Contents
Introduction
Policy Scope
The 8 Data Protection Principles and How to Apply to Marino Counselling Policy

Data Retention
Considerations necessary prior to implementation of this schedule
Data Storage
Destruction Policy
Training and Awareness
Data Security Breach
Appendix 1 Potential Data Security Breach Report
Appendix 2 Personal Data Request Form
Appendix 3 Glossary of Terms

Introduction

Marino Counselling
Data Protection Policy May 2018

The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 govern the
controlling and processing of personal data in Ireland. These Acts are in place to make sure
personal data is collected, stored and used appropriately and in line with the existing and
newly introduced Data Protection Regulations. This document is aimed at giving Marino
Counselling a guide to data protection and to help service users, employees and therapists
(who work at the centre) a reference point.
‘GDPR is the European General Data Protection Regulation which will be in effect from 25th May
2018. This new regulation has been put in place to encourage businesses all over Europe to really
think about data and the protection of it. The idea behind the regulation affecting the data of all EU
citizens, is to give control back to the public. It will ensure that individuals are aware of what data
they are giving, and how it is shared. (Data Protection Commissioner, 2018)
The purpose of gathering data include determining the best therapeutic fit for service users, research
activities, targeting advertisement, recruitment and selection of Therapists and Senior Trainees.

  1. Policy scope
    i. This policy applies to;
    ✔ All Marino Counselling Staff
    ✔ Marino Counselling Directors
    ✔ Therapists and Senior Trainees connected with Marino Counselling
    ✔ Service Users
    ii. This policy covers all personal information including employee information,
    Therapist/Senior Trainee information and Service User information generated in
    Marino Counselling Fairview.
    iii. It applies to all personal data collected and stored in Marino Counselling Fairview
    Dublin. This policy applies to both soft and hard copy data held on Marino
    Counselling systems, on network share drives, on cloud files and emails.
    iv. Where data is being transferred to any third party it is the responsibility of the
    organisation to ensure contractual agreements are in place covering security
    and retention of data.
    v. This data protection policy aims to ensure that Marino Counselling adheres to data
    protection law and applies good practice. It protects the rights of the Directors and
    Staff and is transparent about how it stores and processes individual’s data and
    mitigates from the risk of data breeches.
  1. The 8 Data Protection Principles and How to Apply to Marino Counselling
    Policy

    a) Obtain and process information fairly
    i. The collection of data by Marino Counselling includes a clear
    statement advising the service user and Therapists/Senior Trainees of
    the identity of the controller, the purpose of collecting the data to
    whom it may be disclosed and any other relevant information
    necessary to ensure that all processing meets the requirement of fair
    processing.
    ii. Where Marino Counselling collects sensitive data the data subject
    must give explicit consent to the processing. Appropriate security
    measures will be put in place to ensure confidentiality.
    b) Marino Counselling Policy – Therapist Information
    i. The data controller in Marino Counselling is Alan Oates.
    ii. The data collected on each therapist includes CV’s, Garda Vetting,
    Emails, Phone numbers and Insurance Certificates.
    iii. The purpose of holding CV’s is done as part of the assessment for
    suitability. The CV’s are kept so that Marino Counselling directors can
    refer to these if any issues arise and/or references need to be checked.
    iv. Emails and phone numbers of each therapists’ are kept as these are the
    two main points of contact when referring clients to therapists.
    v. The data collected on Therapists is only disclosed to a third party i.e.
    EAP once the therapist has agreed to this. All mails to third parties
    containing therapist information are encrypted.
    vi. All phone inquiries are asked for their consent before any information
    is passed on
    vii. Therapist CV’s are kept in a password protected file
    c) Marino Counselling – Client Information
    i. Information obtained from clients is only done so to ensure the ‘best
    fit’ when referring on to a therapist
    ii. No identifying information (in the form of emails) is kept on the client
    once the client has been referred onto a therapist. All mails are deleted
    once the client has been placed with a therapist. Any mails that are
    kept a) while we are waiting for consent to pass the mail on b) until we
    know client has been placed. In the case where a person has made an
    enquiry and we are waiting for consent (or a reply) we will only keep
    these mails for one month. After this the mail will be deleted.
    iii. Consent is sought from all callers/mailers before any information is
    passed on (for referral purposes only)
    iv. All information kept on clients is done so on email and is password
    protected. Only Alan and Kevin have the password to the main email
    account.
    d) Keep it only for one or more specified, explicit and lawful purposes.
    i. Marino Counselling will keep data for purposes that are specific, lawful and
    clearly stated. Primary purposes include:
    ✔ The assessment and management of applications by
    Therapists/Senior Trainees to Marino Counselling (CV’s)
    ✔ The creation of files for each Therapists for Transfer to EAP’s
    (Therapist consent obtained)
    ✔ The creation of files for each Therapist/Senior Trainee containing
    current Garda Vetting Certificates and Insurance Certificates
    ✔ For the purpose of finding the best Therapeutic fit for a Service
    User
    ✔ Compliance with regulatory, legal and tax laws and regulations
    ii. Secondary purposes include information sharing to current to
    Therapists linked to Marino Counselling. Marketing to existing
    and potential Service Users and Therapists. Where an individual
    gives Marino Counselling their personal data for one purpose
    Marino Counselling will get their consent if they want to use that
    information for any other purpose.
    e) Basis for Processing Personal Data is as follows:
    i. Consent: the individual has given clear consent for you to process
    their personal data emails). We note that a person must give their
    consent and that ‘silence’ or ‘not saying no’ does not mean
    consent
    ii. Legitimate interests: the processing is necessary for our
    legitimate interests or the legitimate interests of a third party
    unless outweighed by the data subject’s interests. It is likely to be
    most appropriate where you use people’s data in ways they would
    reasonably expect, and which have a minimal privacy impact, or
    where there is a compelling justification for the processing.
    f) Lawful Basis for Special Categories of Personal Data is as follows:
    i. The data subject has given explicit consent to the processing of
    their personal data for one or more specified purposes.
    ii. Processing is necessary for the purposes of preventive or
    occupational medicine (Under the Category of Health)
    g) Use and disclose it only in ways compatible with these purposes
    i. Marino Counselling will ensure that any use and disclosure will
    only happen for the purposes or compatible with the purposes for
    which the data is collected or otherwise in compliance with Data
    Protection legislation.
    ii. Persons to whom data may be disclosed include the following:
    ✔ Persons acting on the person’s behalf e.g solicitors
    ✔ The Service User whom the information concerns
    ✔ One of the Therapist’s linked to Marino Counselling
    ✔ An individual’s General Practitioner in the case where a
    Service User might disclose the intention to Self Harm,
    Harm another or Sexual Abuse of a minor. A contract of
    agreement is recommended standard practice for all
    therapists linked to Marino Counselling to include the
    limitations of confidentiality.
    ✔ The Garda Siochana, or any other person who is authorised
    by law to access service’s records. Such requests must be
    in writing and quoting the basis on which access is sought.
    h) Keep it safe and secure
    i. Marino Counselling will ensure that appropriate security measures are
    taken against unauthorised access to or alteration, disclosure or
    destruction of the data and against their accidental loss or destruction.
    This will include appropriate procedures in relation to back up data.
    Particular focus will be placed on the security of personal data held on
    portable devices/cloud files, with appropriate security measures such
    as password protection/Encryption. To increase the safety and security
    of personal data Marino Counselling are buying their own
    server/email which will be password protected/encrypted
    ii. On a going forward basis developments of the Marino Counselling IT
    systems will aim to ensure that access to personal data being logged
    can be audited. The aim is to include access on a read only basis. Such
    logs will be routinely checked on a random basis to ensure that access
    is appropriate. Our aim at Marino Counselling is to ensure that robust
    procedures for limiting access to personal data are in place, that staff
    are aware of these limits and that any breaches can be identified.
    iii. Marino Counselling has a confidentiality policy in place to the
    collection, processing, keeping and use of sensitive data. Access to
    sensitive data will be restricted to authorised staff. Some examples of
    good practice are shown below:
    iv. Using password protected screensavers to hide any information on
    workstations whilst taking breaks.
    v. Marino Counselling email ‘logged out’ each evening
    vi. Manual data kept in filing cabinet under lock and key with only two
    key holders
    vii. Protecting manual files and to disallow any unauthorised access,
    destruction, modification or photocopying.
    viii. Operate a “Clean desk policy” to ensure no personal data is lying
    around for others to see
    i) Keep it accurate, complete and up to date.
    i. Marino Counselling will keep data complete and up-to-date as it is
    given by the Therapists/Senior Trainees.
    ii. Therapists can ask for their data to be corrected where it is found to
    be incorrect
    iii. This will be achieved through the correction of incorrect data in line
    with the Data Protection Acts including where this is identified by
    the data subject to be the case in a verifiable way.
    j) Ensure that it is adequate relevant and not excessive.
    i. Marino Counselling will only collect information that is necessary for
    the purposes needed. The method of seeking information from Service
    Users/Therapists/Senior Trainees will be checked on an ongoing basis
    to ensure that only relevant information is sought and provided.
    ii. Marino Counselling will only collect data that directly relates to
    the purposes for which it is being collected. Marino Counselling
    will not ask for more information than needed.
    k) Retain if for no longer that is necessary for the purpose or purposes.
    i. Marino Counselling has a data retention policy. Client information
    (held on site) will be held for a period of six years after the ending of
    the therapeutic relationship. Currently there is no need to hold client
    information on site.
    ii. All Marino CounsellingTherapists will retain their own client
    information offsite and for a period outlined by their
    Insurers/Awarding Body.
    iii. Where an individual inquiry about Marino Counselling services but
    does not subsequently engage with the services or is referred on
    details will be kept on file for a period of one month to facilitate a
    subsequent engagement.
    l) Give a copy of his/her personal data to that individual on request
    i. Marino Counselling has a procedure in place to ensure that subject
    access requests are dealt with in accordance with the Data
    Protection Acts.
    ii. Service Users/Therapists/Senior Trainees have the right:
    iii. To enquire if any information is held about them
    iv. To request a copy of the information held
    v. To have any inaccurate data corrected
    vi. To have their names removed from any mailing lists etc. (Insurance
    Certificates/Garda Vetting/CV’s will not be removed while a Therapist/Senior
    Trainee is still working with Marino Counselling)
    m) Enquiry Timescales
    i. 21 days to respond to an enquiry as to whether information is held
    on computer or not (NO FEE)
    ii. 40 days (from receipt of formal written request) to provide
    customer with a copy of their information. Discretionary –
    donation to a charity
    iii. Any inaccurate data corrected – (NO FEE).
  1. Data Retention

    i. The purpose of a Data Retention policy is to ensure that Marino
    Counselling have clear and enforceable instructions around how long
    to retain data. Having a data retention policy will enable the Marino
    Counselling to be in compliance with the Data Protection Acts Rule 7
    which states that in relation to Personal Data that the data shall not be
    kept for longer than is necessary for that purpose or those purposes.
    ii. The objective of this policy is to ensure that;
    ✔ Guidance exists so that retention limits can be set for data
    which complies with the Data Protection Acts and all other
    relevant legislation
    ✔ Once retention limits are reached, the data is either
    automatically destroyed or reviewed for destruction
    ✔ Retained data is held securely
    ✔ All data marked for destruction is comprehensively and
    securely destroyed (Shredded)
    ✔ All relevant staff are informed on how to comply with Data
    Retention policy

4. Considerations necessary prior to implementation of this schedule

i. If under investigation or if litigation is likely, retain files as they may be used as
evidence.
ii. On-going legislative requirements.
Figure 1. Retention Limits
The below schedule is taken from the IACP Data Protection Policy and will be used as a guideline for
Marino Counselling.
Type of Record and Retention Period
Voice Recordings (for training 6 months from date call was recorded
and/ or verification purposes)
Employee Paper Data Retention 7 years after employee has left the organisation
Member’s Data 7 years from the date the individual’s membership has lapsed
Unsuccessful Application Data 7 years from date the application is deemed unsuccessful
Deceased Members Data 1 Year from the date Marino Counselling are notified of the death
Payment Information Card payment details will be inputted to a secure online
payment facility at the point of purchase
Complaints 7 years from the date the complaint is finalised
Minutes of Meetings (with Indefinitely
Directors)
Garda Vetting Applications are kept for a one year period from the date they
are approved.

  1. Data Storage
    i. All storage of data will be kept in line with the Data Protection
    guidelines.
    ii. Notes belonging to clients will be kept by each individual therapist on
    their respective clients.
    iii. It is recommended that these notes are coded with no identifying
    information (eg. Age, DOB, Phone, Email, Address).
    iv. It is recommended that therapists keep client intake forms (with
    identifying information) separate to their client notes. Marino
    Counselling recommends that Therapists keep their notes locked away
    in a room that is also locked.
    v. Marino Counselling does not keep any personal information on Service
    Users in a hard copy format on Site.
    vi. Marino Counselling will protect data according to the sensitivity of
    that information and will protect that information in line with that
    sensitivity.
    vii. Marino Counselling is aware that data retention guidelines apply to all
    data stored manually and electronically, the transfer of data internally
    and externally, and the protection from outside intrusion via internet
    and physical theft.
  1. Destruction Policy
    i. The destruction of records in relation to Marino Counselling will take
    place as part of a managed process and documented. Marino Counselling
    does not take responsibility for documents held by Therapists working at
    Marino Counselling and leaves the destruction of client documents up to
    the individual Therapists.
    ii. A clearly defined procedure for reviewing and selecting records for
    disposal and must ensure:
    ✔ All records held are retained in accordance with the Data protection
    guidelines.
    ✔ Records are disposed of in line with the level of detail contained in them.
    ✔ Data remaining is organised and labelled to maintain the integrity
    of the filing system.
  1. Training and Awareness
    i. All employees of Marino Counselling will be made aware of the impact of
    the Data Retention policy on their day-to-day interaction with service user
    information.
    ii. All Therapists linked to Marino Counselling will be made aware that the
    GDPR polices apply to them as individual practitioners and that they are
    asked to act in line with these.

 

  1. Data security breach
    i. Occurs when there is unauthorised access to, collection, use, disclosure
    or disposal of personal information.
    ii. This type of breach can occur for several reasons including:
    o Loss or theft of data or equipment on which data is stored;
    o Inappropriate access controls allowing unauthorised use;
    o Equipment failure;
    o Human Error;
    o Unforeseen circumstances such as a flood or fire;
    o A hacking attack;
    o Access where information is obtained by deceiving the
    organisation that holds it.

    iii. A record is defined under the Freedom of Information Acts 1997 and
    2003 as “any memorandum, book, plan, map, drawing, diagram, pictorial
    or graphic work or other document, any photograph, film or recording
    (whether of sound or images or both), any form in which data (within the
    meaning of the Data Protection Act, 1988 and 2003) are held, any other
    form (including machine-readable form) or device in which information
    is held or stored manually, mechanically or electronically and anything
    that is a part or a copy, in any form of any of the foregoing or is a
    combination of two or more of the foregoing” (Freedom of Information
    Act, 1997, 2003
    a) Data Security Breach Guidelines
    i. As a data controller, Marino Counselling processes personal data and
    appropriate measures require to be taken against the unauthorised or
    unlawful processing and accidental loss, destruction of or damage to
    personal data. It is, therefore, essential that in the event of a data security
    breach, appropriate action is taken by Marino Counselling to minimise
    any associated risks as soon as possible.
    ii. The purpose of these guidelines is to set out the processes that represent
    best practice in the event of a data security breach involving personal
    data or sensitive personal data. These guidelines are a supplement to
    Marino Counselling’s Data Protection Policy which affirms its
    commitment to protect the privacy rights of individuals in accordance
    with Data Protection legislation.
    b) Responding to a Potential Data Security Breach
    i. In line with best practice, these guidelines outline five stages to managing a
    response to a breach:
    Stage 1: Identification and Classification
    i. If a data security breach has occurred, this must be reported
    immediately to the staff member responsible for data protection
    (currently Alan Oates – Director) and to the second Director Alan
    Oates.
    Stage 2: Containment and Recovery
    i. The aim of the Marino Counselling staff member is to limit the scope and
    impact of the data security breach. If a breach has occurred, appropriate
    action will be taken by the relevant Marino Counselling staff to minimise
    any associated risks which may include:
    ✔ Establishing who within Marino Counselling needs to be made
    aware of the breach and ensuring relevant staff/Directors are
    informed what is required to assist in the containment exercise;
    ✔ Establishing whether there are any actions which may recover
    losses and limit the damage the breach can cause;
    ✔ Where appropriate, informing the Gardaí.
    Stage 3: Risk Assessment
    i. In assessing the risk arising from a data security breach, the relevant
    Marino Counselling staff are required to consider the potential
    adverse consequences for individuals, i.e. how likely are adverse
    consequences to materialise and, if so, how serious or substantial are
    they likely to be. The information provided by the individual
    reporting the breach can assist with this stage.
    Stage 4: Notification of Breaches
    i. In accordance with the Office of the Data Protection Commissioner’s
    (ODPC) “Personal Data Security Code of Practice“, all incidents in which
    personal data has been put at risk must be reported to the ODPC within 2
    days of Marino Counselling becoming aware of the incident, however,
    incidents do not have to be reported to the ODPC when:
    ✔ the full extent and consequences of the incident has been
    reported without delay directly to the affected data
    subject(s) and
    ✔ it affects no more than 100 data subjects and
    ✔ it does not include sensitive personal data or personal data of a financial
    nature.
    Stage 5: Evaluation and Response
    i. Subsequent to a data security breach, a review of the incident by the staff
    member responsible for data protection and Management will occur to
    ensure that the steps taken during the incident were appropriate and to
    identify areas that may need to be improved
    Appendix 1:
    Potential Data Security Breach Report
    (Taken from IACP)
    Please complete the following questions in order to ascertain if a data security breach has
    occurred and return the completed form the staff member responsible for data protection.

What type of data is involved? _________________________________________________________
Does it fall under the definitions of personal
data and/or sensitive personal data outlined
above? ________________________________________________________________________________
If so, the following information must be provided
Details of the breach ___________________________________________________________________
Date and time incident occurred (if known) _____________________________________________
Date and time incident detected _______________________________________________________
Name of person reporting incident_____________________________________________________
Details on how the data was held, e.g. laptop,
memory stick, personal digital assistant etc. ___________________________________________
Details of safeguards (e.g. encryption), if any,
that would mitigate the risk if data has been
lost or stolen ___________________________________________________________________________
Are there any reasons to suspect that the
passwords used to protect the data may have
been compromised? (e.g. password stored with
mobile device or weak password used) _________________________________________________
Details of the number of individuals whose
information is at risk, i.e. how many individuals’
personal data are affected by the breach? _______________________________________________
Who are the individuals whose data has been
breached – are they staff, students, suppliers,
third parties etc? ________________________________________________________________________
What could the data tell a third party about the
individual? ______________________________________________________________________________
Any other information ___________________________________________________________________

Appendix 2: Personal Data Request Form
Alan Oates
21 Fairview
Clontarf, Dublin 3, D03 K4H0


Dear Sir/Madam,
I wish to make an access request under the Data Protection Acts 1988 and 2003 for a
copy of any information you keep about me, on computer or in manual form. I am making
this request under section 4 of the Data Protection Acts.
Regards,
Signed: ______________________________________________
Full Name: ___________________________________________
Date: _______________________________________________
Name (please print): ___________________________________________
Address: _____________________________________________________



Date when (if ever) you last made a request of this nature to Marino Counselling:


Please Note:

  1. Request in writing should be made and signed by the applicant in person.
  2. Within the terms of the Data Protection Act 1988/2003, Marino Counselling will
    respond to your request for personal data within 40 days.
  3. Please donate something to charity
  4. In order for us to protect the security of personal data, it is necessary for you to provide
    proof of your identity. Please contact the Marino Counselling to receive a list of
    acceptable documents.
    Requests should be submitted to: Alan Oates, 21 Fairview Clontarf, Dublin 3, D03 K4H0

Appendix 3: Glossary of Terms
As with any legislation, certain terms have particular meaning. The following are
some useful definitions:
Data means information in a form which can be processed. It includes both automated
data and manual data.
Automated data means, broadly speaking, any information on computer, or information
recorded with the intention of putting it on computer.
Manual data means information that is kept as part of a relevant filing system, or with the
intention that it should form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is
structured by reference to individuals, or by reference to criteria relating to individuals, so
that specific information is accessible.
Personal data means data relating to a living individual who is or can be identified either
from the data or from the data in conjunction with other information that is in, or is likely to
come into, the possession of the data controller. This can be a very wide definition depending
on the circumstances.
Processing means performing any operation or set of operations on data, including: –
obtaining, recording or keeping data, – collecting, organising, storing, altering or adapting the
data, – retrieving, consulting or using the data, – disclosing the information or data by
transmitting, disseminating or otherwise making it available, – aligning, combining, blocking,
erasing or destroying the data.
Data Subject is an individual who is the subject of personal data. Data Controllers are
those who, either alone or with others, control the contents and use of personal data.
Data Controllers is a body that, either alone or with others, controls the contents and
use of personal data. It can be either legal entities such as companies, Government
Departments or voluntary organisations, or they can be individuals such as G.P.’s,
pharmacists or sole traders.
Data processor is a person who processes personal data on behalf of a data controller, but
does not include an employee of a data controller who processes such data in the course of
his/her employment. Again individuals such as G.P.’s, pharmacists or sole traders are
considered to be legal entities.
Sensitive personal data relates to specific categories of data which are defined as data
relating to a person’s racial origin; political opinions or religious or other beliefs; physical or
mental health; sexual life; criminal convictions or the alleged commission of an offence; trade
union membership. You have additional rights in relation to the processing of any such data.