDPR as part of their induction process;
- All staff and volunteers will be asked to sign a Policy Agreement Form when joining the organisation;
- Staff and volunteers will be properly trained and competent to receive confidential information and able to deal with the issues raised; and
- Staff and volunteer induction will involve familiarisation with the Confidentiality, Safeguarding & Data Protection Policies and instruction in implementation.
- Storage of Client Records, Statistics, Publicity, Phone calls and Correspondence
- All client records will be kept securely. It is the responsibility of those on duty to ensure that all written records are locked away at the end of each session;
- All letters and printed emails that disclose personal details of clients will be kept in a locked filing cabinet, separate to the filing cabinet containing their notes;
- If a letter or email containing feedback is received from a client, and which could be used in publicity, prior permission will always be sought from the writer;
- Texts to clients’ mobiles must be discreetly worded. Any client numbers left on the voicemail service must be removed as soon as possible and any notes made during the conversation, revealing clients’ details, must be shredded or stored in a locked filing cabinet;
- Any email regarding an appointment or personal client information will be deleted as soon as possible. If the correspondence is such that it needs to be kept with their records, it will be printed and stored in a locked filing cabinet and then deleted from the email account;
- All data will be kept safe from unauthorised or unlawful access or processing and protected against accidental loss, destruction or damage. All staff and volunteers will be aware of, and follow, the security requirements applicable to the personal data upon which they work and will ensure that personal data is disposed of in accordance with the Choices Counselling Data Retention Policy; and
- All staff, volunteers and visitors are required to sign in to the Choices Counselling office upon entry and exit to further ensure security of the office space.
- Processing of Data
Staff and volunteers will process data only in accordance with the requirements of the DPA and GDPR.
- Data Subject Access Requests
All data subject access requests for personal information made to Choices Counselling under the GDPR will be dealt with by the Trustee with responsibility for Data Protection [the Data Protection Officer].
Choices Counselling will provide copies of the information it holds, by post, free of charge, subject to the provisions of GDPR.
- Right to be Forgotten
All data subject requests made to Choices Counselling under the right to be forgotten will be dealt with by the Data Protection Officer.
Client and personal data obtained and processed by Choices Counselling are confidential. They will only be disclosed:
- as required or permitted by the DPA and GDPR;
- where there is a legal obligation or requirement to do so; or
- with the consent of the data subject.
Individual members of staff or volunteers may be personally liable for breaches of the DPA and GDPR if they act outside their authority in disclosing client or personal information.
- Data Protection Registration
An annual review of the need to notify the Information Commissioner will be undertaken by the Trustees.
- Disciplinary Action
Disregarding this policy, or failure to comply with the requirements of any Code of Practice or instruction issued in order to implement it, may result in disciplinary action.
- Information Audit
The Choices Administrator will undertake an Information audit across the organisation to map data flow on a quarterly basis, reporting to the Data Protection Officer.