Table of Contents
- Review Status
- Who is responsible for Data Protection?
- Status of this Policy and the implications of breach
- Data protection laws
- Your main obligations
Assessment Date: 1st July 2021
Review Date: 1st July 2022
Issued: July 2021
HTC – HT Counselling;
Workers – Counsellor’s, Trainee’s, Volunteer’s, Consultants – anyone working on behalf of HTC; Policy – Data Protection Policy issued by HTC;
PD – Practice Director – Helen Townsend for HTC;
DPO – Data Protection Officer;
DPL – Data Protection Laws;
ICO – Information Commissioner Office;
DPA – Data Protection Act 1998;
GDPR – General Data Protection Regulation;
DPA 2018 – Data Protection Act 2018; SPD – Sensitive Personal Data;
Rights – The rights of access to your data;
Information Notice – served by the ICO where information is required;
Enforcement Notice – served by the ICO if a company is not complying with the Information Notice.
HT Counselling (“HTC”) as a service is committed to complying with data protection law and to respecting the privacy rights of individuals. The policy applies to all of our counsellors, trainee’s, volunteers and consultants (“Workers”).
This Data Protection Policy (“Policy”) sets out our approach to data protection law and the principles that we will apply to our processing of personal data. The aim of this Policy is to ensure that we process personal data in accordance with the law and with the utmost care and respect.
We recognise that you have an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy and to apply and implement its requirements when processing any personal data. Please pay special attention to section ‘Your main obligations’ as these set out the practical day to day actions that you must adhere to when working or volunteering with HT Counselling.
Data protection law is a complex area. This Policy has been designed to ensure that you are aware of the legal requirements imposed on you and on us and to give you practical guidance on how to comply with them. This Policy also sets out the consequences of failing to comply with these legal requirements. However, this Policy is not an exhaustive statement of data protection law nor of our or your responsibilities in relation to data protection.
If at any time you have any queries on this Policy, your responsibilities or any aspect of data protection law, seek advice from Practice Director (“PD”) for HTC.
Who is responsible for Data Protection?
All our Workers are responsible for data protection, and each person has their role to play to make sure that we are compliant with data protection laws. We are not required to appoint a Data Protection Officer (“DPO”). However, we must still ensure that we are compliant.
Why do HTC Have a Data Protection Policy?
We recognise that processing of individuals’ personal data in a careful and respectful manner cultivates trusting relationships with those individuals and trust in our service. We believe that such relationships will enable our organisation to work more effectively with and to provide a better service to those individuals. This Policy works in conjunction with other policies implemented by HTC from time to time.
Status of this Policy and the implications of breach
Any breaches of this Policy will be viewed very seriously. All Workers must read this Policy carefully and make sure they are familiar with it. Breaching this Policy would see a restriction/termination of any hire contract to any Workers.
If you do not comply with Data Protection Laws (“DPL”) and/or this Policy, then you are encouraged to report this fact immediately to the PD. This self-reporting will be taken into account in assessing how to deal with any breach, including any non-compliance which may pre-date this Policy coming into force.
If you are aware of or believe that any other representative of ours is not complying with DPL and/or this Policy you should report it in confidence to the PD.
There are a number of serious consequences for both yourself and us if we do not comply with DPL. These include:
- Restriction/Termination of contract: Where you are a Worker, failure to comply with our policies could lead to termination of your Worker position with the service;
- Criminal sanctions: Serious breaches could potentially result in criminal liability;
- Investigations and interviews: Your actions could be investigated, and you could be interviewed in relation to any non-compliance.
For the organisation:
- Criminal sanctions: Non-compliance could involve a criminal offence;
- Civil Fines: These can be up to 20 million Euros (or equivalent in sterling) or 4% of the annual turnover whichever is higher;
- Assessments, investigations and enforcement action: We could be assessed or investigated by, and obliged to provide information to, the Information Commissioner Office (“ICO”) on our processes and procedures and/or subject to the ICO’s powers of entry, inspection and seizure causing disruption and embarrassment and potential breach of client confidentiality;
- Court orders: These may require the service to implement measures or take steps in relation to, or cease or refrain from, processing personal data;
- Claims for compensation: Individuals may make claims for damage they have suffered as a result of the services non-compliance;
- Bad publicity: Assessments, investigations and enforcement action by, and complaints to, the ICO quickly become public knowledge and might damage the service. Court proceedings are public knowledge;
- Loss of business: Prospective clients might not want to deal with the service if we are viewed as careless with personal data and disregarding our legal obligations;
- Use of management time and resources: Dealing with assessments, investigations, enforcement action, complaints, claims, etc takes time and effort and can involve considerable cost.
Data protection laws
The Data Protection Act 1998 (“DPA”) applies to any personal data that we process, and has been updated by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”) (together “Data Protection Laws” (DPL)) and after Brexit the UK will adopt laws equivalent to these DPL’s.
The DPL’s all require that the personal data is processed in accordance with the Data Protection Principles (see below) and gives individuals rights to access, correct and control how we use their personal data (see below).
Data will relate to an individual and therefore be their personal data if it:
- Identifies the individual. For instance, names, addresses, telephone numbers and email addresses;
- Its content is about the individual personally. For instance, medical records, a recording of their actions, or contact details.
Examples of information likely to constitute personal data:
- unique names;
- names together with email addresses or other contact details;
- video and/or photographic images;
- Information about individuals obtained as a result of
- Safeguarding checks;
- Medical and disability information.
Lawful basis for processing
For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the DPL’s.
For the processing of ordinary personal data in our organisation these may include, among other things:
- the data subject has given their consent to the processing (counselling agreements);
- the processing is necessary for the performance of a contract with the data subject (payment of fees and letters to external parties);
Special category data
Special category data under the DPL’s is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.
Under DPL’s this type of information is known as special category data and criminal records history becomes its own special category which is treated for some parts the same as special category data.
Previously these types of personal data were referred to as Sensitive Personal Data (“SPD”) and some people may continue to use this term.
To lawfully process special categories of personal data we must also ensure that the individual has given their explicit consent to the processing.
To lawfully process personal data relating to criminal records and history there are even more limited reasons, and we must either:
- ensure that either the individual has given their explicit consent to the processing; or
- ensure that our processing of those criminal records history is necessary under a legal requirement imposed upon us.
We would normally only expect to process special category personal data or criminal records history data in the context of our client work for reasons of health and safety requirements, safeguarding checks, etc.
When do we process personal data?
Virtually anything we do with personal data is processing including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just storage of personal data is a form of processing. We might process personal data using computers or manually by keeping paper records.
Examples of processing personal data might include:
- Using personal data to correspond with clients;
- Holding personal data in our databases or documents; and
- Recording personal data in client or Worker files.
The main themes of the DPL’s are:
- good practices for handling personal data;
- rights for individuals in respect of personal data that data controllers hold on them; and
- being able to demonstrate compliance with these laws.
In summary, DPL requires each data controller to:
- only process personal data for certain purposes;
- process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner);
- provide certain information to those individuals about whom we process personal data which is usually provided in a privacy notice (counselling agreement);
- respect the rights of those individuals about whom we process personal data (including providing them with access to the personal data we hold on them); and
- keep adequate records of how data is processed and, where necessary, notify the ICO and possibly data subjects where there has been a data breach.
Every Worker has an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy.
DPL in the UK is enforced by the ICO. The ICO has extensive powers.
Data protection principles
The DPL’s set out 6 principles for maintaining and protecting personal data, which form the basis of the legislation. All personal data must be:
- Processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met;
- Collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”);
- Adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”);
- Accurate and where necessary kept up to date;
- Kept for no longer than is necessary for the purpose (“storage limitation”);
- Processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).
Data subject rights
Under DPL’s individuals have certain rights (“Rights”) in relation to their own personal data. In summary these are:
- The rights to access their personal data, usually referred to as a subject access request;
- The right to have their personal data rectified;
- The right to have their personal data erased, usually referred to as the right to be forgotten;
- The right to restrict processing of their personal data;
- The right to object to receiving direct marketing materials;
- The right to portability of their personal data;
- The right to object to processing of their personal data; and
- The right to not be subject to a decision made solely by automated data processing.
The exercise of these Rights may be made in writing, including email, and verbally and should be responded to in writing by the PD for HTC without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, considering the complexity and number of the requests. We must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic form means, any information is to be provided by electronic means where possible, unless otherwise requested by the individual.
If we receive the request from a third party (e.g. a legal advisor), we must take steps to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.
There are very specific exemptions or partial exemptions for some of these Rights and not all of them are absolute rights. However, the right to not receive marketing material is an absolute right, so this should be complied with immediately.
Where an individual considers that we have not complied with their request e.g. exceeded the time period, they can seek a court order and compensation. If the court agrees with the individual, it will issue a Court Order, to make us comply. The Court can also award compensation. They can also complain to the regulator for privacy legislation, which in our case will usually be the ICO.
In addition to the rights discussed in this document, any person may ask the ICO to assess whether it is likely that any processing of personal data has or is being carried out in compliance with the privacy legislation. The ICO must investigate and may serve an “Information Notice” on HTC (if the service is the relevant data controller). The result of the investigation may lead to an “Enforcement Notice” being issued by the ICO. Any such assessments, information notices or enforcement notices should be sent directly to the PD for HTC from the ICO.
In the event of a Worker receiving such a notice, they must immediately pass the communication to the PD.
Notification and response procedure
If a Worker has a request or believes they have a request for the exercise of a Right, they should:
- pass the call to the PD. The PD will take and record all relevant details and explain the procedure. If possible, try to get the request confirmed in writing addressed to the PD for HTC; and
- inform the PD of the request.
The PD will co-ordinate the services response (which may include written material provided by external legal advisors). The action taken will depend upon the nature of the request. The PD will write to the individual and explain the legal situation and whether the service will comply with the request. A standard letter/email from HTC services should suffice in most cases.
Your main obligations
What this all means for you can be summarised as follows:
- Treat all personal data with respect;
- Treat all personal data how you would want your own personal data to be treated;
- Immediately notify the PD if any individual says or does anything which gives the appearance of them wanting to invoke any rights in relation to personal data relating to them;
- Take care with all personal data and items containing personal data you handle or come across so that it stays secure and is only available to or accessed by authorised individuals; and
- Immediately notify the PD if you become aware of or suspect the loss of any personal data or any item containing personal data.
Data protection laws have different implications in different areas of the service and for different types of activity, and sometimes these effects can be unexpected.
Areas and activities particularly affected by DPL include human resources, payroll, security (e.g. CCTV), customer care, sales, marketing and promotions, health and safety and finance.
You must consider what personal data you might handle, consider carefully what DPL might mean for you and your activities, and ensure that you comply at all times with this policy.
Whilst you should always apply a common-sense approach to how you use and safeguard personal data, and treat personal data with care and respect, set out below are some examples of dos and don’ts:
- Do not take personal data out of HTC’s premises (unless absolutely necessary);
- Never leave any items containing personal data unattended in a public place, e.g. on a train, in a café, etc and this would include paper files, mobile phone, laptops, tablets, memory sticks etc;
- Never leave any items containing personal data in unsecure locations, e.g. in a car on your driveway overnight and this would include paper files, mobile phone, laptops, tablets, memory sticks etc;
- If you are staying at a hotel then utilise the room safe or the hotel staff to store items containing personal data when you do not need to have them with you;
- Do encrypt/password protect laptops, mobile devices and removable storage devices containing personal data;
- Do lock laptops, files, mobile devices and removable storage devices containing personal data away and out of sight when not in use;
- Do password protect documents and databases containing personal data;
- Never use removable storage media to store personal data unless the personal data on the media is encrypted;
- Use confidential waste disposal for any papers containing personal data, do not place these into the ordinary waste, place them in a bin or skip etc, and either use a confidential waste service or have them shredded before placing them in the ordinary waste disposal;
- Do dispose of any materials containing personal data securely, whether the materials are paper based or electronic;
- When in public place, e.g. a train or café, be careful as to who might be able to see the information on the screen of any device you are using when you have personal information on display. If necessary move location or change to a different task;
- Do not leave personal data lying around, store it securely;
- When speaking on the phone in a public place, take care not to use the full names of individuals or other identifying information, as you do not know who may overhear the conversation. Instead use initials or just first names to preserve confidentiality;
- If taking down details or instructions from a client in a public place when third parties may overhear, try to limit the information which may identify that person to others who may overhear in a similar way to if you were speaking on the telephone;
- Never act on instructions from someone unless you are absolutely sure of their identity and if you are unsure then take steps to determine their identity. This is particularly so where the instructions relate to information which may be sensitive or damaging if it got into the hands of a third party or where the instructions involve money, valuable goods or items or cannot easily be reversed;
- Do not transfer personal data to any third party;
- Do notify the PD immediately of any suspected security breaches or loss of personal data;
- If any personal data is lost, or any devices or materials containing any personal data are lost, report it immediately to the PD.
Foreign transfers of personal data
Personal data must not be transferred outside the European Economic Area.