Counselling in Iver, Buckinghamshire and online

Claire Basstian's Privacy Notice

Introduction

In order to provide you with the best service possible I need to hold your personal contact details and records of your therapy sessions. This privacy notice tells you what I will do with your personal information from initial point of contact through to after therapy has ended. Your privacy is very important to me and you can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to me.

I adhere to current data protection legislation, including the General Data Protection Regulation (EU/2016/679) (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. I take protecting your anonymity, your confidentiality, and your privacy seriously. I am a Registered Member of the British Association of Counselling and Psychotherapy (BACP). The BACP is on the register accredited by the Professional Standards Authority that was set up by the Government to improve standards and safety for the benefit of the public. Being on an accredited register demonstrates my commitment to high professional standards. I abide by and am subject to my professional body’s codes of ethics and complaints procedures. You can find out more about them as follows:


BACP House, 15 St John’s Business Park, Lutterworth, Leicestershire LE17 4HB www.bacp.co.uk


This privacy notice tells you what I will do with your personal information from initial point of contact through to after your therapy has ended, including:

  • Why I am able to process your information and what purpose I am processing it for
  • Whether you have to provide it to me
  • How long I store it for
  • Whether there are other recipients of your personal information
  • Your data protection rights.


I am happy to chat through any questions you might have about my data protection policy and you can contact me via my email claire@clairebasstian.co.uk

‘Data controller’ is the term used to describe the person/organisation that collects and stores and has responsibility for people’s personal data. In this instance, the data controller is me, Claire Basstian.

I am registered with the Information Commissioner’s Office under reference number ZB659292.

My phone number is: 07856 356611
My email address is: claire@clairebasstian.co.uk

My lawful basis for holding and using your personal information

The GDPR states that I must have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which I am processing your data. I have explained these below:

If you have had therapy with me and it has now ended, I will use legitimate interest as my lawful basis for holding and using your personal information.

If you are currently having therapy or if you are in contact with me to consider therapy, I will process your personal data where it is necessary for the performance of our contract.

The GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is consent initially. I will then retain any counselling records in case of the need to reference them in the future (the official legal basis is to defend against potential legal claims).

How I use your information

Initial contact:

When you contact me with an enquiry about my counselling services I will collect information to help me satisfy your enquiry. This will include client name, address, phone number and email address. Alternatively, your GP or other health professional may send me your details when making a referral or a parent or trusted individual may give me your details when making an enquiry on your behalf.

I take the security of the data that I hold about you very seriously. My email account is password protected, and mobile phones and laptops used to respond to your emails are password protected and have anti-virus software.

If you decide not to proceed I will ensure all your personal data is deleted within one week. If you would like me to delete this information sooner, just let me know.

While you are accessing counselling:

Your email address or phone number will be used to provide you with written confirmation of your appointment times if you have given consent for this. Your email address and telephone number will only be used to contact you regarding appointment times unless we have agreed that I will also use your email address to email you information that is relevant to your therapy sessions.

At the beginning of your first appointment I will ask you to complete a personal details form containing your name, address, date of birth, contact information and also contact information for your GP. Rest assured that everything you discuss with me is confidential. Confidentiality will only be broken if there are legal or ethical obligations to disclose, for example, if you reveal to me during our sessions that you or someone else is at risk, especially a child, I will encourage and support you to take necessary action (for example, to talk to your GP, go to A & E or inform Social Services). If you are unable or unwilling to do so, I reserve the right to break confidentiality and contact the relevant agency myself. I will not contact your GP or anyone else without your permission or knowledge, unless I believe you present a serious risk to yourself or others (for example, if you are psychotic or intentionally suicidal).

I will always try to speak to you about this first, unless there are safeguarding issues that prevent this. There are some situations in which a professional therapist has a statutory obligation to disclose. These include money laundering, acts of terrorism and drug trafficking.

Please be aware that I will not routinely contact your GP to inform your GP of your attendance as your attendance is confidential. To fulfil my duty of care towards you while also maintaining your confidentiality I will only contact your GP if it is necessary and should these circumstances arise I would discuss this with you wherever possible before contacting your GP.

Rest assured that what is said in our sessions will be kept confidential.

As a professional therapist, I regularly discuss my casework in confidence with a supervisor (who is also registered and upholds the same principles of confidentiality and code of ethics). Supervision helps therapists to offer as high a level of safety and quality of care as possible.

I will keep a record of your personal details to help the counselling services run smoothly. These details are kept securely on Kiku, a counsellor and therapy practice management software (see more details below) and are not shared with any third party and can only be accessed by me.

I will keep written notes of each session; these are kept within Kiku, a GDPR-compliant system.

For security reasons I do not retain text messages for more than one week. If there is relevant information contained in a text message I will make a note of it in the Kiku notes system. Likewise, any email correspondence will be deleted after one week if it is not important. If necessary I will save it into the Kiku notes system.

If you don’t want me to use the digital Kiku system, I am happy to use a non-digital locked storage cabinet system, with notes and details kept separately and annotated for further security. I keep your therapy notes separately from your personal details form. Only I have access to this storage system. Your therapy notes do not include any personal details that could be used to identify you and continue to be stored securely in a locked filing cabinet that only I have access to for seven years after therapy has ended. This time frame adheres to current industry guidelines. Seven years after therapy has ended your therapy notes will be confidentially destroyed.

Your personal details form is confidentially destroyed on ending your therapy sessions. Please note that I need to keep a record of your name, date of birth and your client reference number for seven years after therapy ends.

During remote working I will ensure that I am conducting online and telephone sessions in a quiet, private and confidential setting. I have selected video calling platforms that offer end-to-end encryption to ensure maximum privacy. Please note, however, that I cannot be held responsible for any breaches that occur due to failures in this technology.

After counselling has ended:

Once counselling has ended, your records will be kept for seven years from the end of our contact with each other and are then securely destroyed. Your therapy notes do not include any personal details that could be used to identify you and continue to be stored securely on Kiku or in a locked filing cabinet that only I have access to, for seven years after therapy has ended. This time frame adheres to current industry guidelines. Seven years after therapy has ended your therapy notes will be confidentially destroyed.

Your personal details form is confidentially destroyed on ending your therapy sessions. Please note that I need to keep a record of your name, date of birth and your client reference number for seven years after therapy ends. If you want me to delete your information sooner than this, please tell me.

Third party recipients of personal data

I sometimes share personal data with third parties, for example, where I have contracted with a supplier to carry out specific tasks. In such cases I have carefully selected which partners I work with. I take great care to ensure that I have a contract with the third party that states what they are allowed to do with the data I share with them. I ensure that they do not use your information in any way other than the task for which they have been contracted. I will never pass on your contact details to any third party organisations for the purposes of sales, marketing or research and will never use your personal data for any purposes other than the administration of the counselling service I am providing to you i.e. to arrange, cancel and rearrange appointments and collect payment for sessions.

Kiku

I use a counsellor and therapy practice management software called Kiku. As a data processor, Kiku is fully GDPR compliant.

Kiku’s website and admin system is secured with RSA 256 bit SSL encryption, which means that both my and my clients' data is encrypted when both processed and stored.

Access to Kiku is both password and two-factor authentication protected to ensure that the personal information that they process and store remains safe and secure.

Kiku is hosted on AWS Ireland Servers which adhere to strict and robust security measures.

GDPR Compliant, UK Developers

Kiku was developed and is maintained by Jump Up Limited (ICO Z160546X) in accordance with the latest security compliance standards.

The website code-base is stored in a private UK based GitHub repository with full version control and developer accountability.

Data access

Kiku’s support team are only able to view clients' contact details and attendance history via the Kiku application which is both password and 2FA protected.

In the event of data loss the permitted members of the Kiku Development Team are able to access more sensitive information (clinical notes, emergency contacts etc.) in order to restore your records. Their access is through the application, where they must tunnel over an encrypted SSH connection through an intermediate bastion server and then provide an additional SSH key to reach the database.

Online Bookings

When you make an online booking or payment, Kiku will send a booking notification to me via email and the Kiku messaging system.

Anonymised payment details are recorded in Kiku’s financial income reports. These reports will only hold your first name, last name initial and unique client reference number. HMRC requires that I retain this information for 5 years after the end of the financial year.

All of Kiku’s accounts use the secure GSuite server and are double password protected. If you send an email to my email address, only I have access to it.

Your Payment Details

All payments made through Kiku are made through the secure Stripe Connect server. My website therefore does not hold your payment information. Where you have made payment for your session over the phone, I will never keep a record of your card details. Your information is entered directly into the card payment port and no written record will be taken.

Clinical Will

It is an ethical requirement that I have a Professional Executor for a Clinical Will. In the unlikely event of my sudden death or incapacitation, my Professional Executor will be given access to my diary and client contact details on Kiku.

On gaining access to my client contact details, they will contact my clients to inform them of the situation, discuss with them appropriate arrangements for their ongoing support and provide support sessions for any client who may require it.

They will confidentially dispose of any paper case records and request the confidential deletion of any digital records, such as the deletion of my Kiku account. This Executor is a counsellor who upholds the same principles of confidentiality and code of ethics.

Your Rights

Any personal data retained by me is kept in accordance with the GDPR, 2018.

Under these guidelines you have the following rights:

1. The right to request access to your data

You can request to view the information that I hold about you (contact details, appointment logs etc.) at any time. If during therapy you would like to see your session notes, please let me know. Should you require a copy of your notes after your therapy has come to an end you can make this request by emailing claire@clairebasstian.co.uk or calling 07856 356611.

2. The right of rectification

At any point during your time using my service, or during the seven years thereafter while I retain your records, you have the right to request amendments to your contact details or session notes. This right can be exercised either by speaking directly to me or by contacting me in writing.

3. The right to be forgotten

You can request that I delete and confidentially destroy the information that I hold about you and your sessions at any time. This request can be made by contacting me at claire@clairebasstian.co.uk.

Instances where I would not be able to comply with your request are as follows:

a) It is necessary for me to retain these records in order to continue providing an effective service

b) I am compelled to retain these records by a Court of Law

c) I require these records in order to establish, exercise or defend legal claims

Website Visitors

By accessing my website, you are consenting to the information collection and use practices described in this privacy notice. Should you choose to contact me using the contact form on the website none of the data that you supply will be stored by the website or passed to any third party data processors. Instead the data will be collated into an email and sent to me over the Simple Mail Transfer Protocol (SMTP). SMTP servers are protected by TLS (sometimes known as SSL) meaning that the email content is encrypted before being sent across the internet. The email content is then decrypted by local computers and devices.

The website uses cookies and Google Analytics. Almost all websites use cookies which are small files that get put on your computer by websites as you surf them. These cookies can store lots of information which can have privacy implications. Google Analytics is a service provided by Google that gathers anonymous data on how people are using websites and then provides visitor statistics, details of page views etc. This service is used by many website owners as the data helps website owners to improve their websites.

Some page elements are embedded from trusted third parties in order to provide you with interactive maps. This makes the website more helpful to you as a site visitor; however, most of these come with their own cookies. This applies to Google Maps. I do not control these cookies so I cannot guarantee what they do. In many cases the cookies are used to generate identical information to Google Analytics and indeed use Google Analytics, so opting out of Google Analytics will also opt you out of these cookies too. You can opt out of Google Analytics and other Google services here and here.

My website has been made by Webhealer but I retain the administration of it. They organise the SSL certificate for my website. This authenticates my website’s identity and enables an encrypted connection. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. I collect data including your name, email address and phone number when you contact me through it. You can see more of Webhealer’s privacy and cookies policy here.

You can see more of Kiku’s privacy policy here.

You can see more of Zoom’s privacy policy here.

You can see more of BACP’s privacy policy here.

Consent

When you book your first session with me, you will be asked to provide a digital signature and tick a checkbox to confirm that you consent to the storage and processing of your personal data for the purposes of providing therapeutic services.

You are entitled to withdraw this consent at any time and can do so by emailing me at claire@clairebasstian.co.uk

Breaches of data protection

In the event of any breach of my data protection policies, I will notify you and the Information Commissioner’s Office (ICO) within 72 hours and will seek to rectify this immediately.

Raising concerns

Should you have any concerns about my data protection practices, you can raise these directly with me. You can also notify the Information Commissioner’s Office. I am registered with ICO under the reference number ZB659292.

Changes to privacy notice

This privacy notice may be updated from time to time, so please check occasionally for any updates.


© Claire Basstian
