Privacy Policy & General Data Protection Regulation (GDPR)


On 25th May 2018, it became a legal requirement under the GDPR (General Data Protection Regulation) 2016 for your counsellor/psychotherapist to make their data processing procedure clear to you. Most importantly, the GDPR made it a legal requirement for you to actively opt-in and consent to these arrangements and the handling of your data. I collect information for the purposes of running therapy whilst providing an ethical service in accordance with the British Association of Counsellors and Psychotherapists (BACP) and the National Counselling Society (NCS) Code of Ethics. I abide by the General Data Protection Regulation (GDPR) 2016 and the UK Data Protection Act 2018 and am the data controller and processor for Vanessa Zopp. You can learn more about the GDPR and the UK Data Protection Act from the ICO (Information Commissioner’s Office) – I am registered as Data Protection Officer ZA405483.

What information is collected

Personal details include name, address, DOB, contact details, and GP details. Therapeutic information includes background information, psychological and physical health, and previous and current social and family circumstances discussed during your appointments. This may include personal information defined as ‘special category data’, such as your sexual orientation or behaviour. I also collect information when you complete the questionnaires. I also keep brief session notes, as minimal as possible, as per BACP good practice; they enable me to follow the topics of our conversation; this is a widespread practice.

Why is this information collected?

I collect relevant personal information from clients as ‘Legitimate Interest’ as defined under GDPR: to enable a working record of contacts in case of emergencies, for the ongoing work to deliver the services that clients have requested, and to maintain my accounts and records.

How this information is used

Personal details are used for contacting you directly. I will keep your mobile number on my phone if I need to contact you via text or call. I also store your email address in my contacts on my PC, tablet, and phone (unless you explicitly express that you do not want me to do so) and on platforms I use for my work with you. My devices are all password and face/fingerprint recognition protected. I must discuss aspects of my work in supervision with a supervisor who is a counsellor and psychotherapist. The information is treated with strict confidence and in compliance with GDPR; your identity is protected, and any details that might identify you are not disclosed. The duty of confidentiality extends to my supervisor, who is also a qualified and accredited professional. I also produce invoices for remittance.

How is this information stored, and how long

I keep your information in an online practice management tool called (Our Security:; Privacy Policy available at : All collected data abides by Power Diary’s Privacy Policy, which complies with international legislative and regulatory requirements, including UK & EU GDPR, US HIPAA and the Canadian PIPEDA. Any data entered is encrypted end to end from browser to server. Power Diary’s security monitoring is in place to ensure any suspicious or unusual activity is flagged for immediate review.

I also use (Privacy statement available at

I access the information stored in both systems using devices protected by password/facial/fingerprint recognition. I keep the data for seven years, at which point it will be permanently deleted. Website: none of your personal information is stored on my website, other than to momentarily collect & send it to my mail account for the purposes of our initial contact.

We may decide to use different platforms for Video Calls (Zoom, Skype, WhatsApp, Telehealth), mainly depending on your preferences and needs. Please note that Zoom, Skype, and WhatsApp are third-party applications and potentially introduce privacy risks. A better, safer way is to use Telehealth, which uses end-to-end encryption with peer-to-peer connections; the call does not pass through any third-party servers. It is secure and compliant with all health standards (including HIPAA). We will discuss this during our first meeting. However, you are always welcome to switch at any time.

Sharing your information with third parties

I take confidentiality very seriously, and I will not discuss with anyone what is said to me unless you ask me to, with the following exceptions.


I am required by the British Association for Counselling and Psychotherapy (BACP) to engage in regular supervision, and the duty of confidentiality extends to my supervisor. When discussing your case, your identity will remain anonymous. Your identity is not disclosed, and you will be referred to by your first name.

Therapeutic will

Your personal details may be passed on to my Therapeutic Executor so that they can inform you in case anything happens to me that prevents me from attending the session and from communicating with you directly (death, illness).


I am required by law to breach confidentiality if I assess that there are serious grounds to believe that there are severe life-threatening risks to you or others, or in cases in which children are put at risk (such as by sexual or physical abuse or neglect). I may disclose such information to the most appropriate person/body in the circumstances. If, therefore, an issue arises where I believe it necessary to disclose session content because I feel that you are a danger to yourself or others, or if there is sufficient evidence to raise a concern about the health, welfare or safety of children or vulnerable adults, I will try to discuss this with you beforehand. I will initially encourage you to contact an appropriate source of support/help. Yet, if I feel you cannot do so, I will have to make this contact myself. Whilst I will try to discuss this with you first before passing any information on to others, and to explain why I am taking this course of action, this might not always be possible.


Under the GDPR, the counsellor/psychotherapist/supervisor also has a legal requirement to disclose data if you are involved in drug money laundering, planning terrorist offences or a Court Order has been made. Counsellors/psychotherapists are not able to guarantee confidentiality in these circumstances.

Public Health – COVID

Should you, another client, a person in the building, or I, the therapist, test positive for Coronavirus, then confidentiality will be broken if necessary for reasons of public interest in the area of public health. I may need to share your name and contact details with the NHS/Track Tracer, who will contact you to offer support and testing. However, there will be no information sharing about what you were doing and why you were on the premises.


I want to acknowledge that electronic intrusion by the online communication provider, practice management and invoicing system is to some degree unavoidable. I am not using an encryption program for my email communication; this means emails can be vulnerable to viruses and human error. Please be mindful of this when it comes to what information we might exchange through email and what material you choose to include in emails to me. When sending mail/texts, be aware that with phones, too, there is always a possibility for confidentiality to be breached, for example, should my phone be stolen, even if passwords or fingerprints lock it, so you may wish to ask me to delete your communication after having read it. Risks related to third-party applications (Zoom, Skype, WhatsApp) have been highlighted in the previous section.

Your rights and your data

Unless subject to an exemption under the GDPR, you have the following rights concerning your personal data:

The right to request a copy of your personal data which I hold about you;
The right to request that I correct any personal data if it is found to be inaccurate or out of date;
The right to request that your personal data be erased;
The right to withdraw your consent to the processing of your data at any time;
The right to lodge a complaint with the Information Commissioner’s Office about the processing of your personal data, although I trust that you will try to discuss it with me in the first instance.

On Social media & Session Recordings

Social Media

I do not accept friend or contact requests from current or former clients on any social networking site (Facebook, LinkedIn, etc.). I believe that adding clients as friends or contacts on these sites can compromise your confidentiality and our respective privacy. I also think that it is best if I learn about you and your life directly from you within the therapeutic context, apart from a few exceptions such as referrals. Also, note that I will not follow you back or search for you online. If you wish to share something with me, please bring it into our sessions, where we can view and explore it together. You are welcome to follow my Practice on Facebook or other media.

Session Recordings & Case Material

I will never record a video/phone session, and I ask that this agreement be mutual unless we discuss and agree otherwise. It is not permissible to publicise the content of our exchanges or share them with a third party using social media or any other means.


Your written consent, acknowledging that you fully understand and accept this Privacy Policy for records held and the use of personal and sensitive personal data for the stated purposes, will be required prior to the commencement of therapy.

This Policy is reviewed regularly and kept up to date. Last review dated 13 February 2022.