‘Us’, ‘Our’, ‘We’, ‘ECCP’ or ‘the Service’ refers to Elizabeth Clarke Counselling & Psychotherapy.
‘Case notes’ is used to mean a written summary of the information which was discussed and/or details of agreed actions within a Therapy or Clinical Supervision session.
‘GDPR’ refers to the General Data Protection Regulation (Regulation (EU) 2016/679).
‘Data Controller’ is the organisation that determines the purposes and means of processing personal data.
‘Data Processor’ is the person/organisation responsible for processing personal data on behalf of a controller.
‘Personal Data’ is information that relates to an identified or identifiable individual.
‘Therapist’ is used to mean specifically counsellors and psychotherapists.
‘Therapy’ is used to mean specifically counselling and psychotherapy sessions.
‘Therapeutic services’ is used generically to include the practice of Counselling, Psychotherapy and Clinical supervision.
2. Contact details
Elizabeth Clarke Counselling & Psychotherapy is the Data Controller of the personal information that you provide to us, unless stated otherwise. You can contact us by telephone, email, or post.
Postal address: Elizabeth Clarke, c/o Rooms To Talk Ltd, 62 High Street, Stony Stratford, Milton Keynes, MK11 1AQ.
This privacy notice tells you what to expect us to do with your personal data when you make contact with us or use one of our services. Your privacy is a top priority for us. We aim to be transparent and use straightforward language so that you can make informed decisions about your personal information. We will update this privacy notice regularly to ensure it continues to comply with best practice and the latest regulations, so do check back from time to time. This edition of the privacy notice was published on the website on 1 June 2018.
4. Purpose and lawful basis for processing
Our purpose is to provide health care in the form of therapeutic services i.e. Counselling, Psychotherapy and Clinical supervision.
The lawful bases we rely on to process your personal data are:
- Article 6(1)(b) recital 44 of the GDPR, which allows us to process personal data when this is necessary to fulfil our contract of providing therapeutic services.
- Article 6(1)(b) recital 47, 48 & 49 of the GDPR, which allows us to process personal data for the purpose of legitimate interests. The very nature of therapeutic services is to provide a space whereby clients/supervisees can explore personal information about their circumstances. As clinicians we are expected to keep records of each session as part of maintaining our professional standards, as well as to support any professional conduct / complaints procedures.
Given our work involves processing special category data, such as health, religious, trade union, ethnic information, sex life or sexual orientation information etc., we need to also provide lawful bases for this specifically.
5. Types of data we need
We collect personal data to provide our therapeutic services and to inform our development of new and improved products to continue to meet our clients’ needs.
a) Basic personal data
Your name, contact telephone number(s), email address and contact address will be processed for the following business purposes:
- Communicating by text, email or telephone regarding business or therapeutic services.
- Processing electronic payments.
- Sending invoices and/or receipts.
- Sending booking reminders/confirmations.
- Maintaining accounting records.
Anonymised data is used to improve the effectiveness of service.
b) Sensitive data & case notes
Sensitive data about you and your circumstances may be processed electronically to assess your suitability for our services for the purpose of contracting.
Sessional case notes contain brief information about the issues that you are facing in your personal or professional life and any actions agreed on a session by session basis.
We need to keep records of this data to:
- Identify problems and support you in managing them.
- Monitor our effectiveness.
- Comply with professional standards.
6. How do we get personal data?
a) Referrals to the service
Most of the personal data we process is provided to us directly by you for one of the following reasons:
- You have made an email, website, text or telephone enquiry to us.
- You have contacted us via an online directory for therapeutic services.
- You have applied to or are providing a service to us.
We also receive personal data indirectly, in the following scenarios:
- We have been given your information by an organisation, insurance company, or employee assistance programme provider for the purposes of providing therapeutic services on their behalf.
- A company or public organisation has referred you to us for therapeutic services.
- A friend or family member has contacted us on your behalf.
In these cases, wherever possible, we’ll contact you to let you know we are processing your personal data.
b) Visitors to our website
If we do collect personal data through our website, we’ll be upfront about this. We’ll make it clear when we collect personal information and we’ll explain what we intend to do with it.
We use Google Analytics, a third party service, on our website to collect details of visitor patterns of behaviour and internet log information to help us improve the effectiveness of the website. Information is processed anonymously, and we do not attempt to find out the identities of our visitors. We use Google Analytics so that we can continually improve our service - read the Google Analytics privacy notice.
We use Webhealer as the content management system for our website. If you fill in a form on our website, that data will be temporarily stored on the web host before being sent to us - read the Webhealer privacy notice.
7. Confidentiality and sharing your data
a) Therapy & Clinical Supervision
All information you provide to the Service and the content of all therapy and supervision sessions are treated as highly confidential except for the following exceptions:
- You consent for us to share details about yourself to a third party, for example in the event of being referred to another professional / service, or as part of a contract as a counselling trainee.
- To maintain professional standards all Counsellors, Psychotherapists and Supervisors are required to undertake mandatory clinical supervision. This will involve discussing anonymised case material about clients and supervisees.
- In the event of the incapacity or death of the Service provider, your contact details (name, address, email address, contact telephone number(s)) will be passed to a Clinical Executor to notify you of the event, and then will be deleted. All case notes will subsequently be deleted.
- If you have been referred to us via your workplace, an insurer, Employee Assistance Programme (EAP) or another organisation, there may be a requirement to share reports or attendance data.
- In exceptional circumstances we reserve the right to break confidentiality without your consent. These are only when there has been a court subpoena, where there appears to be a serious and imminent risk to your own or others’ safety (in the public’s interest), or if we are made aware of serious illegal activities (under The Terrorism Act 2000, Drug Trafficking Act 1994, Proceeds of Crime Act 2002 or the Money Laundering Regulations 2007, Road Traffic Act 1991, Children Act 1989, Serious Crime Act 2007, and/or The Female Genital Mutilation Act 2003).
Where appropriate we would seek to speak with you first before contacting anyone else. Please ask if you require further clarification on this policy.
b) Business processes
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us such as accountants, payment processing, IT and administration services. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
8. How long we keep your data
Personal data may only be retained for as long as necessary for the purpose of processing as follows:
- Enquiries made to the Service either via the telephone, or sent electronically, will be processed and stored electronically for a minimum of 6 months. If therapeutic services are not contracted within this time frame, details of correspondence will be deleted unless expressed consent is given to hold the data for a longer period of time.
- Case notes (date, summary of what was discussed) and details of correspondence will be kept for a minimum of 3 years after the last session took place, unless there is a requirement from the client or referring organisation to hold them for longer which will be discussed with you at the point of contracting. After this time, the records will be deleted.
- Records relating to sales and payment transactions (including name, address and/or email address, contact telephone number(s), time, date, location, fee and duration of sessions) will be kept for a minimum of 6 years in compliance with HMRC requirements.
- Anonymised records (case number, date, duration, location) will be kept indefinitely for professional accreditation purposes.
9. How and where your data is stored
Our principal data management systems are Bac-pac for case notes, and Timely for booking details, confirmations and reminders. These systems enable us to efficiently store any information about our clients and other stakeholders in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. They also simplify our responsibilities for data retention and subject access requests.
Our software services shall not transfer data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
10. Your rights
Under GDPR you have rights as an individual which we need to make you aware of. You may be able to exercise all/some of these rights in relation to the information we hold about you. These rights are:
- Your right of access: You have the right to ask us for a copy of your personal information. This right always applies but there are some exemptions.
- Your right to rectification: You have the right to ask us to rectify information you think is inaccurate or complete information you think is incomplete.
- Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing: You have the right to object to processing in certain circumstances.
- Your right to data portability: This only applies to information you have given us. This right also only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
You can read more about these rights on the ICO's website.
We take our security seriously, and whilst it is not possible to 100% protect against a data-breach, we take the following precautions to minimise risks:
- Provide a HTTP Secure website at https://www.elizabethclarke.com.
- Use personal firewall software to protect our internet connection as well as using boundary firewalls where available.
- Ensure all devices are password protected.
- Have enabled the ability to remotely wipe devices if lost or stolen.
- Use Password storage software so we can use stronger passwords.
- Use two-factor authentication for extra security for Password Storage and Case Note storage software.
- Control access to software through different level user accounts; administration privileges are only given to those that need them.
- Only use software from approved stores.
- Use anti-malware software, and keep all software up-to-date.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that occur accidentally and deliberately.
Should we experience a breach, and the breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform those concerned directly and without undue delay.
12. Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. Please read the privacy notices on the other websites you visit. This same principle also applies to websites that you have visited before you visited this website.
13. Main third party services and data processors
You can find below the privacy notices and security standards for the main third party software providers and data processors which are used by ECCP.