Why I record and store personal information
There is some personal information that I need to hold in order to provide my service to clients. I aim to keep the information I record to a minimum. At the outset of our work together my clients give specific consent to my keeping this information.
The information I record and how I store it
For each of my counselling clients I record the following:
Their name, address, email address, age, telephone number and GP surgery
Recorded on paper, as part of an information and privacy agreement signed by the client. Stored in a locked filing cabinet.
Stored in the email contacts folder on a laptop computer. This is deleted after contact ends. Access to the laptop is password protected.
Stored in the contacts folder on a mobile phone using the client’s initials. Access to the phone is protected by a pass code.
A paragraph for each session typed up, dated and saved in a session notes file. Each session note file is passcode protected and saved to an encrypted hard drive. The filename used is the client’s initials and any reference to the client and other individuals is made using initials only.
Stored on a mobile phone. Access to the phone is protected by a pass code.
Email from clients
Saved to a specific folder on a password protected laptop computer and deleted after one month.
How I use the information I store
Contact information enables me to communicate with my clients between counselling sessions. I record details of my clients’ GP surgery in the unlikely event that I judge it to be in a client’s interest for me to take action to ensure their safety. My session notes help me to remember and reflect upon what my clients have shared with me, thereby enabling me to work with them as effectively as possible.
How long I store information for
A client’s contact information that I store electronically will be deleted within one month of my work with them ending. I keep session notes and paper records for six years. This is to enable me to refer back to previous work with returning clients and to respond to any complaints or other issues that might arise after our work has ended. If a client asks me to delete/destroy records within these time periods I will do so.
Sharing information with third parties
As a member of the British Association for Counselling and Psychotherapy (BACP) I am required to receive regular supervision of my work. This involves me discussing with my supervisor what my clients share with me. In doing so I do not mention my clients’ names or any other details which might enable my supervisor to identify them.
I will share a client’s personal information with a third party if that client asks me to do so or if we agree that doing so would be in their interest. When possible, I will share this information in electronic form copied to the client.
I may share information with relevant authorities in order to ensure the safety of children or vulnerable adults. I will also share information if legally required to do so e.g. if that information relates to money laundering or terrorism or if a subpoena is issued requiring me to submit my session notes to court.
Clients’ access to information, correction of inaccuracies and concerns about my data management
If a client asks me for a copy of any of their personal information, I will do so within 30 calendar days. Where possible I will share this information in electronic form, in the case of records held on paper these will be a PDF copy. I will make no charge for meeting any reasonable request for access to information. If a client believes that I hold information relating to them that is factually inaccurate I will correct it at their request. If a client believes that I am managing their information incorrectly they have the right to complain to the Information Commissioner’s Office.
If I have any reason to believe that a client’s information has been accessed without authorisation I will:
- inform the client as soon as I am able and agree actions, they would like me to take for their protection
- report the matter to the police, if appropriate
- take any necessary action to protect other information that I hold