Privacy and Data Protection
We have the highest respect for your privacy and want to assure you that we will not distribute, sell, lease or share your personal information with any third party, unless we have reason to believe that disclosing this information is reasonably necessary to comply with the law or for safe ethical practice or where you are at serious risk of being a harm to yourself or others. Except in the aforementioned circumstances, data will not be passed to another party without your consent.
Transforming Together has data management and protection policies and procedures in place concerning the collection, processing, holding and transmitting of your personal information in order to work within the requirements of the Data Protection Act 2018 and the General Data Protection Regulation 2018. The nature of our work is spiritual reflection, retreats and contemplative and wellbeing walks. Personal information supplied by clients and delegates will be held securely and used solely by Elaine Arthur or Transforming Together except for Soul Spa retreats where the information will be shared with Elaine’s co-retreat leader Beryl Bye.
Only where you use our services or where you request our services or information about our services, will we gather and secure your personal information. This will be used to contact you to understand your needs, to arrange appointments and to improve our services. Client enquiries relating to the processing and use of personal data should be addressed to the Data Processor, Elaine Arthur, at email@example.com or phone 07515 370270.
Details of the procedures and policies related to data management and protection are included below.
Transforming Together (TT) Privacy and Data Management and Protection Procedures May 2018
The Data Protection Act 2018 and the General Data Protection Regulation 2018 obliges organisations by law to manage all personal data, including client data, in a strictly confidential and appropriate manner. These guidelines have been produced using existing practices and have been validated against the ICO guidelines.
Based upon an assessment of requirements, the following documents were produced:
- Data Protection Policy
- Client Data Handling for Counsellors and Assessors
- Data Protection and Client Confidentiality Procedures (this document)
3. Conditions for Processing Client and Other Personal Data
The ICO describes the type of data that TT holds on Clients in Client Notes and other files as “Sensitive Personal Data” and lays out a number of conditions for processing that data. For TT the key points to note in handling sensitive personal data items are as follows:
- The individual whom the sensitive personal data is about has given explicit consent to the processing.
- The processing is carried out by TT and does not involve disclosing personal data to a third party, except where legal or ethical requirements apply.
In the event that the individual providing the TT service dies or becomes so ill that they cannot contact the Client then they have a named representative who will have the first name and phone number of their Clients kept securely locked away. In such exceptional circumstances the representative will make contact with the Client to update them about the individual and if appropriate to make suggestions for alternative arrangements for the provision of ongoing services.
4. Data Processing Roles
The ICO describe three key roles in the processing of Client Data:
- Data Subject – means an individual who is the subject of personal data. For TT the Client is the Data Subject and before Counselling/Coaching can commence will have signed a Counselling Agreement giving permission for the Counsellor/Coach to keep and retain the Client Notes. As the majority of our client work is counselling, with coaching integrated as appropriate, the following documents mention counselling, but they can also apply to coaching. In the case of training services delegates will be advised by the Trainer on how their feedback forms will be stored and used within TT and their own organisations, giving delegates opt out options as to whether they include personal or sensitive information or not.
- Data Controller – means a person who determines the purposes and manner in which any personal data are processed. A data controller must be a “person” recognised in law, that is to say, an individual, an organisation, or a corporate or unincorporated body of persons (e.g. a Trust). For TT the Counsellor/Coach/Trainer is the Data Controller for Client Data as they have an intimate knowledge of the Client Notes and are the person best able to determine such items as retention period or risk related matters. For other individuals TT Management are the Data Controller.
- Data Processor – means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Transforming Together acts as the Data Processor providing a set of procedures for the handling of the Client Notes. While Transforming Together operates the Client Notes Processes, accountability for the notes remains with the Data Controller. For all other personal data, TT Management is the Data Controller and Data Processor.
- In the majority of cases Elaine Arthur, Founder of Transforming Together, is the Counsellor/Coach/Trainer for our services and she is the Service Manager. In most cases Elaine will be both the Data Controller and the Data Processor.
5. Client Data including Client Notes
All client data is kept securely and confidentially within the Service. In line with the Service’s Data Protection Policy, counsellors’ notes are kept for a defined retention period. After this time they are destroyed by shredding.
All clients using the Counselling/Coaching Service are asked to sign a Counselling Agreement to agree to notes being kept. If a client will not sign the Agreement, only the initial assessment can be offered. In this session it will be made clear why counselling cannot be offered and other options will be suggested.
Transforming Together provide guidance to Counsellors/Coaches on the production of Client Notes in a number of policy documents. These include:
- Data Protection Policy
- Client Data Handling for Counsellors and Assessors
- Counselling Agreement
- Making Notes of Counselling and Supervision
In summary these documents recommend that:
- Client data should not be held and stored in electronic form on PCs or other processing devices (tablets, laptops, mobile phones) on a long term basis. Such data e.g. emails from clients will be fully deleted from any electronic devices at the earliest opportunity once the client’s details are in hard copy and can be locked away. For example if a letter is written to a client the copy of the letter stored electronically will not contain any personally identifying information.
- The client’s files are separated into “personal data” and “sensitive data” based upon the ICO definitions. The Client’s Sensitive Data File must have no means of identifying the client except by a client code or pseudonym.
- Identifying personal data such as addresses and telephone numbers, Counselling Agreement, GP letters etc must be kept in a separate Client’s Personal Data File.
- Clear guidance is given on the factual and objective nature of how notes should be taken
- At all times when not in use Client Notes should be securely locked away
6. Client Access to their Notes (see also Subject Matter Access Request)
Under the Data Protection Act, clients have a right of access to all notes kept on them. If those notes contain references to other individuals these may not be available to the client, as protection is also granted to third parties. If the client’s file includes a letter or additional information from the person responsible for their clinical care, usually their general practitioner (GP) or psychiatrist, consent from the relevant practitioner must be obtained before the correspondence is disclosed.
When client notes are not in use they must be kept in locked facilities by the counsellor, whilst the client continues to receive counselling. Clients are free to see their notes on request at any time, unless they contain documents referring to third parties in which case prior approval must be sought or there is potential for serious mental or physical harm as determined by a clinical professional. Client Notes cannot be taken away by the Client; they are to be kept in the possession of the counsellor at all times when not locked away. If the Client wishes to have a copy of all personal data held by the Counsellor (and TT) then the Counsellor should ask them to raise a Subject Matter Access Request (see below).
At the end of counselling, clients’ notes continue to be kept in locked facilities in possession of the service within the archive. These are archived for between three and seven years depending on case specific circumstances as advised by the Counsellor and their insurance provider and are then destroyed by shredding.
7. Third Party Access to Client Notes
There are circumstances under which it is possible that a third party would require access to TT’s Client Notes. This could be for a number of reasons, usually driven by a legal requirement. Any disclosure should be undertaken in a manner that best maintains the Client’s trust. As part of the Client’s Counselling Agreement the following should have been reviewed and discussed with the Client before Counselling has commenced.
CONFIDENTIALITY: It is agreed that the information given during counselling will remain confidential unless exceptional circumstances should arise (including a criminal act or when required to do so by the processes of the law) which give (amongst other things) the counsellor good grounds for believing that the client will or may cause serious harm or real risk of safety to him/herself or others. In all of these situations other appropriate parties will be contacted, e.g. G.P, police, and social services etc. Whenever possible the decision to break with confidentiality will be made only after consultation with a supervisor as per the Association of Christian Counsellors’ (ACC) Code of Ethics.
Further guidelines for Counsellors with respect to Third Party access are contained in the document “Third Party Confidentiality Guidelines” which is part of the Policies and Procedures supplied to all Counsellors.
In particular Counsellors are advised:
- To contact their Supervisor first before agreeing to any demands that are being made on them by the legal or other professions to gain access to client notes in order to understand their rights
- If contact is necessary with any other outside agencies; e.g. GP, Minister, Psychiatrist etc. permission in writing will be sought from the client unless they are a serious danger to themselves or others or where there is a reasonable requirement by law to pass on information without consent e.g. concerning acts of terrorism.
8. Data Retention Periods
The following Data Retention dates will be used for TT held data:
Information received in electronic form e.g. via email or by contacting us via our websites will be destroyed as soon as the information has been transferred to hard copy. We aim to do this within a week, but it may be longer during times of absence. The exception is where both parties have used secure encrypted email providers where the information may be held in line with retention periods for hard copy information. We do not record telephone calls. We will take hand written notes related to enquiries received via telephone. We will advise you of this and the information will be locked away and held in line with the following retention periods.
Information relating to enquiries which do not lead to use of TT’s services will be destroyed in hard copy within a maximum of 1 year.
Default Data Retention period for hard copy client notes is 3 years.
Maximum Data Retention period for hard copy client notes where special circumstances warrant longer retention is 7 years.
Information relating to payments e.g. invoices and bank statements will be held for 7 years as a requirement for our accounts.
All of the above will be kept in locked cabinets when not in use.
In the event of the death of the founder of Transforming Together, Elaine Arthur, all client notes related to services provided by Elaine will be shredded as soon as is reasonably possible. Accounts information will be kept for 7 years.
The Data Protection principles state that unless a relevant exemption applies, at least one of the following conditions must be met whenever you process personal data:
- The individual whom the personal data is about has consented to the processing.
- The processing is necessary:
  - in relation to a contract which the individual has entered into; or
  - because the individual has asked for something to be done so they can enter into a contract.
For all Client Data, including sensitive data, TT will only provide a service once a client has agreed and signed the Counselling Agreement. At any point where third party engagement is requested in the counselling process and the client’s data is identifiable (typically a GP) then the client’s explicit consent is sought at each stage. A review of all TT Client Forms and documents has been completed to ensure that the Client has given explicit consent to personal data being discussed.
There are other situations where client sensitive personal data is discussed for the purposes of ensuring the quality of the treatment for the client, for example Supervision. In all these cases only the client code or pseudonym is used with any other party (Supervisor, peer Supervisions, TT Service Manager).
10. Subject Matter Access Request
The Data Protection Regulation provides increased rights for individuals to request information from an organisation regarding the personal data that the organisation holds on an individual. As part of the Counselling Agreement the informal process for a client reviewing the personal and sensitive data that TT holds in the Client Notes is clearly described. This does not require the use of a special form to make the request, nor is a fee required.
Outside of the Counselling Agreement process mentioned above, the general TT response to a formal Subject Matter Access Request (SMAR) is as follows:
- If a written SMAR is received the identity of the requestor should be validated by the Service Manager and the request acknowledged.
- For a client request the Service Manager should ask the appropriate Counsellor, potentially with the support of their Supervisor, to compile the client’s data.
- The data should be reviewed for any third party data that is included within the data held and permission sought for the sharing of that data e.g. GP information for clients.
- In certain situations it may not be in the best interest of a client to access their personal information, as it may cause further risk to their mental or physical health. If the Counsellor, taking advice from their Supervisor, feels this would apply for the client, then specialist advice should be sought from the person responsible for the client’s clinical care. This would apply only in exceptional circumstances.
- Once appropriate permissions have been received, the compiled information should be provided to the individual requesting the data.
- As far as possible this process should be acted upon as a priority and completed within one month from the receipt of the SMAR.
11. Data Breach Procedures
There is a risk for any organisation that at some point personal data could be lost, accessed inappropriately or stolen. TT guidelines insist that all but transient client data is held in paper files only, so a likely breach would be a loss of one or more client files through theft or being misplaced. Other non-client data is held on PCs and could be breached through computer security failings. In either case, should any suspected data breach occur, the TT Service Manager should be informed. They will then assess the impact of the data breach, as follows:
- Review the data breach in terms of the scale, severity and potential impact of the data breach. Review the latest Information Commissioner’s Office (ICO) procedures for handling of a data breach, this provides good advice on items to consider and more detail on the approach to take.
- Where the breach does not include personal data potentially being held or accessed by an unauthorised person (e.g. PC virus, corrupt/deleted online file etc.) an appropriate data recovery approach (e.g. restore, recreation from other records) will be agreed and the incident closed.
- If it is identified that personal data has been lost then the scale and risk of the data loss should be determined (eg type of data, number of individuals, cause of loss etc).
- Steps should be put in place to minimise the impact of the breach and to prevent the possibility of it recurring.
- Depending upon the scale and type of breach the following may need to be notified of the breach, the type of data lost, the potential risk and the actions taken:
  - The individuals potentially impacted
  - The professional body of the Counsellor for Client data
  - The appropriate Insurer
  - Any potentially impacted third parties, e.g. GP, Supervisor
- If appropriate the ICO will be informed.
- Once the incident has been resolved and processes and procedures updated to prevent a recurrence, the Service Manager should examine if any sanctions should be applied to those involved in the breach, if for example negligence is identified.
12. Direct Marketing
TT performs a very limited amount of Direct Marketing to individuals. This is done through a list of people who have expressed an interest in being notified of forthcoming courses.
For the current distribution list TT believe that these individuals satisfy the “soft-opt-in” requirements of the GPA and the EPCR. These are as follows:
- the person’s details have only been collected as they have attended or requested to attend a TT course
- the messages only provide information on TT courses or services the client has requested
- an opportunity to refuse marketing is included on all direct communications
Cookies are small text files which can be gathered from your browser, e.g. Internet Explorer or Safari, if you agree to it when you access websites. Sometimes cookies are necessary to identify us e.g. to remember your user preferences on a website. Sometimes cookies are strictly necessary for the operation of the website. Sometimes the information is gathered for use by an organisation.
We use strictly necessary cookies for some aspects of the operation of our website e.g. for clients wishing to book and pay for events like training courses online. This will include personally identifying information which will be deleted from the system when the event closes.
We use analytics cookies to store information about what pages of the website people visit. This helps us to understand which pages are of more interest to potential clients which can help us with our service development. Analytics cookies do not collect or store users’ personal information e.g. names or addresses. If you decide to contact us via posting a comment on our website these come to our Service Manager via an email. They are not visible in the public domain and are deleted from the website as soon as possible, usually within a week.
The plug ins used on our websites are:
1) Events made easy, which we use for managing bookings and payments for our events.
2) GDPR Cookie Compliance. This is a plug in which enables individuals to select settings regarding whether they accept cookies or not when they use our websites.
3) Google XML Sitemaps. This enables our website to be included in indexation of search engines like Google, Yahoo, Bing and others.
4) J Shortcodes. This is a collection of short codes to customise the website.
5) WP Sitemap Page. This adds a sitemap page.
Inclusion here does not mean an endorsement of these plug ins, but this information is provided in terms of transparency concerning our websites.
How do I turn cookies off?
Most modern web browsers allow you to adjust your cookie settings. You can usually find these settings in an “options” or “preferences” menu of your browser, or via the browser developer’s website, e.g. for Google Chrome, Microsoft Edge, Mozilla Firefox, Microsoft Internet Explorer, Opera or Apple Safari. However, if you use your browser settings to block all cookies, including essential cookies, you may not be able to access all or parts of our website or other websites. You can use the “Help” option in your browser to understand the settings.
To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.
In case of any queries or questions about these procedures please contact the Data Processor Elaine Arthur by email to firstname.lastname@example.org or by phone to 07948 388266.
Transforming Together (TT) Privacy and Data Protection Policy May 2018
Transforming Together (TT) needs to collect and use certain types of information about the clients who come into contact with Transforming Together in order to carry out our work of counselling, coaching, and training. This personal information must be collected and dealt with appropriately whether it is collected on paper in a filing system, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the Data Protection Act 2018 and the General Data Protection Regulation of 2018.
2. Data Controller and Data Processor Responsibilities
Retreat Leaders and Trainers engaged through Transforming Together are considered the Data Controller for client data, which means that they determine for what purposes personal information is held and what it can be used for. For client data Transforming Together acts as the Data Processor. For all other data held by Transforming Together the organisation is both the Data Controller and Data Processor. Transforming Together will take the lead in notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.
Transforming Together does not share personal or sensitive data with other agencies such as the NHS, local authorities, funding bodies or voluntary agencies. There are circumstances where the law requires Transforming Together to disclose data (including sensitive data) without the data subject’s consent. These are:
- Carrying out a legal duty or as authorised by the Secretary of State
- Protecting vital interests of a client or other person
- Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- Providing a confidential service where the client’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill clients to provide consent signatures. See also Third Party Confidentiality Guidelines for specific legal and other requirements relating to the counselling context.
Transforming Together regards the lawful and correct treatment of personal information as very important to successful working and to maintaining the confidence of those who engage with the service. The client or other individuals will, in most circumstances, be made aware of how and with whom their information would have to be shared.
Transforming Together intends to ensure that personal information is treated lawfully and correctly. To this end, Transforming Together will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 2018 and the General Data Protection Regulation 2018.
Specifically, the Principles require that personal information:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,
- Shall be obtained only for one or more of the purposes specified and shall not be processed in any manner incompatible with that purpose or those purposes,
- Shall be adequate, relevant and not excessive in relation to those purpose(s)
- Shall be accurate and, where necessary, kept up to date,
- Shall not be kept for longer than is necessary
- Shall be processed in accordance with the rights of data subjects under the Act,
- Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,
- Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals/Service Users in relation to the processing of personal information.
Transforming Together will, through appropriate management and strict application of criteria and controls:
- Observe fully, conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purposes for which information is used
- Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements
- Ensure the quality of information used
- Ensure that the rights of people about whom information is held, can be fully exercised under the Act. These include:
  - The right to be informed that processing is being undertaken,
  - The right of access to one’s personal information
  - The right to prevent processing in certain circumstances and
  - The right to correct, rectify, block or erase information which is regarded as wrong information
- Take appropriate technical and organisational security measures to safeguard personal information
- Ensure that personal information is not transferred abroad without suitable safeguards
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
- Set out clear procedures for responding to requests for information
4. Data collection
Informed consent is when
- A client or other user clearly understands why their information is needed, who it will be shared with, and the possible consequences of them agreeing or refusing the proposed use of the data
- And then gives their consent.
Transforming Together will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a TT Agreement or other form.
When collecting data, Transforming Together will ensure that the client or other user:
- Clearly understands why the information is needed
- Understands what it will be used for and what the consequences are should the client or other user decide not to give consent to processing
- As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
- Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
- Has received sufficient information on why their data is needed and how it will be used
Transforming Together will continue to hold the contact details of those who have expressed a legitimate interest in the work of TT by attending or enquiring about courses that TT operates or have worked with TT at some point and in so doing have provided their contact details.
5. Data Storage
Information and records relating to service users will be stored securely in locked filing cabinets and will only be accessible to the individual providing the service and to TT Management. Information will be stored for only as long as it is needed or required by statute as described by the TT Data Retention rules and will be disposed of appropriately.
6. Data Access and Accuracy
All clients and other users have the right to access the information Transforming Together holds about them. For clients this process is described in the Counselling Agreement, signed prior to counselling commencing. Transforming Together will also take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.
In addition, Transforming Together will ensure that:
- A member of the management team has responsibility for data management and processing
- Everyone processing personal information understands that they are responsible for following good data protection practice
- Everyone processing personal information is appropriately trained to do so
- Everyone processing personal information is appropriately supervised
- Anybody wanting to make enquiries about handling personal information knows what to do
- It deals promptly and courteously with any enquiries about handling personal information
- It describes clearly how it handles personal information
- It reviews and audits the ways it holds, manages and uses personal information
- It assesses and evaluates its methods and performance in relation to handling personal information
- All those working for Transforming Together are aware that a breach of the rules and procedures identified in this policy may lead to management sanctions.
This policy will be updated as necessary to reflect best practice in data management, security and control and to seek to ensure compliance with any changes or amendments made to the Data Protection Act 2018 and the General Data Protection Regulation.
In case of any queries or questions in relation to this policy please contact the Transforming Together Data Processor, Elaine Arthur by email to email@example.com or phone 07948 388266.