The EU's General Data Protection Regulation (GDPR) is changing how companies and individuals collect, store and share data about us. The new law will apply in all EU states from 25 May 2018. It includes changes in relation to privacy rights.
I, Peter Eldridge, used to offer counselling and related mental health services as a self-employed service provider, under the service names ‘3 Counties Counselling Service’ and ‘Objective Reach Counselling Services’, and I was aware of, and compliant with, GDPR requirements.
I made notes during sessions, sometimes, written on paper, to help me understand my clients, review their progress and prepare for their further sessions. In addition, I exchanged e-mails, mobile texts and voicemails with clients where they communicated with me in these ways.
I kept any contact information (Name, Address, Telephone numbers, E-mail ids, etc.) that my clients gave me separate from the handwritten notes I made after a session. They were linked by a code. The notes were kept under lock and key when not in use. The contact information was kept in a separate location. I will keep client data for at least seven years (to comply with the law). However, a client can ask me to destroy any data I have about them at any time. In the event I eventually cease practice, all such records will be destroyed after seven years.
I never provided information about a client to other organisations and did not contact the client for purposes other than in connection with Counselling, Psychotherapy, EMDR or Supervision services they had asked me to provide.
Client confidentiality and right to privacy still matters to me both professionally and ethically.
However, I reserved the right to contact others (e.g. a client’s GP) if the client should ever tell me they intended to harm themselves or another - to try to prevent that harm - or the police if the client tells me they intend to commit an act of terrorism – as the law requires me to do.
In addition, where another organisation responded to a client’s request for help by contracting me to provide that client with therapy at the organisation’s cost, I would supply the organisation with minimal, non-confidential information they may have requested to assure themselves that I was delivering that therapy (e.g. names and dates, times, and durations of sessions delivered).
Rarely, a client might ask me to disclose session content to a third party at the client's own request, to help them achieve their objective. The above information sharing would only be done after I had sought the client’s permission to disclose, in writing.
Finally, I keep records of counselling and supervision sessions delivered, and annual financial accounts of fees paid for tax purposes, but they merely refer to clients using a code, so the clients cannot be identified.
I have been registered annually with the Information Commissioner's Office as a holder of personal data since first discovering that obligation in February 2012. GDPR Classification: My lawful bases for processing personal data are Consent, Contract, Legal Obligations and Vital Interests (of my clients). I shall continue that registration until all client records are eventually destroyed.