Introduction
It is important to Counselling Services Glasgow (CSG), an independent charity and member of the Relationships Scotland Network, that you understand why and how we collect and use your personal information. This Privacy Notice sets out our policies on the collection and use of your data, and your rights under data protection legislation in the United Kingdom.
About RelationshipsGlasgow
CSG is a counselling organisation staffed by an experienced group of qualified and upskilling relationship counsellors. We are a Scottish charity (SC008419) and we provide services in relationship counselling and psycho-sexual therapy. Our counsellors are authorised to act as counsellors through COSCA (Counselling and Psychotherapy in Scotland www.cosca.org.uk). We are quality assured by the Relationships Scotland Network (www.relationships-scotland.org.uk).
Data controller and data protection officer
We are registered with the Information Commissioner’s Office (ICO) as data controllers. Our data protection controller is Stuart Duffin, who you can contact at stuart@rsglasgow.org.uk.
Your personal information
Why do we collect personal information?
We believe in a human rights-based approach to counselling where all are treated fairly with dignity and respect. We are collaborative and create projects in which counsellors work with other services to help meet gaps in building strong relationships and resilient lives, and to reduce inequality for marginalised, vulnerable and disadvantaged groups.
We provide our counselling services (and contribute our counselling expertise) by
- providing relationship counselling services to people and communities
- supporting outreach services
- delivering professional training and public education, and
- contributing to research, advocacy and policy, at local, national and international levels.
To fulfil our aims, and support our projects, we may need to collect personal information from individuals seeking counselling or participating in our training and outreach events.
What information might be requested?
To provide you with relationship counselling services, either directly or through our outreach digital services, we may ask for:
- your name and contact details
- sensitive personal information (eg racial or ethnic origin, health, harm you may have suffered) if this is relevant to the counselling.
If you attend a professional training, public education or other outreach event, then to process and record your attendance we may ask for:
- your name and contact details
- payment details.
How will we request this information?
We will ask you for this information either orally or in writing. You have the right to withhold certain information if you wish.
If you withhold information, depending on the service you are accessing, we may still be able to provide you with a service. If you wish to withhold information, please tell us as soon as possible, and we will explain any implications for whether we can continue to work with you.
All clients are required to agree and sign our terms of engagement (our counselling contract), and our confidentiality policy, prior to beginning counselling with RelationshipsGlasgow. The contract provides the lawful basis for processing your information under data protection legislation.
What will we do with this information, and who will we share it with?
We will use the personal information you have given us to provide you with the counselling service we have offered to you. At the commencement stage, we will explain to you specifically what purposes we will use your information for, and who it will be shared with. These specific terms will apply in addition to (or in place of) the more general terms of this Privacy Notice.
We may also use some of your information for research or to write reports, but if so it would be done anonymously, so that you could not be identified. Similarly, if we were working in collaboration with another partner organisation, information shared to support the collaboration would be anonymous.
Without your explicit consent, we will not use your personal information for any purpose other than the purposes we told you about at the time you agreed to share it with us, unless we are required to do so by law.
How will we store this information?
All information relating to casework (including e-mails), and training, research and policy work is stored on secure online cloud-based services. Access is restricted to members of our team, and other professional service providers (eg for IT and the case management system as needed).
We also store some personal information in paper files held in locked filing cabinets.
We have an Information Governance and Data Protection Policy to ensure that our team are aware of their obligations to handle data securely, and the procedures for doing this.
We utilise a range of online methods and other communication tools in order to offer remote services, including counselling, training and education, as well as to accept payments and donations. These include (but are not limited to) Microsoft 365, Google Workspace, Zoom, Eventbrite, Paypal, JustGiving and MailChimp. These are secure systems, and access is restricted to members of our team, and other professional service providers.
We only process personal data in a manner that ensures its security, and we protect it against unauthorised or unlawful processing and against accidental loss, damage or destruction.
How long will we store this information?
We will only store your information for as long as is necessary, or as long as we are required to do so by law. This will usually be set out in the specific information we give you at the commencement of our services to you.
This is further detailed in our records management policy and records retention schedule, which is in place to avoid excessive retention or premature destruction of personal data.
Your rights in relation to your personal data
You have important rights in relation to the data we hold about you, which you can exercise at any time. These include the right to
- ask to see a record of all the personal information we hold
- ask that we amend any incorrect or incomplete data that we hold
- request that we permanently delete data we hold
- complain about how we have taken or processed your data.
The right of access to personal data gives individuals the right to access, be made aware of, and verify the lawfulness of processing. We will respond without delay and no later than one month after receipt of the request, subject to ID verification and any applicable exemptions.
For more information, or to exercise any of these rights, please contact our data protection controller at stuart@rsglasgow.org.uk.
If you are unhappy with how RelationshipsGlasgow have taken or processed your data, you also have the right to lodge a complaint with the Information Commissioner’s Office on 0303 123 1113 or at www.ico.org.uk/concerns.
Thank you for taking the time to read our Privacy Notice. We hope you have found it helpful, and welcome any comments you may have.
Information Governance and Data Protection Policy
Purpose and scope
This policy covers all CSG activities and processes in which personal data is used, whether in electronic form or hard copy.
This policy applies to all representatives of CSG including employees, volunteers, and those in training. It also applies to others acting on behalf of CSG or who are otherwise given access to our information infrastructure.
As a counselling agency, employer, and service provider, we collect personal data when registering clients, employing staff and volunteers, and providing services to clients.
This policy takes precedence over any other policy on matters relating to data protection.
Definitions
The following terms are defined in data protection legislation:
- Personal data - any information relating to a person who can be directly or indirectly identified (including by reference to an identifier, eg name, identification number)
- Special category personal data - the following types of personal data (specified in data protection legislation) are particularly sensitive and/or private, and therefore more likely to cause damage
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade union membership
  - health related conditions (physical or mental health)
  - sex life and sexual orientation
  - commission (or alleged commission) of any criminal offence
  - genetic data
  - biometric data (where processed to uniquely identify an individual)
- Data subject - the individual to whom the personal data relates
- Data controller - person who determines the purposes and means of processing personal data
- Data processor - a person responsible for processing personal data on behalf of a controller
- Data breach - a security incident that affects the confidentiality, integrity or availability of personal data; eg whenever any personal data is
  - lost
  - corrupted
  - unintentionally destroyed or disclosed
  - accessed or passed on without proper authorisation (or made unavailable causing a significant negative effect on the data subjects).
Policy
CSG is committed to complying with the General Data Protection Regulation (GDPR) and any legislation enacted in the UK in respect of the protection of personal data (data protection legislation).
To do this, CSG will
1 Only collect and use personal data where strictly necessary, and where there is an appropriate lawful basis for processing.
2 Inform data subjects of the lawful basis, explain the purpose and manner of the processing and inform them about the Privacy Notice.
3 Keep personal data secure.
4 Observe the rights of individuals under data protection legislation.
5 Ensure everyone this policy applies to is trained appropriately in managing personal data. We will also ensure that they are familiar with the contents of the Privacy Notice.
6 Ensure that all records containing personal data are managed effectively.
7 Maintain a written record of processing activities.
8 Only share personal data with third parties where adequate standards of data protection can be guaranteed and, where necessary, contractual arrangements are put in place. (We will not transfer personal data to countries outside the European Economic Area.)
9 Implement comprehensive and proportionate governance methods to demonstrate compliance with data protection legislation principles.
10 Manage any data breaches in line with legislative requirements and good practice.
Roles and responsibilities
Everyone who works for, or on behalf of, CSG must complete a mandatory online GDPR training course on commencement and thereafter every two years, and undertake any other training considered appropriate.
They must also ensure that any personal data they handle is processed in accordance with this policy.
The Board and CEO are responsible for approving this policy and assuring that CSG meets its data protection obligations.
The role of Data Protection Officer falls to the CEO, who is responsible for
- informing, advising and updating CSG of its data protection obligations and maintenance of this policy
- monitoring, and providing guidance, support, training and advice on, compliance
- awareness raising and training of all involved in data processing
- undertaking internal audits of data protection and risk reduction (and demonstrating compliance with data protection legislation principles)
- providing advice on data protection impact assessments, which are undertaken as required
- cooperating with the Information Commissioner and acting as the contact point for any issues related to processing
- processing all subject access requests for RelationshipsGlasgow.
Data breaches
We will follow a data breach management procedure for addressing data breaches, and all suspected and actual data breaches will be reported to stuart@rsglasgow.org.uk as soon as possible.
Where feasible, we will notify the Information Commissioner within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to the rights and freedoms of any individuals).
Any affected individuals will be notified without undue delay.