The Aspen Counselling Services Mullingar CLG (ACSM) is an independent body whose functions include promoting, encouraging and fostering high standards and good practice in the delivery of mental health services aimed at supporting personal growth, wellbeing and integrating all aspects of human experience. Equally putting systems in place to protect the rights of our clients. This means that ACSM may need to process your Personal Data while you are in receipt of care and treatment at our centres, so that we can perform these legal functions.
- · “Personal Data” is information from which you (or another person) are identifiable or which relates to you;
- · “Special Categories of Personal Data” is personal data which is subject to a higher standard of protection under law due to its sensitivity.
It includes Personal Data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, and the processing of genetic data, data concerning health or data concerning an individual’s sex life or sexual orientation; and
- · “Processing” refers to any use of your Personal Data including its collection, disclosure, retention and storage.
This Guide summarises when, how and why your Personal Data will be processed as a client when attending our services. ACSM routinely processes Personal Data, but from time to time, Special Categories of Personal Data may also be processed. ACSM takes appropriate measures to protect the confidentiality of your Personal Data. Service providers that support our functions are also required to protect the confidentiality of your Personal Data and must not use it for any purpose other than providing services to us.
We have summarised how we use your Personal Data below.
We may sometimes need to provide Personal Data to other authorities such as the Child and Family Agency (TUSLA), the Health Information and Quality Authority (HIQA) or any other regulatory body as part of our functions. If we have to do this, we generally try to do so on an anonymised basis.
Legal justification for our use of Personal Data
To comply with the law, we need to tell you the legal justification we rely on for using your Personal Data.
ACSM has a statutory function “to promote, encourage and foster the establishment and maintenance of high standards and good practices in the delivery of mental health services and to take all reasonable steps to protect the interests of our clients”.
Justification for Processing Personal Data
We process your Personal Data in order to perform our statutory functions, comply with our legal obligations and to allow us perform tasks which are in the public interest.
Special Categories of Personal Data
We only process Special Categories of Personal Data where necessary for the performance of our functions, to protect your vital interests, in the context of legal proceedings, for the establishment, exercise or defence of your legal rights (or those of ACSM or a third person) or where necessary for reasons of public interest in order to ensure high standards of quality and safety of health care.
Criminal data will only be processed where necessary in the context of ACSM functions where authorised by law to do so. This could be in the context of our regulatory functions, for the establishment, exercise or defence of your legal rights (or those of ACSM or a third person) in the context of establishing a Mental Health Tribunal or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings.
Retention of Personal Data
Your Personal Data will only be kept for as long as is necessary for the purposes for which we collect it or by reference to any legal obligations. In all cases, Personal Data may be retained for a longer period where required in the context of an ongoing legal obligation, claim or legal proceedings.
Our current policy is to keep any records of your Personal Data for 7 years. Governing agencies for counselling practitioners’ recommends that, in the absence of a superseding requirement, Counsellors/Therapists retain records for a period of 7 years after the last date of service delivery. Records for children and young people should be retained until the client is 25 (or 26 if they are 17 when therapy sessions end) or 8 years after their death, if sooner.
Client Notes and Record Keeping
- Our policy is to keep minimum notes and records. The information we store may include particulars such as:
- Personal information – name, date of birth, address, contact details etc;
- ICE particulars;
- Background information that might be relevant to the counselling process;
- Your signed contract with us;
- Confidential case notes (describing the main focus of the session with any important information);
- Information for service evaluation and statistical purposes.
Records and Data Protection:
Client records may be held physically or may be kept in electronic format, under encryption, on the therapist’s computer. All Data Protection legislation will be complied with in accordance with current regulations. At the first session a client intake form will generally be completed giving relevant background information about the client; it may include information pertaining to medical conditions; substance dependencies; noting previous experience of counselling; G.P. details, and client contact details. Brief session notes will be created by the therapist post sessions and retained again physically or in electronic format, again under encryption, on the therapist’s computer. All records relating to a client will be erased from the therapist’s computer after a period of 7 years from the date of the last meeting or as stated under the guidelines stated under the heading ‘Retention of Personal Data’.
Personal Data Rights
You are afforded particular rights in relation to the processing of your Personal Data which may be limited by circumstance or legal exemptions.
These rights include the following:
- a) Right to access a copy of your Personal Data;
- b) Right to rectify any inaccurate Personal Data;
- c) Right to erase Personal Data, for example, when we no longer need to retain it;
- d) Right to restrict or suspend your use of Personal Data as part of any objection to or challenge of its use; and
- e) Right to complain to the Data Protection Commission about our use of your Personal Data.
Who to contact about your Personal Data
If you have any questions or concerns about the way your Personal Data is used by us, you can contact us by e-mail at: firstname.lastname@example.org
EU Regulation 2016/679 known as the GDPR and the Data Protection Act 2018 regulate the processing of personal data of a living person (known as a data subject), which is in the possession or under the control of a data controller such as Aspen Counselling Services Mullingar CLG (ACSM).
Personal data is defined as information from which the individual (data subject) concerned can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. These requirements do not apply however to fully anonymised or aggregated data where a living individual cannot be identified. There are also “special categories of personal data”, which is any data that relates to a data subjects’:
(a) Trade union membership.
(b) Data concerning physical or mental health or condition, or sexual life or orientation.
(c) Genetic data, biometric data.
(d) Racial or ethnic origin, political opinions, religious or philosophical beliefs, and which attract a greater level of protection under the GDPR.
Data relating to criminal convictions or offences is subject to specific protection and may only be processed under the control of official authority or where authorised by Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
The requirements apply to any person or entity that falls within the definition of a data controller or data processor. The obligations primarily apply to data controllers, defined as the entity that determines the purposes and means of data processing (alone or together with others). As noted above, Aspen Counselling Services Mullingar CLG is a data controller.
Information should be collected fairly and for a specific purpose and it should only be processed by reference to specific legal grounds.
The processing of special categories of personal data is subject to separate grounds for processing, which are set out in Article 9 GDPR. In addition, the Data Protection Act 2018 states that the processing of special categories of personal data is permissible when processing respects the essence of the right to data protection and is necessary and proportionate for the performance of a statutory function.
There is a requirement that “appropriate technical and organisational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.
Data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances. These are known as data subject access rights. These include the right of access, deletion (e.g. where processing is unlawful or excessive) and to rectification of inaccurate personal data. Please contact Aspen’s Data Protection Officer for any further information in relation to this issue. The other rights introduced by the GDPR which apply in certain circumstances include the right of restriction and right of objection. Please contact the ACSM Data Protection Officer for any further information in relation to this issue.
The GDPR introduces a compulsory requirement for controllers to report data breaches to its supervisory authority (i.e. in Ireland, the Data Protection Commission) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. A risk assessment will therefore need to be taken by the controller in evaluating whether the obligation to report arises. Where a breach poses a high risk to data subjects, the GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay. Regardless of whether a notification to the regulator is made or not, controllers must document all personal data breaches, comprising the facts, its effects and remedial action taken. Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.
The GDPR gives data subjects a right to claim compensation for material or non-material loss or damage arising from an infringement of the GDPR by a controller or a processor (who can be sued on a joint and several basis where they are both involved in the processing giving rise to the infringement). Under the Data Protection Act 2018, these are classified as actions in tort subject to the jurisdiction of the Circuit Court and High Court.
Should you have any queries please contact:
Aspen Counselling Services (Mullingar) CLG
c/o 23e Axis Business Park
Tel: 086 776 0550