The EU's General Data Protection Regulation (GDPR) is changing how companies and individuals collect, store and share data about us. The new law will apply in all EU states from 25 May 2018. It includes changes in relation to privacy rights.
I, Peter Eldridge, offer counselling and related mental health services as a self-employed service provider, under the service names ‘3 Counties Counselling Service’ and ‘Objective Reach Counselling Services’ and am aware of, and compliant with GDPR requirements.
I make notes during session, sometimes, written on paper, to help me understand my clients, review their progress and prepare for their further sessions. In addition I exchange e-mails and mobile texts and voicemails with clients where they communicate with me in these ways.
I will keep any contact information (Name, Address, Telephone numbers, E-mail ids, etc.) that my clients give me separate from the handwritten notes I make after a session. They will be linked by a code. The notes will be kept under lock and key when not in use. The contact information will be kept in a separate location. I will keep client data for at least seven years (to comply with the law and because a past client returned for more help recently after that considerable length of time!). However, a client can ask me to destroy any data I have about them at any time. In the event I eventually cease practice all such records will be destroyed.
I will never provide information about a client to other organisations and will not be contacting the client for purposes other than in connection with Counselling, Psychotherapy, EMDR or Supervision services they have asked me to provide.
Client confidentiality and right to privacy matters to me both professionally and ethically.
However, I reserve the right to contact others (e.g. a client’s GP) if they should ever tell me they intend to harm themself or another - to try to prevent that harm - or the police if they tell me they intend to commit an act of terrorism – as the law requires me to do.
In addition, where another organisation responds to a client’s request for help by contracting me to provide that client with therapy at the organisation’s cost, I will supply the organisation with minimal, non-confidential information they may request to assure themselves that I am delivering that therapy (e.g. names and dates, times, and durations of sessions delivered).
Rarely, a client may ask me to disclose session content to a third party at their own request to help them achieve their objective. The above information sharing will only be done after I have sought the client’s permission to disclose (in writing if disclosure is requested).
Finally, I keep records of counselling and supervision sessions delivered, and annual financial accounts of fees paid for tax purposes, but they merely refer to clients using a code, so the clients cannot be identified.
I have been registered annually with the Information Commissioners Office as a holder of personal data since first discovering that obligation in February 2012. GDPR Classification: My lawful bases for processing personal data are Consent, Contract, Legal Obligations and Vital Interests (of my clients).