‘Us’, ‘Our’, ‘We’, ‘ECCP’ or ‘the Service’ refers to Reflect. Change. Be. Psychotherapy, Counselling & Supervision.
‘Case notes’ is used to mean a written summary of the information which was discussed and/or details of agreed actions within a Therapy or Clinical Supervision session.
‘GDPR’ refers to General Data Protection Regulation (GDPR).
‘Data Controller’ is the organisation that determines the purposes and means of processing personal data.
‘Data Processor’ is the person/organisation responsible for processing personal data on behalf of a controller.
‘Personal Data’ is information that relates to an identified or identifiable individual.
‘Therapist’ is used to mean specifically counsellors and psychotherapists.
‘Therapy’ is used to mean specifically counselling and psychotherapy sessions.
‘Therapeutic services’ is used generically to include the practice of Counselling, Psychotherapy, EMDR and Clinical supervision.
2. Contact details
Elizabeth Clarke of Reflect.Change.Be. is the Data Controller of the personal information that you provide to us unless stated otherwise. You can contact us by telephone, email, or post.
Postal address: Elizabeth Clarke, Office 1 Willow Court, 64 St Mary’s Road, Market Harborough, LE16 7DU.
This privacy notice tells you what to expect us to do with your personal data when you make contact with us or use one of our services. Your privacy is a top priority for us. We aim to be transparent and use straightforward language so that you can make informed decisions about your personal information. We will update this privacy notice regularly to ensure it continues to comply with best practice and the latest regulations, so do check back from time to time. This edition of the privacy notice was published on the website on 6 January 2022.
4. Purpose and lawful basis for processing
Our purpose is to provide health care in the form of therapeutic services i.e. Counselling, Psychotherapy and Clinical Supervision.
The lawful bases we rely on to process your personal data are:
- Article 6(1)(b) recital 44 of the GDPR, which allows us to process personal data when this is necessary to fulfil our contract of providing therapeutic services.
- Article 6(1)(b) recital 47, 48 & 49 of the GDPR, which allows us to process personal data for legitimate interests. The very nature of therapeutic services is to provide a space whereby clients/supervisees can explore personal information about their circumstances. As clinicians, we are expected to keep records of each session as part of maintaining our professional standards, as well as to support any professional conduct/complaints procedures.
Given our work involves processing special category data, such as health, religion, trade union, ethnic information, sex life or sexual orientation information etc., we need to also provide lawful bases for this specifically.
- The lawful basis we generally rely on to process special category data is explicit consent (Article 9(2) recital 51(a) of the GDPR).
- Should special category data be disclosed by the client which would need to be disclosed to a third party without your consent due to substantial public interest, we would rely on substantial public interest as the lawful basis (Article 9(2) recital 51(g) of the GDPR).
- Should special category data need to be processed to protect the vital interests of the client or of another natural person where the data subject is physically or legally incapable of giving consent, we would rely on the lawful basis of vital interests (Article 9(2) recital 51(c) of the GDPR). An example of this is clinical supervision.
- Lastly, in the case of having to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity, we would rely on the lawful basis of legal obligation (Article 9(2) recital 51(f) of the GDPR) for processing relevant special category data.
5. Types of data we need
We collect personal data to provide our therapeutic services and to inform our development of new and improved products to continue to meet our clients’ needs.
a) Basic personal data
Your name, contact telephone number(s), email address and contact address will be processed for the following business purposes:
- Communicating by text, email, video call or telephone regarding business or therapeutic services.
- Processing electronic payments.
- Sending invoices and/or receipts.
- Sending booking reminders/confirmations.
- Maintaining accounting records.
Anonymised data is used to improve the effectiveness of service.
b) Sensitive data & case notes
Sensitive data about you and your circumstances may be processed electronically to assess your suitability to contract for our services.
Sessional case notes contain brief information about the issues that you are facing in your personal or professional life and any actions agreed on a session by session basis.
We need to keep records of this data to:
- Identify problems and support you in managing them.
- Monitor our effectiveness.
- Comply with professional standards.
6. How do we get personal data?
a) Referrals to the service
Most of the personal data we process is provided to us directly by you for one of the following reasons:
- You have made an email, website, text or telephone enquiry to us.
- You have contacted us via an online directory for therapeutic services.
- You have applied to or are providing a service to us.
We also receive personal data indirectly, in the following scenarios:
- We have been given your information by an organisation, insurance company, or employee assistance programme provider for the purposes of providing therapeutic services on their behalf.
- A company or public organisation has referred you to us for therapeutic services.
- A friend or family member has contacted us on your behalf.
In these cases, wherever possible, we’ll contact you to let you know we are processing your personal data.
b) Communicating with us digitally
There may be a reason to communicate with us digitally, for example, sending a text message or an email to change an appointment time or we may contact you to request some information. Communication like this would involve processing some level of personal data. Similarly, if you choose to have a session as a video call (telehealth) or over the telephone, this would also be classed as processing your data.
c) Visitors to our website
If we do collect personal data through our website, we’ll be upfront about this. We’ll make it clear when we collect personal information and we’ll explain what we intend to do with it.
We use Google Analytics, a third-party service, on our website to collect details of visitor patterns of behaviour and internet log information to help us improve the effectiveness of the website. Information is processed anonymously, and we do not attempt to find out the identities of our visitors. We use Google Analytics so that we can continually improve our service – read the Google Analytics privacy notice.
We use WordPress as the content management system for our website. If you fill in a form on our website, that data will be stored on the web host before being sent to us.
7. Confidentiality and sharing your data
a) Therapy & Clinical Supervision
All information you provide to the Service and the content of all therapy and supervision sessions are treated as highly confidential except for the following exceptions:
- You consent for us to share details about yourself with a third party, for example in the event of being referred to another professional / service, or as part of a contract as a counselling trainee.
- To maintain professional standards all Counsellors, Psychotherapists and Supervisors are required to undertake mandatory clinical supervision. This will involve discussing anonymised case material about clients and supervisees.
- In the event of the incapacity or death of the Service provider, your contact details (name, address, email address, contact telephone number(s)) will be passed to a Clinical Executor to notify you of the event, and then will be deleted. All case notes will subsequently be deleted.
- If you have been referred to us via your workplace, an insurer, Employee Assistance Programme (EAP) or another organisation, there may be a requirement to share reports or attendance data.
- In exceptional circumstances, we reserve the right to break confidentiality without your consent. These are only when there has been a court subpoena, where there appears to be a serious and imminent risk to your own or others’ safety (in the Public’s interest), or if we are made aware of serious illegal activities (under The Terrorism Act 2000, Drug Trafficking Act 1994, Proceeds of Crime Act 2002 or the Money Laundering Regulations 2007, Road Traffic Act 1991, Children Act 1989, Serious Crime Act 2007, and/or The Female Genital Mutilation Act 2003).
Where appropriate we would seek to speak with you first before contacting anyone else. Please ask if you require further clarification on this policy.
b) Business processes
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us such as telehealth providers, accountants, payment processing, IT and administration services. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
8. How long we keep your data
Personal data may only be retained for as long as necessary for the purpose of processing as follows:
- Enquiries made to the Service either via the telephone, or sent electronically, will be processed and stored electronically for a minimum of 6 months. If therapeutic services are not contracted within this time frame, details of correspondence will be deleted unless expressed consent is given to hold the data for a longer period of time.
- Case notes (date, summary of what was discussed) and details of correspondence will be kept for a minimum of 3 years after the last session took place, unless there is a requirement from the client or referring organisation to hold them for longer which will be discussed with you at the point of contracting. After this time, the records will be deleted.
- Records relating to sales and payment transactions (including name, address and/or email address, contact telephone number(s), time, date, location, fee and duration of sessions) will be kept for a minimum of 6 years in compliance with HMRC requirements.
- Anonymised records (case number, date, duration, location) will be kept indefinitely for professional accreditation purposes.
9. How and where your data is stored
Our principal data management system is Cliniko for case notes, video calls, booking details, confirmations and reminders. This system enables us to efficiently store any information about our clients and other stakeholders in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. It also simplifies our responsibilities for data retention and subject access requests. For details of the other software we use, please see Section 13.
Our software services shall not transfer data outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
10. Your rights
Under GDPR you have rights as an individual which we need to make you aware of. You may be able to exercise all/some of these rights in relation to the information we hold about you. These rights are:
- Your right of access: You have the right to ask us for a copy of your personal information. This right always applies but there are some exemptions.
- Your right to rectification: You have the right to ask us to rectify information you think is inaccurate or complete information you think is incomplete.
- Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing: You have the right to object to processing in certain circumstances.
- Your right to data portability: This only applies to information you have given us. This right also only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
You can read more about these rights on the ICO’s website.
We take our security seriously, and whilst it is not possible to protect 100% against a data breach, we take the following precautions to minimise risks:
- Provide a HTTP Secure website at https://reflectchangebe.com.
- Use personal firewall software to protect our internet connection as well as using boundary firewalls where available.
- Ensure all devices are password protected.
- Have enabled the ability to remotely wipe devices if lost or stolen.
- Use Password storage software so we can use stronger passwords.
- Use two-factor authentication for extra security for Password Storage and Case Note storage software.
- Control access to software through different level user accounts; administration privileges are only given to those that need them.
- Only use software from approved stores.
- Use anti-malware software, and keep all software up-to-date.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that occur accidentally and deliberately.
Should we experience a breach, and the breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform those concerned directly and without undue delay.
12. Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. Please read the privacy notices on the other websites you visit. This same principle also applies to websites that you have visited before you visited this website.
13. Main third party services and data processors
You can find below the privacy notices and security standards for the main third party software providers and data processors which are used by Reflect. Change. Be.
- Dropbox: Privacy Notice & Security Standards
- Healthcode: Privacy Notice & Security Standards
- PayPal: Privacy Notice & Security Standards
- Square: Privacy Notice & Security Standards
- Front: Privacy Notice & Security Standards
- Xero: Privacy Notice & Security Standards