What are the General Data Protection Regulations, 2018 (GDPR) and how do they affect me?
The GDPR replaces the 1998 Data Protection Act to ensure your personal and sensitive, confidential data is kept private and held securely, being processed in the way that you have agreed to. It is there to protect your rights as a consumer of a service or product that might involve your identifiable data, e.g. your name and address or whether you have a specific condition. It also covers any session records, text messages or emails we exchange.
How long will you hold my information for?
If you are an adult, your data is kept for 7 years after your counselling, psychotherapy and/or supervision sessions have finished, for insurance purposes. After 7 years your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine owned by the organisation.
If you are a child, your data is kept until the month after your 25th birthday, or your 26th birthday if you are aged 17 when counselling and psychotherapy sessions end. At this point your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine owned by the organisation.
What rights do I have over my data?
If you wish to see a copy of your data then you need to request this clearly in writing. If the data controller doubts the identity of the person making the request then they will first take reasonable steps to ensure it’s really you before releasing any records. The data controller will check whether there is specific data that you wish to see or whether you wish to see all your data. A copy of your data will be provided within one month. There is no monetary charge for this. If you wish to make a correction to any of the data you believe to be inaccurate, you can do so by informing the data controller. If you do not want your data to be collected in the manner described in this document you can discuss this with your counsellor.
You can ask for all your data to be deleted if you don’t want it to be stored for 7 years. Again, you need to make this request in writing to Paper Plane Counselling Ltd. Once your identity has been confirmed, all your paper records will be shredded with a cross-cut shredding machine and any electronic data such as emails or text messages will be permanently deleted from the devices they are stored on. We will have to save the request for deletion you made but would not save any other data. Please note that in some circumstances our insurance company’s legal team may want to verify the information we process and we may by law be unable to delete data if it is subject to a police or legal investigation (please see ‘Exceptions’ below).
You have the same rights to your data regardless of your age (i.e. children have the same rights to their data as adults).
Why do you need to record information about me?
We collect information about why you are using the service, a small amount of medical information and a small amount of information about your important others, alongside brief session notes. This information enables us to provide a high-quality service to you, ensuring Amy Mills is equipped with the knowledge of our previous discussions prior to each session. Your contact details will only be used for purposes other than scheduling sessions with your explicit signed consent.
When an individual visits www.paperplanecounselling.com we use Google Analytics, which is considered a third-party service, to collect information about what visitors do when they click on our website, e.g. which page they visit the most. Google Analytics only collects non-identifiable data, which means neither we nor they can identify who is visiting. Paper Plane Counselling Ltd will always be transparent when it comes to collecting personal data and will be clear about how that data is processed. Google Analytics’ privacy notice can be found here: https://policies.google.com/privacy/update?hl=en
Wix is a third-party service that hosts Paper Plane Counselling Ltd’s website. Wix uses anonymised data to collect visitor information such as how long an individual remains on a page of a website. Wix also hosts the Contact Us form on Paper Plane Counselling Ltd’s website and a copy of any data sent via this form is stored by Wix. Wix Bookings hosts the online session booking function on Paper Plane Counselling Ltd’s website and a copy of any data given when booking a session online will be stored by Wix Bookings. Wix’s privacy notice can be found here for further information: https://www.wix.com/about/privacy
We use Stripe and SumUp respectively to process payments online through our website and by credit/debit card. Both these providers record the payee’s contact details and banking details in order to process payments. Their privacy policies can be found here: https://stripe.com/privacy-center/legal and https://sumup.co.uk/privacy/.
We use QuickBooks to manage our accounting electronically. QuickBooks records an individual’s name, payment amount and date of payment for each transaction made electronically (i.e. for all payments made via Stripe, SumUp or by making an online BACS payment). QuickBooks’ privacy notice can be found here: https://quickbooks.intuit.com/uk/privacy-policy/
What do you do to ensure my information is held securely?
Hardcopy documents – These are all stored in a locked filing cabinet in a locked room. They are stamped as “Private and Confidential”.
Text messages and Telephone Calls – Paper Plane Counselling Ltd uses a dedicated mobile phone which is secured with a PIN code.
Emails – Amy Mills’ email account requires a user name and password, and two-step authentication is enabled. The account is only logged on to from devices which are the sole property of Paper Plane Counselling Ltd or Amy Mills. All emails sent are encrypted in transit. We use Frama RMail software to encrypt emails which contain sensitive personal information. This software includes the option for you to reply by encrypted email without having to install or register for software yourself.
Email attachments – Any attachments sent by email to you containing your personal information are sent by Frama RMail encrypted email. Each attachment is also password protected and the password is sent to you via a different medium (e.g. text message).
Online Agreement documents – Online contracting documents are sent to you via Frama RMail to sign electronically. This software offers full encryption and a verified electronic trail confirming the identity, date and time of the signature.
Electronic documents – Electronic documents are stored on a password protected and encrypted external hard drive which is stored in a locked filing cabinet behind a locked door when not in use. A back-up of all electronic documents is made on a monthly basis and is stored in a separate password protected and encrypted external hard drive which is stored in a separate locked filing cabinet behind a separate locked door when not in use. The computers used to access this data are password protected and are the sole property of Paper Plane Counselling Ltd or Amy Mills.
Is what we discuss kept confidential?
Everything you talk about during your sessions is strictly confidential between you and Amy Mills. In accordance with the BACP Ethical Framework, all counsellors consult a supervisor on a regular basis to ensure their practice is ethical and that they are working in the best interests of their clients. Your counsellor’s supervisor is verbally told broad overarching themes of your counselling sessions. The supervisor is not told your name nor contact details and does not have direct access to written records of your electronic or hard-copy data. The supervisor also adheres to the GDPR.
What if I see you outside of the session?
If you see Amy Mills outside of a session (e.g. you pass each other in the street) she may smile but will not engage in any further conversation to ensure your confidentiality. You are welcome to talk to other people about the therapy you are receiving, but Amy is obligated by GDPR law to ensure your confidentiality is protected. She requests that, in order to ensure the success of your therapy, you refrain from discussing your therapy with her outside of your sessions. This extends to the online world where Amy is obliged by law to protect your confidentiality. Therefore, she is unable to respond directly to any client interaction via social media, blogpost or other public internet forum.
What about other Health and Social Care Professionals?
As Amy adheres to the GDPR, any contact relating to you with other health care professionals would only be made with your signed consent. For example, if she were to write to your GP to notify them of your treatment with her, and then notify them of the treatment ending, she would only do this if you were to sign the specific consent for this at the end of this document.
In order to safeguard you and the people around you, if you were to disclose that you were going to carry out significant harm to yourself or somebody else, then Amy is obligated by law to inform the relevant authorities. If this happens your counsellor will make every effort to discuss the situation with you first before sharing information in order to agree what information to share and to whom.
Amy may contact relevant authorities if she believes children or vulnerable adults are at risk of significant harm in order to safeguard their development and wellbeing. If this happens she will make every effort to discuss the situation with you first to agree what information to share and to whom, unless to do so would be to endanger the children or vulnerable adults concerned.
Your data must be shared with another professional or organisation if it is legally necessary to do so. This could happen if Amy becomes aware that you are planning, or have participated in, an act of terrorism or serious crime (e.g. murder). Likewise, if Amy is subpoenaed to give evidence in court then she is legally required to do so and to discuss your data if necessary.
In the event that Amy becomes incapacitated due to an unforeseen emergency then contact details of current clients will be passed to Amy’s supervisor. If you were seeing Amy for therapeutic sessions at that time, this person would contact you to explain the situation and discuss alternative support. They will archive any client files (both current and past) in accordance with General Data Protection Regulations.
Our Information Governance Policy and Procedure gives further details of all aspects of our compliance with GDPR.