Privacy policy.
GDPR Privacy Notice
This notice describes what personal data we collect from you and how we store and process it as part of the counselling services provided by Aberdeen Bespoke Counselling. In the course of our practice we will collect, process and store personal data as a data controller.
We would like to reassure you that we adhere to all laws and procedures relating to the General Data Protection Regulation (GDPR) (EU) 2016/679, Data Protection Act 2018 or other applicable data privacy legislation and will only use your personal data to provide you with the specific service or services you explicitly agree to. We are registered with the Information Commissioner’s Office (ICO) registration reference A8733021.
1. YOUR RIGHTS
the right to access: You may request a copy of your clinical file for free at any time by emailing us. Your records are identifiable, retrievable and intelligible as per GDPR requirements. We will comply within 30 days.
the right to rectification: You may update any of the information we hold for you at any time. We will amend them immediately.
the right to erasure: You may request that we erase your data. We will comply within 30 days unless we cannot for legal reasons.
the right to restrict processing: You may request that we restrict how we process your data. We will comply within 30 days unless we cannot for legal reasons.
the right to object to processing: You may object to us processing your data. We will comply within 30 days unless we cannot for legal reasons.
the right to data portability: Your data is retrievable and may be able to be moved if necessary.
the right to complain to a supervisory authority: If you believe we have contravened the GDPR, you may contact the ICO.
the right to withdraw consent: You may withdraw your consent for us to hold your information. We will comply immediately unless we cannot for legal reasons.
the right to request information about the existence of automated decision-making, including profiling.
the right to be notified if your personal data is rectified or erased, or processing is restricted, in accordance with the above.
2. DATA COLLECTION, PROCESSING & LEGAL BASIS
Below we have set out the categories of personal data and sensitive personal data (such as your genetic data or ethnic origin) we collect and how we process the data:
we will hold your contact information such as name, email address, telephone number, home address as well as your emergency contact’s details (“Contact Information”) which we will use to provide our services and communicate either with you or your emergency contact in a secure manner;
as a client, we will hold your biopsychosocial history and risk assessment data, other relevant medical history and ongoing information about your treatment and condition (“Medical Information”) which we will use in order to provide our services to you;
we may hold certain financial information of yours, such as debit or credit card details, in order for us to receive payment in exchange for providing our services to you (“Financial Information”);
a record of any correspondence or communication between you and us (“Communication Information”) which we will use to provide our services and communicate with you;
we may hold certain information about you in order to provide information about our services. This may include names, email addresses, phone numbers, addresses, and other information (“Marketing Information”) which we will use to market and promote our services.
We will process the Contact Information on the basis that you have consented to it (for one or more specific purposes), where the processing is necessary for us to comply with our obligations under a contract with you (for instance for the provision of our services to you as a client), or for our legitimate interests in providing services to you as a client or potential client. A legitimate interest in this context means a valid interest we have, or a third party has, in processing your personal data which is not overridden by your interests in data privacy and security.
Medical Information consists of sensitive personal data and will be processed on the basis that:
you have given your explicit consent to the processing;
it is necessary for the purposes of preventative or occupational medicine (i.e. to assess whether an employee is able to work, for medical diagnosis, to provide health or social care or treatment, or for the management of health or social care systems) on the basis of applicable law or pursuant to a contract with a health professional; or
it is necessary for the protection of your (or another person’s) vital interests, to the extent you are unable to provide consent (whether physically or legally).
We will process Financial Information on the basis of our legitimate interests (in providing services to you) or as necessary for the performance of a contract with you.
Communication Information will be processed on the basis of our legitimate interests (in providing our services to you).
Marketing Information will be processed on the basis of our legitimate interests (in providing services to you) or on the basis that you have consented to it.
In addition to the above, all information may also be processed on the basis that it is necessary to comply with a legal obligation to which we are subject.
Generally, we will collect information directly from you. If, for any reason, we obtain your personal data from any other third party, your privacy rights under this notice are not affected and you are still able to exercise the rights contained within this notice.
You do not have to supply any personal data to us; however, in practice we would be unable to provide our services to you without personal data (for instance, we will need contact information in order to communicate with you). You may withdraw our authority to process your personal data (or request that we restrict our processing) at any time, but there are circumstances in which we may need to continue to process personal data (please see below).
3. DISCLOSURE, DATA STORAGE & RETENTION
Who has access to your personal data?
We do not disclose any information you provide to any third parties other than as follows:
We may consult with other professionals involved in your treatment only with your explicit signed consent.
If we believe you or another person is at risk of being harmed e.g. if we are concerned that you are in serious danger of attempting or completing suicide, in imminent danger or temporarily unable to take responsibility for your actions, we would advise the relevant emergency authorities and/or your doctor and/or your nominated emergency contact. Any decision to break confidentiality would not be taken lightly. We will usually consult with a colleague, the clinical supervisor and where possible, advise you as well. You have an ethical and legal right to know the importance of and/or see what is being said about you if you wish and we will make every effort to include you in the process except in circumstances where it would harm you or others to inform you (e.g. child protection situations, mental incapacity, terrorism).
We may discuss our work in a general way with the clinical supervisor and supervision group in order to maintain high standards of practice. We will never use names or personally identifiable details.
We do not participate in forums, listservs, relevant online groups and other opportunities to collaborate and consult with other professionals in order to further our training and skill set. We do not share names or identifying details.
Your name may be contained in financial records and our online diary. It is possible that third parties may have access to those records, for example, an accountant, tax adviser, legal adviser or administrative assistant.
We may be required to disclose some of your personal data to your health insurance company. For instance, if we invoice your health insurance company directly in respect of your treatment, we may be required to provide certain information including your Contact Information, appointment and attendance dates, progress notices and the applicable consultation or treatment fee.
If an accident, illness or our passing prevents your practitioner from being able to contact you, we have nominated a trusted colleague who will be able to access the practitioner’s client list and contact you if necessary. We have documented the procedure to follow in a clinical will and you will be provided with necessary referrals. They will destroy personal and sensitive data and archive clinical notes safely at the appropriate time in line with GDPR requirements.
from time to time we may transfer personal data to our processors or sub-processors and other service and technology providers;
we may be required to disclose certain data to regulators or other lawful authorities;
if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
in order to enforce any terms and conditions or agreements for our services that may apply;
as necessary in order to protect both our and your rights, property and safety (for instance in relation to fraud protection).
What happens if there is a data breach?
Although we take measures to protect your data, information can be intercepted and breaches can occur. If there is a data breach, we will follow the regulations set out in Article 33 of the GDPR. This includes notifying the ICO of the nature and consequences of the breach within 72 hours, and any measures we have taken to address it, unless the personal data breach is unlikely to result in high risk to your rights and freedoms. We will also notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
How long is your personal data stored for?
We review the personal data (and the categories of personal data) we hold on a regular basis to ensure the data is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to update, correct or securely delete this data as may be required. Generally, we will aim to review all personal data held by us every 12 months.
Except where you explicitly agree otherwise or there is a legal reason for us to continue storing it, your Contact Information, Financial Information, Communication Information and any other information not specifically mentioned in this section or privacy notice will be stored securely for a period of 5 years from receipt of the data or after your final session with Aberdeen Bespoke Counselling.
Marketing Information (such as names, telephone numbers and email address) will be stored for up to 12 months from the date on which you last interacted with us.
Medical Information will be stored securely for a minimum period of 5 years from the date of your last session with the practice, or for as long as is required under relevant law, regulation, policy, practice or procedure.
4. SECURITY
We will take reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and to protect against unlawful access, accidental loss or damage. These measures may include (as necessary):
protecting our servers with software firewalls;
locating our data processing storage facilities in secure locations;
encrypting all data stored on our server with an industry standard encryption method that encrypts the data between your computer and our server so that in the event of your network being insecure no data is passed in a format that could easily be deciphered;
securely disposing of or deleting your data;
regularly backing up and encrypting all data we hold.
We will take reasonable steps to ensure that we and our staff are aware of their privacy and data security obligations.
5. INTERNATIONAL TRANSFERS
We may occasionally conduct online counselling from outside of the UK or European Economic Area (“EEA”). In this case, your personal data may be transferred outside the EEA. Your personal data may also be transferred where some of our service providers (such as hosting service provider) are based outside of the EEA and in this instance, we will ensure that we have an agreement with such service providers to provide adequate safeguards and a copy of such agreements or information as to what these safeguards are will be made available.
6. THIRD PARTY SERVICES
Our site may contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
7. NOTIFICATION OF CHANGES TO THE CONTENTS OF THIS NOTICE
We will post details of any changes to our policy on the website to help ensure you are always aware of the information we collect, use, and in what circumstances, if any, we share it with other parties. Please check on the website regularly for any updates.
8. CONSENT
Please tick one box and sign below. Please discuss any concerns with us and we will try to accommodate your needs.
□ “I give consent for Aberdeen Bespoke Counselling to collect, process, store and erase my personal data as set out in this Privacy Notice only to the extent that my consent is required pursuant to this Privacy Notice.”
□ “I do not give consent for Aberdeen Bespoke Counselling to collect, process, store and erase my personal data as set out in this Privacy Notice to the extent that my consent is required pursuant to this Privacy Notice.”