Contents
Introduction
Policy Scope
The 8 Data Protection Principles and How to Apply to Marino Counselling Policy

Data Retention
Considerations necessary prior to implementation of this schedule
Data Storage
Destruction Policy
Training and Awareness
Data Security Breach
Appendix 1 Potential Data Security Breach Report
Appendix 2 Personal Data Request Form
Appendix 3 Glossary of Terms

Introduction

Marino Counselling
Data Protection Policy May 2018

The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 govern the
controlling and processing of personal data in Ireland. These Acts are in place to make sure
personal data is collected, stored and used appropriately and in line with the existing and
newly introduced Data Protection Regulations. This document is aimed at giving Marino
Counselling a guide to data protection and at giving service users, employees and therapists
(who work at the centre) a reference point.
‘GDPR is the European General Data Protection Regulation which will be in effect from 25th May
2018. This new regulation has been put in place to encourage businesses all over Europe to really
think about data and the protection of it. The idea behind the regulation affecting the data of all EU
citizens is to give control back to the public. It will ensure that individuals are aware of what data
they are giving, and how it is shared.’ (Data Protection Commissioner, 2018)
The purposes of gathering data include determining the best therapeutic fit for service users, research
activities, targeting advertisement, recruitment and selection of Therapists and Senior Trainees.

  1. Policy scope
    i. This policy applies to:
    ✔ All Marino Counselling Staff
    ✔ Marino Counselling Directors
    ✔ Therapists and Senior Trainees connected with Marino Counselling
    ✔ Service Users
    ii. This policy covers all personal information including employee information,
    Therapist/Senior Trainee information and Service User information generated in
    Marino Counselling Fairview.
    iii. It applies to all personal data collected and stored in Marino Counselling Fairview
    Dublin. This policy applies to both soft and hard copy data held on Marino
    Counselling systems, on network share drives, on cloud files and emails.
    iv. Where data is being transferred to any third party it is the responsibility of the
    organisation to ensure contractual agreements are in place covering security
    and retention of data.
    v. This data protection policy aims to ensure that Marino Counselling adheres to data
    protection law and applies good practice. It protects the rights of the Directors and
    Staff, is transparent about how it stores and processes individuals’ data and
    mitigates the risk of data breaches.
  2. The 8 Data Protection Principles and How to Apply to Marino Counselling Policy

    a) Obtain and process information fairly
    i. The collection of data by Marino Counselling includes a clear
    statement advising the service user and Therapists/Senior Trainees of
    the identity of the controller, the purpose of collecting the data, to
    whom it may be disclosed and any other relevant information
    necessary to ensure that all processing meets the requirement of fair
    processing.
    ii. Where Marino Counselling collects sensitive data the data subject
    must give explicit consent to the processing. Appropriate security
    measures will be put in place to ensure confidentiality.
    b) Marino Counselling Policy – Therapist Information
    i. The data controller in Marino Counselling is Alan Oates.
    ii. The data collected on each therapist includes CVs, Garda Vetting,
    Emails, Phone numbers and Insurance Certificates.
    iii. CVs are held as part of the assessment for suitability. The CVs are
    kept so that Marino Counselling directors can refer to these if any
    issues arise and/or references need to be checked.
    iv. The email and phone number of each therapist are kept as these are the
    two main points of contact when referring clients to therapists.
    v. The data collected on Therapists is only disclosed to a third party (i.e.
    an EAP) once the therapist has agreed to this. All mails to third parties
    containing therapist information are encrypted.
    vi. All callers making phone enquiries are asked for their consent before
    any information is passed on.
    vii. Therapist CVs are kept in a password protected file.
    c) Marino Counselling – Client Information
    i. Information is obtained from clients only to ensure the ‘best
    fit’ when referring on to a therapist.
    ii. No identifying information (in the form of emails) is kept on the client
    once the client has been referred on to a therapist. All mails are deleted
    once the client has been placed with a therapist. Mails are kept only a)
    while we are waiting for consent to pass the mail on and b) until we
    know the client has been placed. In the case where a person has made an
    enquiry and we are waiting for consent (or a reply) we will only keep
    these mails for one month. After this the mail will be deleted.
    iii. Consent is sought from all callers/mailers before any information is
    passed on (for referral purposes only).
    iv. All information kept on clients is held on email and is password
    protected. Only Alan and Kevin have the password to the main email
    account.
    d) Keep it only for one or more specified, explicit and lawful purposes.
    i. Marino Counselling will keep data for purposes that are specific, lawful and
    clearly stated. Primary purposes include:
    ✔ The assessment and management of applications by
    Therapists/Senior Trainees to Marino Counselling (CVs)
    ✔ The creation of files for each Therapist for transfer to EAPs
    (Therapist consent obtained)
    ✔ The creation of files for each Therapist/Senior Trainee containing
    current Garda Vetting Certificates and Insurance Certificates
    ✔ For the purpose of finding the best Therapeutic fit for a Service
    User
    ✔ Compliance with regulatory, legal and tax laws and regulations
    ii. Secondary purposes include information sharing with current
    Therapists linked to Marino Counselling and marketing to existing
    and potential Service Users and Therapists. Where an individual
    gives Marino Counselling their personal data for one purpose,
    Marino Counselling will get their consent if they want to use that
    information for any other purpose.
    e) Basis for Processing Personal Data is as follows:
    i. Consent: the individual has given clear consent for you to process
    their personal data (e.g. emails). We note that a person must give their
    consent and that ‘silence’ or ‘not saying no’ does not mean
    consent.
    ii. Legitimate interests: the processing is necessary for our
    legitimate interests or the legitimate interests of a third party
    unless outweighed by the data subject’s interests. It is likely to be
    most appropriate where you use people’s data in ways they would
    reasonably expect, and which have a minimal privacy impact, or
    where there is a compelling justification for the processing.
    f) Lawful Basis for Special Categories of Personal Data is as follows:
    i. The data subject has given explicit consent to the processing of
    their personal data for one or more specified purposes.
    ii. Processing is necessary for the purposes of preventive or
    occupational medicine (Under the Category of Health)
    g) Use and disclose it only in ways compatible with these purposes
    i. Marino Counselling will ensure that any use and disclosure will
    only happen for the purposes or compatible with the purposes for
    which the data is collected or otherwise in compliance with Data
    Protection legislation.
    ii. Persons to whom data may be disclosed include the following:
    ✔ Persons acting on the person’s behalf, e.g. solicitors
    ✔ The Service User whom the information concerns
    ✔ One of the Therapists linked to Marino Counselling
    ✔ An individual’s General Practitioner in the case where a
    Service User might disclose an intention to self-harm or to
    harm another, or the sexual abuse of a minor. A contract of
    agreement is recommended standard practice for all
    therapists linked to Marino Counselling to include the
    limitations of confidentiality.
    ✔ The Garda Síochána, or any other person who is authorised
    by law to access the service’s records. Such requests must be
    in writing and quote the basis on which access is sought.
    h) Keep it safe and secure
    i. Marino Counselling will ensure that appropriate security measures are
    taken against unauthorised access to or alteration, disclosure or
    destruction of the data and against its accidental loss or destruction.
    This will include appropriate procedures in relation to backup data.
    Particular focus will be placed on the security of personal data held on
    portable devices/cloud files, with appropriate security measures such
    as password protection/encryption. To increase the safety and security
    of personal data Marino Counselling are buying their own
    server/email which will be password protected/encrypted.
    ii. Going forward, developments of the Marino Counselling IT systems will
    aim to ensure that access to personal data is logged and can be audited.
    The aim is to include access on a read only basis. Such logs will be
    routinely checked on a random basis to ensure that access is
    appropriate. Our aim at Marino Counselling is to ensure that robust
    procedures for limiting access to personal data are in place, that staff
    are aware of these limits and that any breaches can be identified.
    iii. Marino Counselling has a confidentiality policy in place covering the
    collection, processing, keeping and use of sensitive data. Access to
    sensitive data will be restricted to authorised staff. Some examples of
    good practice are shown below:
    ✔ Using password protected screensavers to hide any information on
    workstations whilst taking breaks.
    ✔ Marino Counselling email is ‘logged out’ each evening.
    ✔ Manual data is kept in a filing cabinet under lock and key with only two
    key holders.
    ✔ Protecting manual files to disallow any unauthorised access,
    destruction, modification or photocopying.
    ✔ Operating a “Clean desk policy” to ensure no personal data is lying
    around for others to see.
    i) Keep it accurate, complete and up to date.
    i. Marino Counselling will keep data complete and up-to-date as it is
    given by the Therapists/Senior Trainees.
    ii. Therapists can ask for their data to be corrected where it is found to
    be incorrect
    iii. This will be achieved through the correction of incorrect data in line
    with the Data Protection Acts including where this is identified by
    the data subject to be the case in a verifiable way.
    j) Ensure that it is adequate, relevant and not excessive.
    i. Marino Counselling will only collect information that is necessary for
    the purposes needed. The method of seeking information from Service
    Users/Therapists/Senior Trainees will be checked on an ongoing basis
    to ensure that only relevant information is sought and provided.
    ii. Marino Counselling will only collect data that directly relates to
    the purposes for which it is being collected. Marino Counselling
    will not ask for more information than needed.
    k) Retain it for no longer than is necessary for the purpose or purposes.
    i. Marino Counselling has a data retention policy. Client information
    (held on site) will be held for a period of six years after the ending of
    the therapeutic relationship. Currently there is no need to hold client
    information on site.
    ii. All Marino Counselling Therapists will retain their own client
    information offsite and for a period outlined by their
    Insurers/Awarding Body.
    iii. Where an individual enquires about Marino Counselling services but
    does not subsequently engage with the services or is referred on,
    details will be kept on file for a period of one month to facilitate a
    subsequent engagement.
    l) Give a copy of his/her personal data to that individual on request
    i. Marino Counselling has a procedure in place to ensure that subject
    access requests are dealt with in accordance with the Data
    Protection Acts.
    ii. Service Users/Therapists/Senior Trainees have the right:
    ✔ To enquire if any information is held about them
    ✔ To request a copy of the information held
    ✔ To have any inaccurate data corrected
    ✔ To have their names removed from any mailing lists etc. (Insurance
    Certificates/Garda Vetting/CVs will not be removed while a Therapist/Senior
    Trainee is still working with Marino Counselling)
    m) Enquiry Timescales
    i. 21 days to respond to an enquiry as to whether information is held
    on computer or not (NO FEE)
    ii. 40 days (from receipt of formal written request) to provide
    customer with a copy of their information. Discretionary –
    donation to a charity
    iii. Any inaccurate data corrected – (NO FEE).
  3. Data Retention

    i. The purpose of a Data Retention policy is to ensure that Marino
    Counselling have clear and enforceable instructions around how long
    to retain data. Having a data retention policy will enable Marino
    Counselling to be in compliance with the Data Protection Acts Rule 7,
    which states that Personal Data shall not be kept for longer than is
    necessary for that purpose or those purposes.
    ii. The objective of this policy is to ensure that:
    ✔ Guidance exists so that retention limits can be set for data
    which complies with the Data Protection Acts and all other
    relevant legislation
    ✔ Once retention limits are reached, the data is either
    automatically destroyed or reviewed for destruction
    ✔ Retained data is held securely
    ✔ All data marked for destruction is comprehensively and
    securely destroyed (Shredded)
    ✔ All relevant staff are informed on how to comply with Data
    Retention policy

  4. Considerations necessary prior to implementation of this schedule

    i. If under investigation or if litigation is likely, retain files as they may be used as
    evidence.
    ii. On-going legislative requirements.
    Figure 1. Retention Limits
    The below schedule is taken from the IACP Data Protection Policy and will be used as a guideline for
    Marino Counselling.
    Type of Record: Retention Period
    Voice Recordings (for training and/or verification purposes): 6 months from the date the call was recorded
    Employee Paper Data Retention: 7 years after the employee has left the organisation
    Member’s Data: 7 years from the date the individual’s membership has lapsed
    Unsuccessful Application Data: 7 years from the date the application is deemed unsuccessful
    Deceased Members’ Data: 1 year from the date Marino Counselling are notified of the death
    Payment Information: Card payment details will be inputted to a secure online payment facility at the point of purchase
    Complaints: 7 years from the date the complaint is finalised
    Minutes of Meetings (with Directors): Indefinitely
    Garda Vetting: Applications are kept for a one year period from the date they are approved.

  5. Data Storage
    i. All storage of data will be kept in line with the Data Protection
    guidelines.
    ii. Notes belonging to clients will be kept by each individual therapist on
    their respective clients.
    iii. It is recommended that these notes are coded with no identifying
    information (e.g. age, DOB, phone, email, address).
    iv. It is recommended that therapists keep client intake forms (with
    identifying information) separate to their client notes. Marino
    Counselling recommends that Therapists keep their notes locked away
    in a room that is also locked.
    v. Marino Counselling does not keep any personal information on Service
    Users in a hard copy format on Site.
    vi. Marino Counselling will protect data in line with the sensitivity of
    that information.
    vii. Marino Counselling is aware that data retention guidelines apply to all
    data stored manually and electronically, the transfer of data internally
    and externally, and the protection from outside intrusion via internet
    and physical theft.
  6. Destruction Policy
    i. The destruction of records in relation to Marino Counselling will take
    place as part of a managed and documented process. Marino Counselling
    does not take responsibility for documents held by Therapists working at
    Marino Counselling and leaves the destruction of client documents up to
    the individual Therapists.
    ii. A clearly defined procedure for reviewing and selecting records for
    disposal will be followed and must ensure:
    ✔ All records held are retained in accordance with the Data protection
    guidelines.
    ✔ Records are disposed of in line with the level of detail contained in them.
    ✔ Data remaining is organised and labelled to maintain the integrity
    of the filing system.
  7. Training and Awareness
    i. All employees of Marino Counselling will be made aware of the impact of
    the Data Retention policy on their day-to-day interaction with service user
    information.
    ii. All Therapists linked to Marino Counselling will be made aware that the
    GDPR policies apply to them as individual practitioners and that they are
    asked to act in line with these.

  8. Data Security Breach
    i. A data security breach occurs when there is unauthorised access to,
    collection, use, disclosure or disposal of personal information.
    ii. This type of breach can occur for several reasons including:
    o Loss or theft of data or equipment on which data is stored;
    o Inappropriate access controls allowing unauthorised use;
    o Equipment failure;
    o Human Error;
    o Unforeseen circumstances such as a flood or fire;
    o A hacking attack;
    o Access where information is obtained by deceiving the
    organisation that holds it.

    iii. A record is defined under the Freedom of Information Acts 1997 and
    2003 as “any memorandum, book, plan, map, drawing, diagram, pictorial
    or graphic work or other document, any photograph, film or recording
    (whether of sound or images or both), any form in which data (within the
    meaning of the Data Protection Act, 1988 and 2003) are held, any other
    form (including machine-readable form) or device in which information
    is held or stored manually, mechanically or electronically and anything
    that is a part or a copy, in any form of any of the foregoing or is a
    combination of two or more of the foregoing” (Freedom of Information
    Act, 1997, 2003).
    a) Data Security Breach Guidelines
    i. As a data controller, Marino Counselling processes personal data and
    appropriate measures must be taken against the unauthorised or
    unlawful processing and accidental loss, destruction of or damage to
    personal data. It is, therefore, essential that in the event of a data security
    breach, appropriate action is taken by Marino Counselling to minimise
    any associated risks as soon as possible.
    ii. The purpose of these guidelines is to set out the processes that represent
    best practice in the event of a data security breach involving personal
    data or sensitive personal data. These guidelines are a supplement to
    Marino Counselling’s Data Protection Policy which affirms its
    commitment to protect the privacy rights of individuals in accordance
    with Data Protection legislation.
    b) Responding to a Potential Data Security Breach
    i. In line with best practice, these guidelines outline five stages to managing a
    response to a breach:
    Stage 1: Identification and Classification
    i. If a data security breach has occurred, this must be reported
    immediately to the staff member responsible for data protection
    (currently Alan Oates – Director) and to the second Director, Alan
    Oates.
    Stage 2: Containment and Recovery
    i. The aim of the Marino Counselling staff member is to limit the scope and
    impact of the data security breach. If a breach has occurred, appropriate
    action will be taken by the relevant Marino Counselling staff to minimise
    any associated risks which may include:
    ✔ Establishing who within Marino Counselling needs to be made
    aware of the breach and ensuring relevant staff/Directors are
    informed what is required to assist in the containment exercise;
    ✔ Establishing whether there are any actions which may recover
    losses and limit the damage the breach can cause;
    ✔ Where appropriate, informing the Gardaí.
    Stage 3: Risk Assessment
    i. In assessing the risk arising from a data security breach, the relevant
    Marino Counselling staff are required to consider the potential
    adverse consequences for individuals, i.e. how likely are adverse
    consequences to materialise and, if so, how serious or substantial are
    they likely to be. The information provided by the individual
    reporting the breach can assist with this stage.
    Stage 4: Notification of Breaches
    i. In accordance with the Office of the Data Protection Commissioner’s
    (ODPC) “Personal Data Security Code of Practice“, all incidents in which
    personal data has been put at risk must be reported to the ODPC within 2
    days of Marino Counselling becoming aware of the incident, however,
    incidents do not have to be reported to the ODPC when:
    ✔ the full extent and consequences of the incident have been
    reported without delay directly to the affected data
    subject(s) and
    ✔ it affects no more than 100 data subjects and
    ✔ it does not include sensitive personal data or personal data of a financial
    nature.
    Stage 5: Evaluation and Response
    i. Subsequent to a data security breach, a review of the incident by the staff
    member responsible for data protection and Management will occur to
    ensure that the steps taken during the incident were appropriate and to
    identify areas that may need to be improved.
    Appendix 1:
    Potential Data Security Breach Report
    (Taken from IACP)
    Please complete the following questions in order to ascertain if a data security breach has
    occurred and return the completed form to the staff member responsible for data protection.

What type of data is involved? _________________________________________________________
Does it fall under the definitions of personal data and/or sensitive personal data outlined above? ________________________________________________________________________________
If so, the following information must be provided:
Details of the breach ___________________________________________________________________
Date and time incident occurred (if known) _____________________________________________
Date and time incident detected _______________________________________________________
Name of person reporting incident _____________________________________________________
Details on how the data was held, e.g. laptop, memory stick, personal digital assistant etc. ___________________________________________
Details of safeguards (e.g. encryption), if any, that would mitigate the risk if data has been lost or stolen ___________________________________________________________________________
Are there any reasons to suspect that the passwords used to protect the data may have been compromised? (e.g. password stored with mobile device or weak password used) _________________________________________________
Details of the number of individuals whose information is at risk, i.e. how many individuals’ personal data are affected by the breach? _______________________________________________
Who are the individuals whose data has been breached – are they staff, students, suppliers, third parties etc? ________________________________________________________________________
What could the data tell a third party about the individual? ______________________________________________________________________________
Any other information ___________________________________________________________________

Appendix 2: Personal Data Request Form
Alan Oates
21 Fairview
Clontarf, Dublin 3, D03 K4H0


Dear Sir/Madam,
I wish to make an access request under the Data Protection Acts 1988 and 2003 for a
copy of any information you keep about me, on computer or in manual form. I am making
this request under section 4 of the Data Protection Acts.
Regards,
Signed: ______________________________________________
Full Name: ___________________________________________
Date: _______________________________________________
Name (please print): ___________________________________________
Address: _____________________________________________________



Date when (if ever) you last made a request of this nature to Marino Counselling:


Please Note:

  1. Requests should be made in writing and signed by the applicant in person.
  2. Within the terms of the Data Protection Act 1988/2003, Marino Counselling will
    respond to your request for personal data within 40 days.
  3. Please donate something to charity.
  4. In order for us to protect the security of personal data, it is necessary for you to provide
    proof of your identity. Please contact Marino Counselling to receive a list of
    acceptable documents.

Requests should be submitted to: Alan Oates, 21 Fairview Clontarf, Dublin 3, D03 K4H0

Appendix 3: Glossary of Terms
As with any legislation, certain terms have particular meaning. The following are
some useful definitions:
Data means information in a form which can be processed. It includes both automated
data and manual data.
Automated data means, broadly speaking, any information on computer, or information
recorded with the intention of putting it on computer.
Manual data means information that is kept as part of a relevant filing system, or with the
intention that it should form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is
structured by reference to individuals, or by reference to criteria relating to individuals, so
that specific information is accessible.
Personal data means data relating to a living individual who is or can be identified either
from the data or from the data in conjunction with other information that is in, or is likely to
come into, the possession of the data controller. This can be a very wide definition depending
on the circumstances.
Processing means performing any operation or set of operations on data, including obtaining,
recording or keeping data; collecting, organising, storing, altering or adapting the data;
retrieving, consulting or using the data; disclosing the information or data by transmitting,
disseminating or otherwise making it available; and aligning, combining, blocking, erasing or
destroying the data.
Data Subject is an individual who is the subject of personal data.
Data Controller is a body that, either alone or with others, controls the contents and use of
personal data. It can be a legal entity such as a company, Government Department or voluntary
organisation, or an individual such as a G.P., pharmacist or sole trader.
Data processor is a person who processes personal data on behalf of a data controller, but
does not include an employee of a data controller who processes such data in the course of
his/her employment. Again, individuals such as G.P.s, pharmacists or sole traders are
considered to be legal entities.
Sensitive personal data relates to specific categories of data which are defined as data
relating to a person’s racial origin; political opinions or religious or other beliefs; physical or
mental health; sexual life; criminal convictions or the alleged commission of an offence; trade
union membership. You have additional rights in relation to the processing of any such data.