I am registered as the Data Controller for my business: Heron Counselling with the Information Commissioner’s Office (ICO), registration number ZA469597.
‘Data controller’ is the term used to describe the person/organisation that collects and stores and has responsibility for people’s personal data. In this instance, the data controller is me.
Your privacy is very important to me and you can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to me.
This privacy notice tells you what I will do with your personal information from the initial point of contact via my website through to after your therapy has ended.
I am happy to chat through any questions you might have about my data protection policy. You can contact me via my e-mail address to arrange a time: firstname.lastname@example.org
- This is a notice to inform you of my policy about all information that I record about you. It sets out the conditions under which I may process any information that I collect from you, or that you provide to me. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.
- I regret that if there are one or more points below with which you are not happy, your only recourse is to leave my website immediately, and we will not be able to work together.
- I take seriously the protection of your privacy and confidentiality. I understand that all my clients and visitors to my website are entitled to know that their personal data will not be used for any purpose unintended by them and that it will not accidentally fall into the hands of a third party.
- I undertake to preserve the confidentiality of all information you provide to me and hope that you agree to preserve confidentiality in turn.
- My policy complies with UK law accordingly implemented, including that required by the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- The law requires me to tell you about your rights and my obligations to you in regards to the processing and control of your personal data. I do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org
- Except as set out below, I do not share, or sell, or disclose to a third party, any information collected through my website or through our work together.
The bases on which I process information about you
The law requires me to determine under which of six defined bases I process different categories of your personal information, and to notify you of the basis for each category.
If a basis on which I process your personal information is no longer relevant then I shall immediately stop processing your data.
If the basis changes then if required by law I shall notify you of the change and of any new basis under which I have determined that I can continue to process your information.
- Information I process because I have a contract with you
When you become my client, a contract is formed between you and me.
The service I provide to you as a client requires that you provide me with personal information.
I process this information on the basis that there is a contract between us, or that you have requested I use the information before we enter into a legal contract.
Additionally, I may aggregate this information generally to use it to provide ‘class information’, for example, to monitor the performance of a particular service I provide. If I use it for this purpose, you as an individual will not be personally identifiable.
I shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.
- Information I process with your consent
Through certain actions when otherwise there is no contractual relationship between us, such as when you browse my website or ask me to provide you more information about my services, you provide your consent to me to process information that may be personal information.
Wherever possible, I aim to obtain your explicit consent to process this information.
Sometimes you might give your consent implicitly, such as when you write to me requesting a response.
Except where you have consented to my use of your information for a specific purpose, I do not use your information in any way that would identify you personally. I may aggregate it in a general way and use it to provide class information.
I continue to process your information on this basis until you withdraw your consent or it can be reasonably assumed that your consent no longer exists.
You may withdraw your consent at any time by writing to me at my registered office or by e-mail at email@example.com. If you do so, I shall not be able to provide my services further.
- Information I process for the purposes of legitimate interests
I may process information on the basis there is a legitimate interest, either to you or to me, of doing so.
Where I process your information on this basis, I do so after having given careful consideration to:
- whether I could achieve the same objective by other means
- whether processing (or not processing) might cause you harm
- whether you would expect me to process your data, and whether you would consider it reasonable to do so
For example, I may process your data on this basis for the purposes of:
- Record-keeping for the proper and necessary administration of my business
- Protecting and asserting your rights, my rights, or the rights of any other third party
- Insuring against or obtaining professional advice required to manage business risk
- ·Protecting your interests where I believe I have a duty to do so
4. Information I process because I have a legal obligation
I am subject to the law like everyone else. Sometimes, I must process your information in order to comply with a statutory obligation.
I may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. This may include your personal information.
Specific uses of information you provide to me
- Information relating to your method of payment
Your debit or credit card number and other payment information are never taken by me or transferred to me either through my website or otherwise. (I do not currently take payment this way but may introduce this in the future).
When you pay me by bank transfer, you may be identifiable by name in my bank account and statements. Payments into my bank account are automatically downloaded into my accounting software administered by my Bookkeeper, you may also be identifiable by name here.
- Contacting me
When you contact me, whether by telephone, by post, through my website, via my social media page(s), by e-mail or via a professional directory, I collect the data you have given to me in order to reply with the information you need.
I may keep personally identifiable information associated with your messages, such as your name and email address so as to be able to track my communications with you to provide a good service.
When I receive a complaint, I record all the information you have given to me.
I use that information to resolve your complaint.
If your complaint reasonably requires me to contact some other person, I may decide to give to that other person some of the information contained in your complaint. I do this as infrequently as possible, but it is a matter for my sole discretion as to whether I do give information, and if I do, what that information is.
I may also compile statistics showing information obtained from this source to assess the level of service I provide, but not in a way that could identify you or any other person.
If you complain about any of the content on my website or in any leaflet, I shall investigate your complaint. If I feel it is justified or if I believe the law requires me to do so, I shall remove the content while I investigate.
If I think your complaint is vexatious or without any basis, I shall not correspond with you about it.
Use of information I collect through automated systems when you visit my website
Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved.
Some cookies may last for a defined period of time, such as one day or until you close your browser. Others last indefinitely.
Your web browser should allow you to delete any you choose. It also should allow you to prevent or limit their use.
If you prevent their use through your browser settings, you may not be able to use all the functionality of my website. I would advise you to disable cookies on your internet browser regularly. Please see www.youronlinechoices.com/uk for information about cookies and www.aboutcookies.org for advice about deleting and managing cookies.
8.1. to track how you use my website
8.2. to record whether you have seen specific messages I display on my website
8.3. to keep you signed in my site
8.4. to record your answers to surveys and questionnaires on my site while you complete them
8.5. to record the conversation thread during a live chat.
- Personal identifiers from your browsing activity
My website is hosted by a hosting service, WordPress. Requests by your web browser may be recorded by that hosting service.
Information such as your geographical location, your Internet service provider and your IP address, may be recorded, as well as information about the software you are using to browse my website, such as the type of computer or device and the screen resolution.
This information is used in aggregate to assess the popularity of the webpages on my website and how I perform in providing content to you.
If combined with other information gained about you from previous visits, the data possibly could be used to identify you personally, even if you are not signed in to my website.
Disclosure and sharing of your information
- Credit reference
To assist in combating fraud, I may share information with credit reference agencies, so far as it relates to clients or customers who instruct their credit card issuer to cancel payment to me without having first provided an acceptable reason to me and given me the opportunity to refund money.
- Clinical will
In the event of my death or incapacitation through illness, a nominated contact will receive access to the name and contact details only of any clients with whom I have a current counselling relationship, so that they can inform them.
- Third-party access to your information
Third parties may hold access to information gained through our communications together. This might include information gained through cookies or your browsing activity (as in points 8 and 9), information from phone contact between us, information about payments (as in point 5), and information derived from our work online via email and video-conference / instant messaging software. This will normally relate to times and durations of communication rather than content.
12.1 Contract and Forms for signature and personal data – Third-Party Software
If you decide to work with me as your therapist I will ask you to complete forms with your personal data and sign a contract at the start of our relationship. If we are working online this request may be automated via third-party digital signature software.
- Access to your personal information
13.1. At any time you may review or update or request that I remove personally identifiable information that I hold about you. To obtain a copy of any information that is not provided on my website you may send me a request at:
13.2. After receiving the request, I will tell you when I expect to provide you with the information, and whether I require any fee for providing it to you.
13.3. When I receive any request to access, edit or delete personal identifiable information I shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
14.2. If a dispute is not settled then I hope you will agree to attempt to resolve it by engaging in good faith with me in a process of mediation or arbitration.
14.3. If you are in any way dissatisfied about how I process your personal information, you have a right to lodge a complaint with the Information Commissioner’s Office. This can be done at https://ico.org.uk/concerns/
- Storage of information
I store your information in one of 3 places – in the cloud or in one of 2 lockable filing cabinets designated A and B for the purposes of this document.
15.1 If you return your signed and completed contract and contact documentation to me in paper form, I file this in locked filing cabinet A.
If your signed and completed contract and contact documentation have been returned to me via third party digital signature software I store this in the cloud. Any invoices or receipts are stored in the cloud, In this instance, I print off your contact information including your emergency contact information and file this in locked filing cabinet A.
Attendance records, session notes, printed anonymised emails and assessment notes are coded and stored in a separate locked filing cabinet B.
15.2 I keep your email address in the video conferencing/messaging software, and in my email account. These are both password protected.
15.3 I keep your phone number on my mobile phone using your initials. My phone is password protected.
- Retention period for personal data
Except as otherwise mentioned in this privacy notice, I keep your personal information only for as long as required by me:
16.1. to provide you with the services you have requested;
16.2. to comply with other laws, including for the period demanded by relevant tax authorities;
16.3. to support a claim or defence in court.
I normally retain client records for 7 years after the end of the counselling relationship, or when your final accounts are settled, unless one of the points above would require me to keep them longer.
- Compliance with the law
I may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on my website on the day you use my website. I advise you to print a copy for your records.
Data Controller: Jacqui Whittingham
Email address: firstname.lastname@example.org
Last updated 05/06/202