INTERNAL GDPR
Record of Data Processing Activities including Retention Schedule
This document sets out how Beth Kelsall Counselling (“we”) processes personal data for which we are the data controller. It is prepared in accordance with Article 30 of the EU General Data Protection Regulation (GDPR) and the UK GDPR. For the purposes of this document, “UK GDPR” means the GDPR as adopted into the law of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018, as amended by the Data Protection Act 2018 and any successor regulation or law.
We will provide this record to a relevant appropriate supervisory authority on request as required by Article 30.
NAME AND DETAILS OF THE DATA CONTROLLER
Name: Beth Kelsall Counselling
Registered address (as on Companies House): Sowerbys Accountants, Beckside Court, Annie Reed Road, Beverley, East Yorkshire, HU17 0LF
Therapy practice: Blue Frog Therapy Rooms, 38 Bootham, York, YO30 7BL
Website: www.bethkelsallcounselling.com
CATEGORIES OF PERSONAL DATA
We collect the following categories of personal data about the data subjects listed above:
From our clients:
- we will hold their contact information such as name, email address, telephone number, home address as well as their emergency contact’s details (“Contact Information”) which we will use to provide our services and communicate either with them or their emergency contact in a secure manner;
- as a patient, we will hold their biopsychosocial history and risk assessment data, other relevant medical history and ongoing information about their treatment and condition (“Medical Information”) which we will use in order to provide our services to them;
- we may hold certain financial information of theirs, such as debit or credit card details, in order for us to receive payment in exchange for providing our services to them (“Financial Information”);
- a record of any correspondence or communication between them and us (“Communication Information”) which we will use to provide our services and communicate with them;
- we may hold certain information about them in order to provide information about our services. This may include names, email addresses, phone numbers, addresses, and other information (“Marketing Information”) which we will use to market and promote our services.
PURPOSES OF DATA PROCESSING
We collect and process personal data about the data subjects listed above for the following purposes:
In respect of personal data held about our patients or users of our services:
- We will process the Contact Information on the basis that they have consented to it (for one or more specific purposes), where the processing is necessary for us to comply with our obligations under a contract with them (for instance for the provision of our services to them as a client) or for our legitimate interests in providing services to them as a client or potential client. A legitimate interest in this context means a valid interest we have, or a third party has, in processing their personal data which is not overridden by their interests in data privacy and security.
- Medical Information consists of sensitive personal data and will be processed on the basis that:
  - you have given your explicit consent to the processing;
  - it is necessary for the protection of your (or another person’s) vital interests, to the extent you are unable to provide consent (whether physically or legally); or
  - otherwise in accordance with applicable laws and regulations.
- We will process Financial Information on the basis of our legitimate interests (in providing services to them) or as necessary for the performance of a contract with them.
- Communication Information will be processed on the basis of our legitimate interests (in providing our services to them).
- Marketing Information will be processed on the basis of our legitimate interests (in providing services to them) or on the basis that they have consented to it.
- In addition to the above, all information may also be processed on the basis that it is necessary to comply with a legal obligation to which we are subject.
CATEGORIES OF PERSONAL DATA RECIPIENTS
We disclose personal data to the following categories of recipients, some of which may be based outside of the UK or European Economic Area (EEA):
In respect of personal data held about our patients or users of our services:
- We may consult with other professionals involved in their treatment only with their explicit signed consent.
- If we believe they or another person is at risk of being harmed, e.g. if we are concerned that they are in serious danger of dying by suicide, in imminent danger or temporarily unable to take responsibility for their actions, we would advise the relevant emergency authorities and/or their doctor and/or their nominated emergency contact. Any decision to break confidentiality would not be taken lightly. We will usually consult with a colleague or clinical supervisor and, where possible, advise them as well.
- If an accident, illness or our passing prevents us from being able to contact them, we have nominated a trusted colleague/supervisor who will be able to access the therapist’s client list and contact them if necessary. We have documented the procedure to follow in a clinical will and they will be provided with necessary referrals.
- We may be required to disclose certain data to regulators or other lawful authorities.
- If we are under a duty to disclose or share their personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime).
- In order to enforce any terms and conditions or agreements for our services that may apply.
- As necessary in order to protect both our and their rights, property and safety (for instance in relation to fraud protection).
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
We will take reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from them and to protect against unlawful access, accidental loss or damage. These measures may include (as necessary):
- protecting our servers with software firewalls;
- locating our data processing storage facilities in secure locations;
- encrypting all data stored on our server with an industry standard encryption method that encrypts the data between their computer and our server, so that in the event of their network being insecure no data is passed in a format that could easily be deciphered;
- securely disposing of or deleting their data;
- regularly backing up and encrypting all data we hold.
We will take reasonable steps to ensure that we and our staff are aware of their privacy and data security obligations.
PERSONAL DATA RETENTION PERIODS
Except as otherwise permitted or required by applicable law or regulation, we only retain personal data for as long as necessary to fulfil the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for processing the personal data, whether the employer can fulfil the purposes of processing by other means, and any applicable legal requirements.
Our current retention periods in relation to a patient’s or user of our services’ personal data are as follows:
Except where they explicitly agree otherwise or there is legal reason for us to continue storing it, their Contact Information, Financial Information, Communication Information and any other information not specifically mentioned in this section or privacy notice will be stored securely for a period of seven years from receipt of the data or after their final session with Beth Kelsall Counselling.
Medical Information will be stored securely for a minimum period of seven years from receipt of the data, or for as long as is required under relevant law, regulation, policy, practice or procedure.