Rachel Yates Counselling
Under the General Data Protection Regulation (GDPR) 2018, I am required by law to inform you about what personal information (data) I collect and hold about you, why I collect this information, how I process and keep safe this data, how long it is stored for and your rights over your personal data.
Security, and Data Protection
Rachel Yates Counselling has a legitimate interest in processing personal data to provide counselling services. I make every effort to keep all personal information confidential. Your personal information is stored securely and confidentially, and I am bound by the National Counselling Society (NCS) Code of Ethics (available to view online at https://www.nationalcounsellingsociety.org/about-us/code-of-ethics/).
I regularly see a confidential clinical supervisor to support my work. I have full professional insurance and have a current Enhanced Disclosure and Barring Service (DBS) check. I am a registered Data Controller and Data Processor and abide by the regulations imposed by such procedures. My Information Commissioners Office registration number is: ZA556485. If I discover there has been a breach of your personal information, I will tell you as soon as possible and inform the ICO if necessary.
If we are working online there may be limits to the security and confidentiality of our sessions dependant on the encryption of the online platform we use. I use Zoom (pro) for online work and Protonmail for email counselling. Please ensure you use encryption and security in your computer / phone and emails. I use WriteUpp record keeping software which is ISO27001 certified and GDPR compliant and uses two-factor authentication login and data encryption to keep records safe.
Personal information I hold
You have the right to know what personal information I hold, why I hold it, how it is stored, who has access to it, and for how long I hold it. I will keep the following personal information so that I can work safely and professionally with you, in line with the guidelines of the NCS.
- Your name, address, age, gender and pronouns – I keep this information in paper form in a locked filing cabinet and in WriteUpp. Only I will see this information. I will keep this personal information for 7 years from the end of our work together and after that time it is destroyed. This is required by my professional liability insurer and by my professional organisation (NCS). The Appropriate Person in my clinical will has your name, phone number and email kept securely so that you could be contacted in case I became suddenly ill / other emergency. They will destroy the personal information when you and I finish our work.
- Your phone number and email address – I keep this information in paper form in a locked filing cabinet, in WriteUpp, and in my mobile phone. My mobile phone is locked with a passcode when I am not using it. Your email address is held in my Gmail account. Neither my computer or my mobile phone are shared with anyone else. This is needed in case I have to contact you. I also keep your email address in case we agree to work therapeutically via email, either as a regular arrangement or just occasionally. I will remove this personal information from my phone and email account when we have finished our work. I will delete the information from WriteUpp and paper form after 7 years from the end of our work together.
- Emergency contact’s name and phone number (if you wish) – I keep this information in paper form in a locked filing cabinet along with your name and contact details and in WriteUpp. It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you. You and I may agree together on some other reason that I might contact this person. Only I will see this information. I will delete the information from WriteUpp and paper form after 7 years from the end of our work together.
- Relevant medical information – I keep this personal information in paper form in a locked filing cabinet and in WriteUpp along with your name and contact details. It may be relevant to keep or share certain medical information if you have any health conditions such as seizures, asthma, diabetes which may impact a session, or you have any allergies that I should be aware of. Only I will see this information and I will delete the information from WriteUpp and paper form after 7 years from the end of our work together.
- Session notes – My notes may include dates and times of attendance and brief notes on important themes from the session. I do not keep detailed session notes. I keep brief session notes electronically in WriteUpp. Only I will see this information. The notes will be destroyed 7 years after our work finishes.
- Payment information and invoices – I make a note of payments you have made and invoices on a password-protected financial spreadsheet for my business. I am required by law to retain certain financial information for tax purposes. I keep financial information for 7 years as advised by HMRC. Payment by BACS (bank transfer) or cash will be processed by my bank, and transactions may be viewed by employees of the bank and tax office HMRC. When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements. You have the right to discuss alternative payment options with me.
- My emails/texts to you, and yours to me – I may delete emails / texts after I have noted the contents (for example, emails around scheduling). Electronic correspondence will also be held by the corresponding app (Gmail, Phone’s SMS, WhatsApp). I may keep emails/texts if I consider them necessary to our work. I will delete emails/texts when our work ends, and only I will see the information.
- Website – My website is hosted by WordPress, who adhere to requirements of GDPR. None of your personal information is stored on my website, other than to momentarily collect and send it to my Gmail account for the purposes of our initial contact.
All information disclosed during counselling is confidential. However, there are legal exceptions. For example, if you reveal a threat of harm to yourself or to others, or information relating to terrorism or harm of a child, or if a court order is received and a legal obligation arises. In such a situation, the law may require that I share your personal information without your knowledge. If your health is in jeopardy (provided I have your consent) I may share your contact information and relevant medical information with an emergency healthcare service (e.g., ambulance).
Your rights under GDPR
- To be informed what personal information I hold (this document).
- To see the personal information I hold about you (free of charge for the initial request). This will be within 30 days in electronic format.
- To rectify any inaccurate or incomplete personal information.
- To withdraw consent to me using your personal information.
- To request your personal information be erased. Though I can decline if the information is needed for me to practice lawfully and competently
- To receive the personal information which you previously provided, and the right to transfer that information to another party.
For the purposes of the General Data Protection Regulation (GDPR) 2018, the personal information “controller” is Rachel Yates.