ICO Registration number: Z8963972
Axis Counselling is committed to protecting and respecting your privacy.
This Privacy Policy sets out important details about information that Axis Counselling and staff responsible for your care may collect and hold about you, how that information may be used and your legal rights.
We will review this Privacy Policy on a regular basis and we advise you to check back on our website for the latest version.
Axis Counselling is the data controller for the information we hold about you, and is accountable for the data that we process.
- Who has information about me?
Information is shared for your direct care purposes. There may be instances where we are required under legislation to share information, but we will only do so if we have a legal basis.
- What information does Axis Counselling hold about you?
We hold 2 types of data about you.
- Personal data (data which identifies you)
- Personal data only includes information relating to natural persons.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive, and Axis Counselling may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- Special Category (sensitive data)
This sort of data could include:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life
- sexual orientation
- Information we collect
We collect information about you which you have supplied, or which comes from others involved in your care and support (i.e. GP, police, other support services including mental health).
This is likely to include your personal data (see the definition of Personal Data in section 2).
We may also hold more sensitive information about you (see the definition of Sensitive Data in section 2).
We may collect information from you when:
- you contact us via telephone call.
- you communicate with us via email or social media.
- you visit one of our offices for an appointment.
- we visit you in the community for an appointment.
Sometimes we obtain information about you from:
- other health care providers, GP, etc
- the Police
- other support services
- How will Axis Counselling use the information it holds about me?
We use information about you in connection with
- providing you with a service
- assessments, and
- support and advocacy.
We may use your phone number (or email address where you have provided it to us) to contact you in advance of an appointment for reasons connected with your support. Where you have provided us with your mobile number or email address, we may send you confirmations/reminders of your appointments via text message or email and we may respond to your email enquiries via email. We will only contact you via means of contact that you have confirmed are safe.
We may also use information about you for
- quality assurance,
- maintaining our business records,
- anonymised reporting to our funders,
- developing and improving our products and services, and
- monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you.
This may include our staff planning and workload management systems to help support our staff to develop and plan the most appropriate levels of care to our clients and to ensure we have got the right levels of productivity and efficiency and good outcomes for clients.
We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud or safeguarding) or in connection with legal proceedings.
We may also use information about you where you have provided your consent to us doing so.
We do not carry out automated decision making or profiling.
- Staff access to your personal and sensitive data.
We carefully control who has access to your information. Staff have access where they are required to do so to provide care or support. Where possible we limit the access that staff have on our electronic systems (i.e. databases). We also carry out spot checks and audits to see if there has been any inappropriate access. Where that occurs, disciplinary action may be taken against the staff, and in serious cases court action. If the data breach includes access to your information, we will contact you. We also have an obligation if it is a serious data breach to inform the Information Commissioner’s Office.
In order to reduce the risk of a data breach, Axis Counselling has in place robust policies and procedures and we carry out training for all staff on an annual basis.
All counselling staff providing direct care are registered with the appropriate professional and regulatory bodies, i.e. BACP and have a responsibility to uphold the highest standards when handling client information.
- How we keep your information safe and secure
- Axis Counselling is required to complete the NHS Digital Data Security & Protection Toolkit. This is a tool that provides assurance that we are meeting standards on handling patient/client information.
- We have Data Protection Policies in place to ensure staff understand the ‘must’ or ‘must not do’ with client data.
- Staff are required to complete induction training in Information Governance and to complete annual update training.
- Spot checks are carried out across the company.
- Our IT is managed by Start Tech, Salesforce, and Visia Software Ltd, who ensure that all safeguards are in place so that data held on IT systems is protected and secure from unauthorised access, loss or damage, and who hold a Cyber Security Plus certification. These organisations can only use any data shared with them as we have instructed them.
- Passwords are changed on a regular basis, and we utilise multi-factor authentication (MFA) where it is available.
- Where incidents do happen, our investigations will include actions we take, and lessons learnt.
- Will Axis Counselling share information about me with others?
Yes, we set out these reasons below and assure you that in each case, we share only such information as is appropriate, necessary and proportionate.
Axis will share personal data internally within the organisation for the purposes of:
- providing you with a service,
- keeping your information up to date
- referring between services within Axis, to minimise the amount of duplicate information that you have to provide us with,
- line management supervision of our workers, and quality assurance (information will be shared with the relevant manager(s)),
- safeguarding you or another person who may be at risk of harm.
Any data shared will be on a need-to-know basis. All staff must comply with our Data Protection and GDPR policies and procedures.
Axis will share personal data with its specified partners in accordance with data sharing protocols whilst complying with the GDPR and Caldicott guidelines which govern how we can share personal information with our partner organisations. The general rules can be summarised as:
- Justify the purpose of using confidential information.
- Only identify the client if necessary
- Use the minimum amount of information required.
- Access should be on a strictly need-to-know basis.
- Everyone should be aware of their responsibilities.
- Everyone should understand and comply with the law.
- The duty to share information for individual care is as important as the duty to protect client confidentiality.
- Inform service users about how their confidential information is used and what choice they have. There should be no surprises.
Some of the circumstances in which personal information may be disclosed are:
- Where permission of the client has been given and disclosure is permitted by law.
- Where we have a statutory duty to disclose or by order of a court.
- For study, research, and/or statistical purposes (including reporting to our funders), where the information has been anonymised.
- To prevent harm to the data subject or another person.
- Where there is a risk to public health
- To prevent or detect crime.
We may share information about you with external organisations such as:
- our lawyers,
- auditors,
- Insurance companies,
- NHS organisations,
- other support organisations
- regulatory bodies such as the BACP,
- social care, and
- the police.
We will only do this where we have a legal basis to do so or with your consent.
We may also share information about you with third party suppliers, which provide us with:
- electronic client record systems. (They can only use any data shared with them, as we have instructed them)
- clinical supervision (we contract clinical supervisors to provide monthly clinical supervision for all of our workers, for the purposes of keeping them and you, safe).
Information shared between Axis Counselling and partner agencies regarding rape and sexual assaults would be used for the following purposes:
- To ensure better support for clients/ survivors
- To identify risk factors associated with survivors and potential survivors.
- To assist with MARAC, MAPPA and any other multi agency risk prevention meeting as required
- To develop a problem profile on rape and sexual assault and include information from it as part of West Mercia Police’s strategic assessment.
- To assist West Mercia Police to identify and target offenders, identify linked offences, and links with other criminal activities and criminals.
- To assist West Mercia Police to develop a prevention and enforcement strategy.
- For further information sharing purposes with partner agencies where appropriate
- To support a co-ordinated approach to healthcare, social care and criminal justice processes to ensure better outcomes for survivors.
- To ensure that the wishes of clients/ survivors are met and the reason for sharing information is justified.
- To monitor the quality of services, share and develop best practice.
- To develop services to better meet the needs of survivors.
- To ensure there is a recognised framework in which to share information and to ensure that such information is managed appropriately.
- To avoid duplication of information gathering.
- To improve the knowledge and understanding of the impact of rape and sexual assault
- To produce statistical information and support research
- To develop strategy and identify implications for future resourcing and funding applications.
In each case, we would share only such information as was relevant, necessary and proportionate.
Counsellors in Training
Axis provides placement opportunities for Counsellors in Training to enable them to complete the counselling hours that are required, in order for them to become qualified Counsellors. Some Counsellors in Training are required to audio record a small number of counselling sessions, and/or provide one or more case studies in order to qualify. These requirements concentrate on the counsellor in training’s responses and use of the counselling modality they are being trained in, so they are in effect, an assessment of the counsellor in training’s skills and do not focus on the client.
If you have consented to receiving a service by a counsellor in training, it is the responsibility of the Counsellor in Training to make a request of one or more of their clients, to audio record a counselling session and/or use case material to write a case study.
To demonstrate our commitment to showing respect to our clients and working in partnership with them, you will be provided with all of the information you require to assist you in making an informed decision on whether to consent, or not. There is absolutely no obligation on you to agree to such a request; the service that you receive will not be affected if you do not wish to consent.
It is always acceptable for a client to change their mind and withdraw consent at any time during the process even at the end. Should you consent to this, the counsellor in training will regularly review how comfortable you are in continuing to participate and you can opt-out at any time.
Should you consent, you will be given an opportunity to review and comment on the case study/recording before it is used and can request information to be removed. Any unused information will be destroyed.
Every effort will be made to protect anonymity by not using identifiable information and your counsellor in training will discuss this with you at the time.
Our Counsellors in Training come from a number of different education establishments, each having their own requirements. The Counsellor in Training will tell you:
- How they will use your case material/ recordings.
- Who it will be shared with.
- How they will keep it safe, and
- When it will be destroyed.
If you are considering consenting, please ensure that you fully understand this information, as the Counsellor in Training will be responsible for the safekeeping of such information, not Axis.
All Counsellors in training have stringent requirements relating to how they handle and store your information, and with whom they share your information. All are required to comply with the Data Protection Act (2018) and GDPR.
- Sharing with regulators or because of a legal or contractual obligation
We may share information about you with our regulators, and/or the regulators of our funders, including the
- NHS England (which leads the NHS in England) and the Department of Health (the government department responsible for health and adult social care policy).
- Health & Safety Executive.
- Public Health England.
Sometimes, we are required to disclose information about you because we are legally required to do so. This may be because of a:
- court order
- regulatory body that has statutory powers to access clients’ records as part of its duties to investigate complaints, accidents or health professionals’ fitness to practise.
Before any disclosure will be made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest.
Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.
- What legal basis does Axis Counselling have for using information about me?
Data protection law requires that we set out the legal basis for holding and using information about you. We have set out the various reasons we use information about you and alongside each, the legal basis for doing so. Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis which we have set out in the third column (entitled ‘legal basis for more sensitive information’) explaining our reason for this.
Processing shall be lawful only if and to the extent that at least one of the following applies:
- a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for processing this information is:
We have a legitimate interest.
Legal basis for more sensitive information
In order to lawfully process special category data, we must identify both a lawful basis under Article 6 of the UK GDPR (as above) and a separate condition for processing under Article 9.
Article 9 of the UK GDPR lists the conditions for processing special category data:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
Under the UK General Data Protection Regulation (UK GDPR), the separate condition we rely on for processing special category data is:
We are a not-for-profit body.
- Where and for how long does Axis Counselling store information about me?
The information about you that we hold and use is held securely in the United Kingdom and stored electronically on secure servers, and in some cases, in paper format, in secure locked filing cabinets, in a secure locked office, only accessible by authorised personnel.
No records are stored outside the EU.
Client data is held for seven years from the date they are closed to all Axis services. Files for clients accessing the service as children or young people will be kept for 7 years after their 18th birthday, or for 7 years after the file closure date, whichever is the longer.
Your records may not be retained in hard copy form where a digital copy exists.
If you would like more detailed information on this, please contact our CEO (contact details below).
- What rights do I have?
Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.
If you wish to exercise any of the rights set out below, please contact the CEO using the contact details set out below.
- Details of your rights are set out below.
- The right to be informed. This privacy notice forms part of that, but we also aim to keep you fully informed during your consultations, via posters in the company and leaflets when appropriate.
- The right to access your personal information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in the form you request; if we are unable to do that, we will inform you. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
You are entitled to the following under data protection law.
Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:
- The purposes for which we use your personal information.
- The types of personal information we hold about you.
- Who your personal information has been or will be shared with.
- Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
- If the personal data we hold about you was not provided by you, where we obtained the information from.
- Your right to ask us to amend or delete your personal information (if appropriate).
- Your right to ask us to restrict how your personal information is used or to object to our use of your personal information (if appropriate).
- Your right to complain to the Information Commissioner’s Office.
- We also need to provide you with a copy of your personal information.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity (this will be proportionate) and ensure your right to access your personal information (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.
We respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
The right to request correction of your personal information
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete and up to date. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to request erasure of your personal information
In some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the ‘right to be forgotten’. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.
The right to object to the processing of your personal information
In some circumstances, you have the right to object to the processing of your personal information. This would usually apply to processing for purposes other than your direct health care, i.e. research.
The right to request a transfer of your personal information
In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.
The right to object.
You can ask us to stop processing your information for any purposes other than to provide you with a service.
The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)
You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.
The right to withdraw your consent
You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information.
To apply any of the Individual Rights above, please contact the Chief Executive Officer.
- CCTV
Our landlords have installed external CCTV at our Telford office to:
- ensure the security of our and your property and that of our clients and staff
- monitor the security of our premises.
All CCTV is maintained and overseen by our landlord – Prestige Brickwork. They are responsible for carrying out compliance audits and reviewing the need for CCTV.
- Data for Research
The data held in the Axis Counselling records of clients, where the service they have been provided with is wholly or partially funded by the NHS, is used to support health research in England, helping to find better treatments and improve patient outcomes for everyone. Any data that could directly identify you (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
This process is called pseudonymisation and means that patients will not be identified directly in the data.
If you do not want your patient data to be shared for purposes except your own care, you can opt-out of this process.
For further information, please access the website National data opt-out – NHS Digital, or contact the administration office.
In order to opt-out of NHS Digital, we will need your NHS number, so that your data can be identified by NHS Digital in order to effect the opt-out.
- The right to complain to the Information Commissioner’s Office
You have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.
Making a complaint will not affect any other legal rights or remedies that you have.
More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ and the Information Commissioner’s Office can be contacted by post, phone, or email as follows:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number)
Fax: 01625 524 510
Email: casework@ico.org.uk
For further questions or to exercise any rights set out in this Privacy Policy, please contact Axis Counselling’s Data Protection Manager (DPM):
DPM contact details: Axis Counselling’s DPM is the Chief Executive Officer
Email address: management@axiscounselling.org.uk