The DPA & GDPR May 2018
We comply with the DPA (Data Protection Act 1998) and the GDPR (General Data Protection Regulation), which comes into effect from May 2018. We will update this policy accordingly after the completion of the UK's exit from the European Union.
What are cookies?
Cookies are small files saved to the user's computer's hard drive that track, save and store information about the user's interactions and usage of the website. This allows the website, through its server, to provide the users with a tailored experience within this website.
Users are advised that if they wish to deny the use and saving of cookies from this website on to their computer's hard drive, they should take necessary steps within their web browser's security settings to block all cookies from this website and its external serving vendors, or use the cookie control system if available upon their first visit.
Website Visitor Tracking
This website uses tracking software to monitor its visitors to better understand how they use it. The software will save a cookie to your computer's hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information.
Adverts and Sponsored Links
This website may contain sponsored links and adverts. These will typically be served through our advertising partners, who have detailed privacy policies relating directly to the adverts they serve.
Downloads & Media Files
Any downloadable documents, files or media made available on this website are provided to users at their own risk. While all precautions have been undertaken to ensure only genuine downloads are available, users are advised to verify their authenticity using third party anti-virus software or similar applications.
We accept no responsibility for third party downloads and downloads provided by external third-party websites and advise users to verify their authenticity using third party anti-virus software or similar applications.
Contact & Communication With us
Users contacting us through this website do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use.
Where we have clearly stated and made you aware of the fact, and where you have given your express permission, we may use your details to send you products/services information through a mailing list system. This is done in accordance with the regulations named in 'The policy' above.
Email Mailing List & Marketing Messages
We operate an email mailing list program, used to inform subscribers about products, services and/or news we supply/publish. Users can subscribe through an online automated process where they have given their explicit permission. Subscriber personal details are collected, processed, managed and stored in accordance with the regulations named in 'The policy' above. Subscribers can unsubscribe at any time through an automated online service, or if not available, other means as detailed in the footer of sent marketing messages. The type and content of marketing messages subscribers receive, and if it may contain third party content, is clearly outlined at the point of subscription.
Email marketing messages may contain tracking beacons / tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of subscriber data relating to engagement, geographic, demographics and already stored subscriber data.
External Website Links & Third Parties
Although we only look to include quality, safe and relevant external links, users are advised to adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text / banner / image links to other websites).
Shortened URLs: URL shortening is a technique used on the web to shorten URLs (Uniform Resource Locators) to something substantially shorter. This technique is especially used in social media and looks similar to this (example: https://bit.ly/zyVUBo). Users should take caution before clicking on shortened URL links and verify their authenticity before proceeding.
We cannot guarantee or verify the contents of any externally linked website despite our best efforts. Users should therefore note they click on external links at their own risk and we cannot be held liable for any damages or implications caused by visiting any external links mentioned.
Social Media Policy & Usage
We adopt a Social Media Policy to ensure our business and our staff conduct themselves accordingly online. While we may have official profiles on social media platforms, users are advised to verify the authenticity of such profiles before engaging with, or sharing information with, such profiles. We will never ask for user passwords or personal details on social media platforms. Users are advised to conduct themselves appropriately when engaging with us on social media.
There may be instances where our website features social sharing buttons, which help share web content directly from web pages to the respective social media platforms. You use social sharing buttons at your own discretion and accept that doing so may publish content to your social media profile feed or page. You can find further information about some social media privacy and usage policies in the resources section below.
Resources & Further Information
- Overview of the GDPR - General Data Protection Regulation
- Data Protection Act 1998
- Privacy and Electronic Communications Regulations 2003
- The Guide to the PECR 2003
May 2019 edited and customised by Vicky Parkin trading as The Balance of Life, reviewed annually.
The purpose of this document is to demonstrate:
- My understanding of data protection (the collection, use and storage of personal information)
- My compliance with relevant legal frameworks (DPA in the UK, GDPR in the EU - see below)
To the best of my knowledge, this document describes professional best practice in relation to running a counselling business.
This is a 'live' document and may change from time to time to reflect changes in legislation, or the needs of my business (for example).
- As a professional counsellor, I place an emphasis on my clients' confidentiality
- I am committed to complying with the letter and the spirit of the law (e.g. DPA, GDPR)
- I respect that individuals have a set of moral and legal rights relating to how their personal data is processed
- I will register with the ICO and comply with their requirements.
The DPA (Data Protection Act) 1998 has been supplemented by the GDPR (General Data Protection Regulation) 2016 (enforced from 25 May 2018). These regulations cover the processing (collection, use and storage) of personal data.
The GDPR refers to 'controllers' and 'processors'. For the purposes of my business (Vicky Parkin Counselling t/as The Balance of Life) I will hold roles of data controller and of data processor. I may also use third party intermediaries as data processors - including (but not limited to): my webhost and email providers; my webform providers; my phone company; my business bank.
This document details the Legitimate Interests which are the Lawful Bases upon which I (and third parties employed by me as data processors) will collect, use and store personal data. For each type of data processed, I have identified my Legitimate Interest, shown that processing is necessary to achieve it, and throughout I have balanced this against the individual's interests, rights and freedoms. As such, this document constitutes my Legitimate Interests Assessment (LIA).
How I Collect, use and store Data:
Third parties will instigate contact with me via phone (calls, voicemail and text message), and via email. Where a third party contacts me, I will consider, by convention, that they intend and acknowledge that I may return contact by these means. Likewise, where an enquirer provides me with alternative contact details I will consider that they are inviting me to use those contact details in good faith. This is consistent with the Lawful Basis of 'Legitimate Interest' - as a lone trader with no permanent physical business presence, I need to collect and store contact information for clients and other enquirers.
Third parties may send information to me using webforms. This information may be processed and held by intermediary services (e.g. Google) as well as being sent to my own business email accounts. This is consistent with the Lawful Basis of 'Legitimate Interest' in that a third party using a webform to contact me, knows that that information will be transmitted and stored electronically and expects that I will respond to, or otherwise action, their communication.
I may also use webforms myself, such as to input confidential client notes. Accounts will be securely password-protected. Collecting and storing client notes in this way is consistent with the Lawful Basis of 'Legitimate Interest' - as a Counsellor I am ethically bound to keep accurate notes of my sessions. I have considered whether it is desirable to keep electronic notes (versus paper notes). I have concluded that electronic notes are at least as secure, and at least as durable, as paper notes. This is consistent with advice from the ICO. The platform I will be using is Bacpac https://bac-pac.co.uk/
Nevertheless I may still keep paperwork relating to my business - for example, signed copies of contracts. This is consistent with the Lawful Basis of 'Legitimate Interest' - I may need to provide copies of physical paperwork for example in order to support a client's claim for insurance expenses, or, in relation to legal proceedings. As a counsellor, I am ethically bound to keep such records.
I will also process personal data relating to the Assessment of prospective clients. This includes (for example) name, address, DOB, family and medical histories, and emergency contacts/next-of-kin. This has a Lawful Basis of 'Legitimate Interest' in that processing of assessment data helps ensure safe, ethical and appropriate therapy. It is a professional requirement that I process such data, and I may need to refer to it at any time during or after therapy (for instance, in relation to legal proceedings). I will store such data securely, whether in electronic or paper format (or both).
I will be particularly mindful of the rights and interests of third parties such as family members and significant others, regarding whom my clients may provide personal data (such as medical history; criminality) without the knowledge or permission of those third parties. I will undertake to process (collect, use and store) only a viable minimum of such information, consistent with me discharging the Legitimate Interests detailed in this document - for example, the collecting of family members' mental health history at the point of client Assessment, which is required in order to provide a safe, ethical and appropriate service to the client.
I may use online communication platforms provided by third parties (e.g. Skype) in order to deliver Online Counselling sessions. This will be by agreement with my client(s). Such use is consistent with the Lawful Basis of 'Legitimate Interest' in that the provision of Online Counselling requires the collection, use and storage of personal data - e.g. the client's username, and IP address.
Likewise, I may use business and personal phone services to deliver Telephone Counselling, and in any case to collect, use and store personal information (e.g. client names or codes, phone numbers, text messages). I will password-protect or otherwise secure any personally identifiable information. Clients and other enquirers should know and accept that by sharing telephone contact information with me, and by using telephones to contact me (including by text message), their personal data will be collected, used and stored. This is consistent with the Lawful Basis of 'Legitimate Interest' in that, as a counsellor I will need to contact clients at short notice (such as to arrange sessions, handle cancellations etc.) and, that I also make a valid commercial decision to offer a Telephone counselling service to those clients who wish to use it.
Where a client wishes to use electronic or online payments, or pay by cheque, my bank (and any third party intermediary) will collect, use and store personal data - e.g. the client's name and account number. This is consistent with the Lawful Basis of 'Legitimate Interest' in that I make a valid commercial decision to offer electronic or online payments, or payment by cheque. Clients paying by these means should know and accept that such payments require personal information to be collected, used and stored.
I am professionally bound to share relevant information about my counselling clients with other counselling professionals (my clinical supervisor(s) and other trusted colleagues, the client's fertility clinic or employees). Usually this information will be anonymized and only a minimum of personally identifiable data will be shared, in order to protect the confidentiality of my clients and any third parties. Counsellors share information in this way in order to promote safe, effective, ethical therapy.
Under exceptional circumstances, personal data may also be shared under the terms of a 'professional will' whereby I will pre-authorise a certain trusted executor to act on my behalf, to ensure ethical and appropriate care of my clients, in cases where I am unable to exercise my own duties directly (for example death, illness or injury). This is consistent with the Lawful Basis of 'Legitimate Interest' in that such arrangements are considered best practice amongst counselling professionals. My contractual terms will make this arrangement clear to clients.
Sensitive Personal Data:
Under the GDPR, sensitive personal data includes data about:
• Racial or ethnic origin
• Political opinion
• Religious belief or belief of a similar nature
• Trade union membership
• Physical or mental health condition
• Sex life
• Criminality, alleged or proven
• Criminal proceedings, their disposal and sentencing
It is in the nature of counselling that clients will reveal, and counsellors will process, such sensitive data. Usually this data concerns the client himself or herself, but it may also concern a third party such as a family member. I shall process sensitive data under a Lawful Basis of 'Legitimate Interest' in that the commercial and therapeutic services I provide would not be viable without collecting, using and storing such sensitive data. For instance, I am ethically bound to conduct appropriate client Assessments, which consider clients' physical or mental health with a view to the safety and appropriateness of any service I may offer. I am also ethically and professionally bound to keep appropriate client notes, which may include details of sensitive data. I will only process a viable minimum of such data.
Whilst holding a Lawful Basis of 'Legitimate Interest' for processing sensitive data, I will also seek clients' explicit and informed permission (the Lawful Basis of 'Consent') within my Assessment and Contract documents.
Third parties about whom I hold personal data have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Third parties should consult the relevant legislation for a full understanding of their rights.
My understanding is that these rights are not absolute. For example: I may refuse a request to access data, on the basis that the request is unfounded or excessive - and/or I may charge a reasonable administration fee. Where a client requests data concerning a further third party, I may refuse the request in order to protect the rights and interests of that third party (for example, where a client seeks session notes which refer to a third party they had discussed with me in session).
That said, I aim to comply with the spirit of the legislation and I will seek to fulfil any reasonable request to the best of my abilities.
Erasure, Retention and Disposal
Third parties have an in-principle right for their data to be erased upon request, and to be held no longer than is necessary.
Where this concerns clients of Vicky Parkin Counselling t/as The Balance of Life, I reserve the right to preserve data securely in order to exercise or defend legal claims, and to comply with professional counselling standards (the principle that counsellors will keep accurate client notes, and retain these for a minimum of seven years in order to facilitate professional conduct enquiries, legal proceedings etc.).
Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
I undertake to record any data breaches I am aware of, and to promptly inform the subject of the data, the ICO and other relevant authorities where appropriate.
Policy adopted by Vicky Parkin on 21 May 2019, reviewed annually.
An up-to-date policy will always be available on my website www.vickyparkin.co.uk