DATA PROTECTION POLICY

GENERAL DATA PROTECTION REGULATION 

  1. Policy Statement 

The purpose of this policy is to:

  • Comply with relevant legislation, particularly the Data Protection Act 1998 (hereafter ‘The Act’) and the General Data Protection Regulation 2018 (hereafter referred to as GDPR)

  • Follow good practice, protecting participants, staff, other individuals and Trident Counselling

  • Be respectful of individual rights, undertaking to be open and honest by informing all staff and, wherever possible, participants and other individuals of their rights under GDPR

  • Provide support and guidance for staff who process personal data, within the meaning of GDPR, to ensure that all are aware of their responsibilities under GDPR

  • Ensure Trident Counselling notifies the Information Commissioner of any issues or breaches of GDPR


Trident Counselling works to comply with both the spirit and the letter of the law contained within GDPR and reflected in this policy. The general principles outlined in this policy apply to everyone associated with Trident Counselling including freelance workers.


  2. General Data Protection Regulation

The General Data Protection Regulation, which replaces previous versions of GDPR, provides for a much broader definition of ‘data’ to include manual records.  The Act covers the processing of personal data and stipulates that all processing of personal data must comply with seven principles of good practice. GDPR gives employees and Clients rights of access to personal data employers may hold on them. 


  3. The Principles of Good Practice

The General Data Protection Regulation says that “personal data” must be:

  • processed fairly, lawfully and transparently

  • collected for specified, explicit and legitimate purposes only and must not be further processed in a way that is incompatible with those purposes

  • limited at collection stage

  • accurate

  • retained for a limited period of time

  • securely stored

  • stored with accountability


Failure to comply with these principles of GDPR may result in enforcement notices being served on Trident Counselling by the Information Commissioner’s Office.  This could lead to penalties and fines, in addition to reputational damage.


  4. Personal Data

As defined by GDPR, personal data is information, either factual or opinion, which relates to a living individual who can be identified from the data held.


  5. Sensitive Personal Data

GDPR defines Sensitive Personal Data as data relating to an individual’s:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data (where processed to uniquely identify someone).


Sensitive Personal Data may not be held about an individual (including employees) without their express permission, unless it is in compliance with legislation.


  6. Processing

GDPR defines ‘Processing’ as obtaining, recording or holding personal information or data and carrying out operations such as storing, organising, adapting, altering, retrieving etc.


  7. Responsibilities

Ultimately, the Trident Counselling Staff has responsibility for complying with all of the company’s legal obligations, including the company’s responsibilities under GDPR.


Michael Alan Read Jr. has been appointed by TRIDENT COUNSELLING as the Data Protection Manager (DPM) and their responsibilities include:

  • Briefing the Staff on Trident Counselling’s Data Protection responsibilities

  • Reviewing Data Protection and related policies

  • Providing ad-hoc advice on Data Protection issues

  • Ensuring that Data Protection procedures are in place and that induction and training take place

  • Notification to the Information Commissioner, if required

  • Handling subject access requests

  • Approving unusual or controversial disclosures of personal data

  • Providing Data Protection input into contracts with Data Processors



  8. Access to Personal Data

Only the counsellor of a client has access to personal data, and only when necessary in order to fulfil the remit of their contract with the client. All personal data is anonymised and held in password-protected drives.



  9. Data Protection Subjects

Participants, venue clients and all other individuals associated with Trident Counselling are entitled to expect that the data Trident Counselling holds about them will be treated with respect and in accordance with the Data Protection Principles above.


As such, care must be taken when personal data is being shared with other companies or individuals.  The DPM will be responsible for ensuring that appropriate operational guidelines are supplied for each project or activity.


If an individual (including an employee) has concerns about the nature, content, accuracy or relevance of personal data held about them, they may write to Trident Counselling, asking us to provide details of the personal information held. Such requests should be dealt with by the DPM and be responded to within 40 days. If the personal information is inaccurate, it should be corrected or removed as soon as possible.


Employees can request that information be deleted from their personal files, unless the information is necessary for contractual reasons.  


  10. Breach of Data Protection Practice

Any breach of Data Protection Practice is considered serious and may be viewed as gross misconduct which may lead to disciplinary proceedings and dismissal. In circumstances where disciplinary proceedings cannot be applied (e.g. freelance contractors or individuals leaving the organisation to take up a new role elsewhere), the use or copying of data for use in another context is a serious offence and will lead to legal action.


11. Process


Inquiry: All email, phone and initial information offered on inquiry via the website or counselling directories is noted in locked, password-protected personal files. All initial correspondence is then archived in email under password protection.


Sessions: All sessions, online or in person, are held in a secure and confidential location with no other individuals present. All session notes are anonymous and are assigned an individual client number. This client number only links to the client on one file that is held separately from all session notes and materials and is kept password protected. Google Drive adheres to GDPR. All records are held for three months past the conclusion of counselling and are then deleted. Please see your contract for those instances where actions of the law may require the therapist to hand over information on a client.


Pay: All payment methods (BACS, PayPal, SumUp) are held to GDPR standards. All personal financial data storage must be authorised by the client, and all information is held securely and password protected. All payment information is deleted at the conclusion of therapy.