Privacy Policy

Privacy Policy for Counselling Clients

This is LWCCS’s Privacy Policy outlining how and why LWCCS wish to process your personal data, as well as how LWCCS intends to keep it safe. LWCCS complies with the Data Protection Act (1998) and the General Data Protection Regulations (2018) follows the NHS Confidentiality Code of Practice.


This privacy policy outlines your rights, and LWCCS’s obligations to you, with regard to the recording and storage of your personal information. In this privacy policy LWCCS will let you know what information LWCCS needs to collect from you before beginning counselling, and what information LWCCS needs to collect from you during counselling. This also sets out how LWCCS will look after your personal information, how long LWCCS will store it, and who LWCCS will share it with. In addition, LWCCS will let you know what you are able to request from me with regard to this information.

What is personal information?

The DPA defines personal information as any information that can be used to identify a living individual. Individuals can be identified by various means including their name, address, telephone number or email address for example.

Why does LWCCS want to process my personal information?

LWCCS needs to process your personal information in order to fulfil LWCCS’s contractual obligations to you as a counselling service, for example to assess whether LWCCS is able to offer you counselling in the first place, and then to deliver effective counselling to you if therapy commences. Your personal information helps guide both your LWCCS Counsellor’s assessment process, and their clinical decision-making during counselling. LWCCS’s contractual obligations to you as a counselling service are the lawful basis for LWCCS’s processing of your personal information.

What are the laws that protect my personal information?

The DPA and the General Data Protection Regulation (GDPR) require that all organisations that store personal information about people may only do so provided that the information is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; kept in a form that permits identification of information subjects for no longer than is necessary for the purposes for which the personal information are processed; and processed in a manner that ensures appropriate security of the personal information.

How will you collect my personal information?

LWCCS will collect your personal information in the following ways: over the telephone to arrange an initial consultation, in writing, and in person during counselling sessions.

How will you treat my personal information?

LWCCS will treat your personal information confidentially in a way that is compliant with the DPA and the GDPR. The lawful and proper treatment of your personal information is important to LWCCS. We will notify you promptly in the unlikely event of any breach of your personal data that might expose you to serious risk.

How will you store my personal information?

LWCCS have implemented and require from their counsellors generally accepted standards of technology and operational security in order to protect personal data from loss, misuse, or unauthorised alteration or destruction.

LWCCS will store your personal information both electronically and physically. Your contact details and dates of sessions are kept electronically in order to arrange counselling in a password protected file on a password protected device.

Your telephone number may be stored in your counsellor’s mobile phone’s SMS should you exchange messages to arrange/cancel sessions this way but not under your name.

Personal information that is stored physically using paper records will be held securely in locked storage only accessible to LWCCS counsellors.

How long will you store my personal information?

According to the GDPR, your personal information should be stored for no longer than is necessary. In practical terms, LWCCS will usually store your information for a minimum of 7 years following the termination of your treatment as required by the NHS. However, LWCCS may need to store your information for longer than this, for instance to comply with insurance terms and conditions.

What types of information will you collect about me?

LWCCS will collect several types of information about you and in several different ways.

If you phone LWCCS or contact LWCCS to request a call back, LWCCS will ask you to provide the following information: name, telephone number, address, date of birth, email address, availability and roughly the psychological issues that you would like to address.

In order to provide counselling a LWCCS Counsellor will collect initial information during your initial assessment session and during therapy that may include: goals for therapy, G.P. contact details, previous therapy, current medication, previous criminal convictions, network of support, financial and employment circumstances, health and physical issues, alcohol and drug use, appetite and sleep, family structure, overview of your family situation, and early memories of caregivers.

What is ‘special category’ information, and why do you need to process this too?

Special category information is defined by the GDPR as being information that is more sensitive than other personal information, and therefore requiring of higher levels of protection. Examples of this type of information could include information about your health, race, sexuality, sex life, or religion. In order to lawfully process special category information, LWCCS is obliged to identify a specific condition for processing it under Article 9 of the GDPR and communicate this to you. With this in mind, the condition of the GDPR that LWCCS is applying to the processing of your special category information is that it is ‘pursuant to contract with a health professional’. This means that, if you begin counselling with LWCCS, or ask LWCCS to assess whether or not you are eligible for LWCCS to offer counselling to you, then LWCCS will likely need to process some special category information about you. Usually, this is information about your mental health, and LWCCS needs to process it in order to fulfil my contractual obligations to you in delivering safe, effective counselling.

What is a ‘data controller’, and who is the ‘data controller’ for LWCCS?

The GDPR defines a ‘data controller’ as the person in an organisation who: ‘determines the purposes and means of processing personal data’. For the purposes of the GDPR, the ‘data controller’ is LWCCS’s Manager.

Who will my personal information be shared with?

LWCCS shares with your G.P. dates of your attendance and the scores from your MDS questionnaires at the start and end of therapy. Any concerns your counsellor has about your wellbeing and safety may also be shared with your G.P. and your counsellor will always endeavour to discuss this with you first if this is the case.

Your LWCCS Counsellor will share personal information during regular consultations with their professional supervisor, who is also a member of professional bodies, approved by LWCCS and bound by confidentiality. Your LWCCS counsellor will only give your first name along with details from sessions relevant to ensuring good practice. If you know your LWCCS Counsellor’s supervisor personally or professionally then they will not share this information with them and will see another independent supervisor.

Otherwise LWCCS will only share your information if LWCCS has a legal obligation to do so e.g. court order and by law information on drug money laundering or terrorism. LWCCS will always seek legal advice before releasing any information to the courts or police authority and will only do so if compelled by law or with your consent.

Under very exceptional circumstances and only to prevent immediate substantial harm to yourself or others (vital interest), some of your personal information may be shared with your G.P. or relevant public authority e.g. the police. LWCCS will always seek to discuss this with you first.

You can choose to opt in or out of IAPT data collection where your MDS questionnaire scores are anonymously passed to the NHS to monitor our service (please see IAPT consent letter for full details).

What are my rights under data protection law?

You have the following rights:

· to access a copy and explanation of your personal data

You can contact LWCCS’s Manager to request a copy of the personal data LWCCS holds on you. LWCCS will respond to your request within one month. We usually suggest you sit down with your counsellor or LWCCS’s Manager who will go through and explain the information we hold.

· to request correction, LWCCS will respond to your request within a month of receiving it.

· to request limiting or ceasing data processing, where applicable

· to compensation for substantial damage or distress caused by data processing, where applicable

Can I object or complain about the processing of my personal information by LWCCS?

Yes. Whilst LWCCS hope that the policy outlined above will be sufficient to reassure you of the security of your personal information, should you wish to object or complain about the way that your personal information is being handled by LWCCS, then do please communicate this to LWCCS at the earliest possible opportunity.

You can do this by talking to the LWCCS Manager, Jan Grainger, email

LWCCS will do our best to address your concerns and take steps to try and resolve whatever issues you may raise.

Should you wish to take the matter further, please contact the Information Commissioner’s Office on 0303 123 1123, or visit for more information.

Registered with the Information Commissioner's Office - Registration Number: ZA229047

You will also be asked whether or not you agree to anonymised data being used by IAPT. You will be supplied with the following consent form. We need this consent in order to receive funding for your treatment but you can choose to withhold consent:

LWCSS is now part of the NHS Cambridgeshire and Peterborough Clinical Commissioning Group Improving Access to Psychological Therapies (IAPT) Service.

What does this mean to me?

During treatment, you will be asked to complete questionnaires about how you feel, how much progress you are making towards achieving treatment goals, and how helpful you think the service has been. Your therapist will regularly check these with you to make sure they are helping the best they can.

Our request:

Your permission to use answers to these questionnaires, along with information about the care you receive, to collect information about the quality and effectiveness of the services in comparison to other areas of the country. This is nationally mandated.

By signing the consent form you are agreeing that: Your personal details and questionnaire responses will be held securely by Cambridgeshire and Peterborough NHS Foundation Trust on their Primary Care Management Information System (PC-MIS). This is a secure data storage system which inputs into anonymous national analysis.

All the information will be handled securely so only a limited number of authorised people can see it. Any identifying information, such as your name, address, date of birth, and NHS ID, will be removed after the forms have been collated and will not be seen by people analysing the information. No one involved in the handling or analysis of information will release your personal information unless required by law or where there is a clear overriding public interest. The paper forms will be securely destroyed in line with Department of Health Records Management Code of Practice.


1. Statement, Scope and Purpose of Policy

LWCCIC is committed to ensuring that all personal data it handles will be processed according to legally compliant standards of data protection and data security.

An organisation which controls processing activities, involving personal or sensitive data must comply with the General Data Protection Regulation 2018

(GDPR) and the Privacy and Electronic Communications Regulation 2003


The scope of this policy covers all processing activities and supporting information systems involving Personal or Sensitive Data, including data in physical form, stored in a relevant filing system. The scope of this policy also covers all employees, volunteers, contractors, third parties, processors or others who process Personal or Sensitive Data on behalf of LWCCIC.

The purpose of this policy is to ensure that LWCCIC achieves its data protection and data security aims by:

· Notifying staff, volunteers and clients of the types of personal information that we may hold about them, and what we do with that information;

· Setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring that staff and volunteers understand our rules and the legal standards;

· Clarifying the responsibilities and duties of staff in respect of data protection and security.

For the purposes of this policy:

· Data protection laws means all applicable laws relating to the processing of Personal Data, including the General Data Protection Regulation (GDPR);

· Data subject means the individual to whom the personal data relates;

· Personal data means any information that relates to an individual who can be identified from that information;

· Processing means any use that is made of data, including collecting, storing, amending, sharing, transferring, disclosing or destruction;

Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

2. Data Protection Principles

The main purpose of this policy is to draw attention to the responsibilities and duties of LWCCIC in the collection, storage, usage and confidentiality of information held about people. Staff and volunteers whose work involves using personal data must comply with this policy and with the following data protection principles which require that personal information is:

· Processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information, the purpose for which it is processed and to whom it may be shared/disclosed;

· Collected only for specified, explicit and legitimate purposes.

Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data we must first tell the data subject;

· Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject;

· Accurate and all reasonable steps taken to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information;

· Retained only for the period necessary for processing.

Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it;

· Processed securely, in an appropriate manner to maintain security.

3. Roles and Responsibilities

The Board of Directors has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised in this policy.

The Manager is the Senior Information Risk Owner (SIRO) and has overall accountability for the management of information assets held by LWCCIC.

As LWCCIC is a small organisation the Manager is also the lead for Information Governance, Data Security and Protection. They are responsible for overseeing day to day Data Protection and Security issues. This includes developing and maintaining policies, standards, procedures and guidance, coordinating Data Security and Protection in LWCCIC, raising awareness of Data Security and Protection and ensuring that there is ongoing compliance with the policy and its supporting standards and guidelines. They are also to ensure that employees and volunteers are made aware of their responsibilities and they comply with this and associated data protection, information security, information management and information technology processes and procedures.

All staff and volunteers have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out in this policy and to ensure that measures are taken to protect the data security.

All individuals and organisations that process information on behalf of LWCCIC have a responsibility to comply with this and associated data protection, information security, information management and information technology processes and procedures.

4. Personal Data and Activities

This policy covers personal data which:

Relates to a natural living individual who can be identified either from that information in isolation or by reading it with other information we possess;

· Is stored electronically or on paper in a filing system;

· Is in the form of statements of opinion as well as facts;

· Relates to staff or volunteers (present, past or future) or to any other individual whose data we handle or control;

· We obtain, is provided to us, which we hold or store, organise, disclose or share/transfer, amend, retrieve, use, handle, process, transport or destroy.

5. Lawfulness of Processing Data

The Manager ensures that their processing is lawful and documents the lawful grounds for processing. Once a lawful basis is decided it cannot normally be changed.

Where processing involves the data of children, parental consent must be sought, provided and documented. With the exception of storage, processing must cease immediately where there are no longer lawful grounds for processing.

6. Data Protection by Design and Default

Data protection by design and default are key principles in the GDPR, recognising the need for privacy to be ensured through design and maintenance of information systems. It is an approach to project management that promotes privacy and data protection from the start, requiring that appropriate technical and organisational measures are put in place to implement the data protection principles and safeguard individual rights. It is now a legal requirement.

Data protection by design is an approach that ensures we consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. This means that we must integrate and embed data protection into our processing activities and business practices from the very start of an activity or project.

A Data Protection Impact Assessment (DPIA) is a key component of a “data protection by design” approach and senior and line managers are to ensure that a DPIA is completed for all new projects and activities.

Data protection by default requires us to ensure that we only process the data that is necessary to achieve our specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation. Because we have to process some personal data to achieve our purpose, data protection by default means that we need to specify this data before the processing starts, appropriately inform individuals and only process the data that is needed for the purpose.

Our data flow information capture process is a key component of a “data protection by default” approach as the personal data to be processed can be identified at the start of the new project or activity. The Manager will ensure that a data flow chart is completed for all new projects and activities.

Pseudonymisation is a method of ensuring that the principle of data minimisation is satisfied. It is an approach that satisfies the requirements of privacy by design and by default with respect to ensuring the security of data held. Pseudonymised data involves replacing one attribute in a record by another. The natural person is therefore still likely to be identified indirectly. This is often achieved using hashing, encryption or tokenisation of an identifier. For example, in its simplest terms a person’s name is replaced by a number. The question of whether data can be

pseudonymised is to be included and considered as part of the Data Protection

Impact Assessment process.

7. Privacy Notices

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

When you collect personal information from the individual it relates to you must provide them with information at the time you obtain their data. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. This is called “Privacy Information”.

You must provide privacy information to individuals at the time their personal data is collected. If you obtain personal data from other sources you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

You must actively provide privacy information to individuals. You can meet this requirement by putting the information on our website but individuals must be made aware of it and given an easy way to access it. Privacy information must be regularly reviewed and updated.

8. Subject Access Request

Individuals have the right to access their personal data and this is referred to as a Subject Access Request. Individuals can make a subject access request verbally or in writing. The request does not have to be in any particular format, it just has to be clear that the individual is asking for their own personal data. Any request must be responded to within one month of receipt

The Manager will ensure that their staff and volunteers receive appropriate training on how to process subject access requests. All requests are to be logged and forwarded to the Manager for their action. Any response should normally include:

· Whether or not their personal data is processed by us, and if so why;

· The type or categories of data being processed, and the source of the data if not collected direct from the individual;

· To whom the data is or may be disclosed or shared;

· For how long the personal data is stored, or how that period is decided;

· Their right of rectification or erasure of data, or to restrict or object to processing;

· Their right to complain to the Information Commissioner if they think we have failed to comply with their data protection rights;

· A copy of the personal data undergoing processing.

If a request is manifestly unfounded or excessive we may not be obliged to comply with it.

9. Data Breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidently lost or destroyed.

The GDPR makes it clear that when a security incident takes place, we must quickly establish whether a data breach has occurred and, if so, promptly take steps to address it, including telling the Information Commissioner if required.

All data breaches are to be dealt with in accordance with LWCCIC’s Incident Reporting Procedures and the Manager will ensure that their staff and volunteers receive appropriate training on how to deal with and report data breaches.

The Managers will also ensure that following a breach, dependent on the likelihood and severity of any resulting risk to people’s rights and freedoms, notifiable breaches are reported to the Information Commissioner within 72 hours of their becoming aware of the breach.

10. Training

All staff and volunteers are to receive training about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

The Manager is responsible for the implementation the policies, procedures and guidance. As well as formal training, data security and protection is to be included on all meeting agendas and the practicalities and relevance of the policies, and how they apply to “real work situations” is to be discussed and minuted at these meetings.

11. Policy Approval

This policy, and its supporting standards and work instruction, are fully endorsed by the Board of Directors through the production of these documents and their formal


Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal.

12. Related Policies and Guidance

This policy should not be read in isolation. The following policies also include specific and supporting requirements:

  1. Data Protection and Security Policy
  2. Information governance procedures (includes records retention and management, access controls, information transfer and business continuity procedures)
  3. Information Security Policy
  4. Confidentiality Policy
  5. Counsellor confidentiality agreement
  6. Privacy Policy
  7. Privacy Statement
  8. Data Protection Monitoring and Audit Compliance
  9. Information Security Incident Management and Reporting Procedures
  10. Data Quality Policy
  11. Information Flow map and Risk Assessment
  12. Information Asset Register
  13. Risk Assessment of LWCCIC office security
  14. Data Protection Guidelines (includes LWCCIC Information Management, Retention, Processing and Individual Rights Guidance and LWCCIC Data Sharing Code of Practice 2019 with Data Sharing Checklist

For a copy of these policies please contact