Forest of Dean Pink Elephant Project C.I.C.

Data Protection Policy

Contents

  1. Personal and Sensitive Information
  2. Counselling / Coaching
  3. Information Sharing
  4. Information Sharing Data Security
  5. Information and Storage Security
  6. Client Access to Notes
  7. Basic Data Protection Guidance
  8. Data Breach Incident management
  9. Storage and Disposal of Information
  10. Breach of Policy

1 Personal and Sensitive Information

Any personal information we hold must be treated as confidential and must not be shared unless consent is given. In counselling there may be times when information may be shared without consent (safeguarding and mental health concerns). Personal and sensitive information is defined as any information held in a professional capacity that enables a person’s identity to be established. This includes name, date of birth, address and NHS number. Please be mindful that combinations of post code and date of birth can also be considered as identification.

When we hold sensitive or confidential information this can impact an individual if lost or misdirected. Under the Data Protection Act sensitive and personal data can be defined as information about racial or ethnic origin, political opinions, religious belief, physical or mental health conditions, sexual life, offenses committed or alleged by the data subject or outcomes of such proceedings. Also included with this is financial information, commercial information security arrangements.

2 Counselling / Coaching

Everyone has the right to privacy and confidential treatment, which includes receiving counselling and coaching without other people knowing. A counsellor or coach may encourage the client to seek additional help and support during their therapy; however, this is not always safe or appropriate for them to do, and we must therefore respect this.

Confidentiality is extremely important to the development and building of the therapeutic alliance; material discussed in a counselling or coaching session will therefore be confidential in line with The Human Rights Act 1998.

3 Information Sharing

Forest of Dean Pink Elephant Project (FoD-PEP) reserves the right to share information if:

  • there is risk of serious harm to self or others
  • there is a report of abuse
  • there are acts of crime such as terrorism, drug trafficking, proceeds of crime, fraud etc.
  • counselling information is subpoenaed by law.

Whenever possible, counsellors seek consent to share information that is necessary and related to areas of concern, and will not include non-relevant sensitive information.

4 Information Sharing Data Security

Any communication which gives confidential or personally identifiable data such as date of birth, name or address will only be sent via secure and encrypted email.

5 Information and Storage Security

In accordance with the Data Protection Act (1998), permission will be gained when contracting with clients to store personal records. All feedback and evaluation material will be stored by referral / case file number to protect the client’s identity. All files will be locked and stored securely where only authorised administrative personnel will have access.

6 Client Access to Notes

Under the Data Protection Act (1998) clients can access their counselling records.

7 Basic Data Protection Guidance

  • Be sure to know whom you are communicating with and check identity.
  • Never disclose personal data to confirm the identity of a caller or the person they are enquiring about, as this will be disclosing information. Identity can be confirmed by asking the person to confirm their address, for example.

8 Data Breach Incident management

A data breach in any form must be reported to a FoD-PEP Director, and will then be reported to the designated person. This will generate an investigation into the lost data.

9 Storage and Disposal of Information

All material containing identifiable or confidential information must be kept secure at all times. Electronic identifiable data must be stored on devices that have adequate security measures in place. Encrypted email is used for referrals, which must be received by a password-protected secure source and destroyed once received.

Data retention:

Document Type                        Retention Period (years)
-----------------------------------  ----------------------------
Financial and Accounting Records     Financial year +6
Company Records (Companies House)    Indefinitely
Company Insurances                   Indefinitely
Personal Data                        No longer than is necessary
COSHH Records                        40 years
Accident Records                     3 years from date of incident

At the end of the retention period, data shall be securely destroyed.

10 Breach of Policy

  • Failure to manage information security places FoD-PEP at risk of breaching the Data Protection Act (1998). Everyone has responsibility for the safety and security of the information they process. Failure to comply with the terms of this policy may lead to disciplinary action against the individual concerned.

Data Protection Policy v1.1 15/11/2024
