Data Protection Policy

This policy/procedure document should be read as an element of the Policies and Procedures governing the management of Waterloo Community Counselling. The following policies and procedures have been agreed by the Board of Trustees of WCC and are reviewed biannually. The date each policy is agreed is noted at the end of this document together with the next review date:

Should you have any questions about this or any of the above policies, please address your query to the Director, Waterloo Community Counselling.

1. Policy Statement

1.1 Waterloo Community Counselling (WCC) is committed to protecting the rights and privacy of individuals, clients, employees and others in accordance with The General Data Protection Regulation 2018 and other relevant legislation. The policy applies to all staff, freelance employees and volunteer workers at WCC. Any breach of The General Data Protection Regulation is considered to be an offence and, in that event, disciplinary procedures apply (see Discipline and Conduct Policy).
1.2 As a matter of good practice, other organisations and individuals working with WCC who have access to personal identifiable information (PII) will be expected to have read and comply with this policy.

2. Legal Requirements

2.1 All data are protected by the General Data Protection Regulation (GDPR) 2018. The purpose of this Act is to protect the rights and privacy of individuals and to ensure that personal data are not processed without their knowledge, and, wherever possible, are processed with their consent.
2.2 The General Data Protection Regulation sets out good practice for dealing with personal information. The GDPR looks to ensure that individuals have more control over how their personal information is used, shared and updated.

3. Data Protection Principles

WCC meets the definition of a ‘data controller’ as specified in the GDPR, namely ‘a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.’

The GDPR includes the following principles:

a) Personal information is processed lawfully, fairly and in a transparent manner in relation to individuals
Under GDPR there are six lawful bases for processing data. The ones that WCC is most likely to rely on when it is processing PII are ‘Legitimate Interest’ and ‘Consent’. Consent is where the individual has explicitly given consent for the processing of their data for a specific purpose by opting in. In the majority of cases WCC will seek to gain consent initially. However, there may be occasions where consent is not possible, and Legitimate Interest shall then be used as the lawful basis for processing data. Legitimate Interest is where the processing is necessary for WCC’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. Wherever WCC uses Legitimate Interest as the lawful basis, it shall always complete a Legitimate Interest Assessment to ensure that there is no other lawful basis for processing and that the individual’s rights are not overridden.
An example of where WCC relies on legitimate interest is where it would like to contact clients about relevant and appropriate counselling services, such as the Farsi speaking group therapy (MECS).
WCC will always be transparent about how it intends to use the data it collects. This will be presented in a privacy notice, which is provided to individuals before data collection. WCC will make the privacy notice accessible to all, by ensuring that appropriate translators are present or that the notice is read to the individual. Our counsellors will also confirm that they have evaluated the individual to be of sound mind so as to understand the notice provided.

b) Personal information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
This means that WCC must have legitimate grounds for collecting and using personal data; WCC must not use the data in ways that have unjustified adverse effects on the individuals concerned; WCC must be transparent about how it intends to use the data, and give individuals appropriate privacy notices when collecting their personal data; WCC must handle people’s personal data only in ways they would reasonably expect; and WCC must ensure that it does not do anything unlawful with the data.

c) Personal information shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
WCC will only hold such data as are adequate and relevant to the purposes for which the data are collected, avoiding the dangers of holding too much or too little data. If data given or obtained are excessive for such purpose, they will be immediately deleted or destroyed.
WCC will also review the data it has regularly to ascertain if it is still required for the original purpose for which it was given.

d) Personal information shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
WCC will provide clients, staff and others associated with WCC, where appropriate, with a copy of their data. Counsellors and staff will be responsible for keeping their clients’ information up to date, using the CRM. Under GDPR individuals have the right to access their data and request that any amendments are made.
All amendments will be made as soon as possible, but no later than 14 working days after the request has been made. WCC will give individuals and organisations whose data it holds the opportunity to regularly update their data by emailing As part of good practice WCC will make a note on the CRM as to the date of the update, along with who made the request.

e) Personal information shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
WCC discourages the retention of data for longer than it is required.
Client records will not be kept for longer than 5 years after the client’s counselling session finishes. This allows for situations where complaints may arise and notes may need to be referred to; the client’s GP or solicitors require information (only to be provided with the client’s consent); they return to counselling and records can be accessed to provide them with a quality service; or records need to be kept so that anonymised statistics can be used for feedback purposes to our funders and other partners.
Financial records will be held for 7 years in accordance with HMRC guidelines.
A full retention record will be kept, regularly updated and available to all staff.
All records after these periods will have their details anonymised (if required for statistical purposes) and then deleted securely. Under GDPR individuals have the right to be forgotten. Any such request can be made in writing to, or Data, Waterloo Community Counselling, Barley Mow Clinic, Greet House, Frazier Street, London, SE1 7BD and will be actioned as soon as possible, but no later than 30 days after the initial request (see Subject Access Rights Policy for more details).

f) Personal information shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
WCC will implement all appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. This could include always using the cloud to store work and using password/encryption protection on computers and devices used for WCC work.
Where staff or contractors use their own devices for WCC work, they shall abide by the Bring Your Own Device (BYOD) Policy.
Clients’ data shall not be shared with third parties, unless the client has given explicit consent for WCC to do so.

4. Responsibility for WCC’s compliance with GDPR

4.1 GDPR is to be embraced by WCC and each staff member/contractor should be responsible for GDPR within their own work areas. Staff will have been trained, been given guidance and presented with this policy, so that they are aware of GDPR, how to comply and their responsibilities with regard to GDPR and protecting data.
4.2 Marisa Matos has been given the responsibility of co-ordinating WCC’s GDPR efforts and ensuring understanding and compliance among staff, including new starters.
4.3 The Director and Board of Trustees have overall responsibility for compliance with GDPR, but individual members of staff, as well as contractors hired for specific projects, are responsible for the proper use of the data they process.

5. Data Protection by design

Data Protection by design means that when WCC is commissioning or developing a new piece of work, software or technology, it will ensure that data protection and GDPR compliance is integrated into the planning stage. This seeks to ensure that WCC is always mindful about how its activities will impact data protection and ensure that it is complying with GDPR.

6. WCC’s responsibilities for Data Protection and confidential information

WCC will ensure that there is someone with specific responsibility for data protection in the organisation. The nominated person is currently Marisa Matos.

WCC will ensure that:
• Everyone managing and handling personal information understands that they are responsible for following good data protection practice
• This policy is available to each member of staff/ contractor/ volunteer
• Everyone managing and handling personal information is appropriately trained and supervised
• Contractors and external agencies who may process WCC data are aware of their responsibilities and that this is reflected within their contracts and terms.
• Queries about handling personal information are promptly and courteously dealt with and clear information is available to all staff
• Any data protection breaches are reported to the CEO, the Board of Trustees and, if necessary, to the ICO within 72 hours (see Data Protection Incident Reporting Policy)

7. Staff/ contractor/ volunteer responsibilities for data protection and confidential information

• All staff/ contractors/ volunteers should be aware of the requirements of GDPR and how the rules apply to them
• All staff/ contractors/ volunteers will be informed and given appropriate training and information about data protection
• All staff/ contractors/ volunteers have a responsibility to ensure that they respect confidential information in their possession and maintain information security.
• All staff/ contractors/ volunteers are responsible for ensuring personal information is kept no longer than is necessary

Agreed by chair of Trustees on: 1.3.20
Review date agreed: 1.3.23