General Data Protection Regulation (GDPR)
This page contains important information about the collection, handling, and storage of personal data.
There is an outline of Metanoia Institute’s obligations under the UK General Data Protection Regulation, as well as data protection guidelines for practitioners keeping client records.
Data Protection at Metanoia
The UK General Data Protection Regulation (UK GDPR) 2021, building on the GDPR 2018, protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element of this is the principle that individuals’ data must be processed lawfully, fairly and in a transparent manner. To meet the fairness and transparency requirements of the legislation, we need to provide information on how we process personal data.
Metanoia Institute takes its obligations under the UK GDPR very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner. The Institute is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
The Institute’s Privacy Notice outlines what personal data we collect, how we use it and with whom we share it. It also provides guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office, the regulator for data protection in the UK.
The Institute’s official contact details are:
Data Protection Officer
Metanoia Institute
13 North Common Road
Ealing
London
W5 2QB
Tel: +44 (0)20 8579 2505
Email: dataprotection@metanoia.ac.uk
Our privacy and cookies policy can be found at the bottom of this page in the downloads section.
How to make a Subject Access Request
The UK GDPR gives you the right to know what information the Institute holds about you.
If you want to know whether we hold any personal information about you, please note the following:
- requests for subject access should be made in writing
- you will need to supply proof of your identity e.g. a copy of the identification pages of your current passport or of a current photo driving licence
The request may be received directly from you or another individual on your behalf; in the latter case, they must provide the following:
- signed written permission from you
- a copy of the identification pages of your current passport, current photo UK driving licence or Institute ID card, and
- a copy of the identification pages of their current passport, current photo UK driving licence or Institute ID card
To request access to the personal data we hold about you, please complete a Subject Access Request form here
The Institute will contact you to verify identity and, where appropriate, written consent.
Further details on how the Institute processes personal data can be found in the following documents
Data Protection for Practitioners
The Data Protection Act 1998 was implemented to give individuals a right of access to ‘personal data’. This personal data relates to any information held by a company or a professional that is needed in order to perform their business activities. Much of the information that counsellors and psychotherapists collect would be classified in this way, and, in addition, as ‘sensitive information’. As such, care needs to be taken to ensure that this information is handled and stored carefully. The Data Protection Act has served as a benchmark for this.
In May 2018, the Act was superseded by the General Data Protection Regulation (GDPR), which maintains some of the Act’s core principles while introducing some significant changes. These changes have an impact on counsellors and psychotherapists, including trainees who are in private practice. As under the DPA, the GDPR requires that if you keep any client records other than paper records, such as tape recordings, computer records, or data on smart-phones, you will need to register with the overseeing body: the Information Commissioner’s Office (ICO). If you only keep paper records, you are not legally required to register with the ICO, although it makes sense to do so. You can register at https://ico.org.uk for an annual fee of £40.
The GDPR consists of eight key principles that must be adhered to. The ones most relevant to counsellors and practitioners are:
- That information must be processed fairly and lawfully. This means that all personal data must be stored with the consent of the client. There is a duty to be transparent with the client about why you are collecting it and what will happen to it. Most practitioners cover this in the signed contract they agree with a client.
- That information must be kept securely. Most practitioners are already aware of the need to keep client notes in a locked filing cabinet and to keep them separately from identifying data. The GDPR also requires practitioners who use devices such as smart phones, recording devices or computers, to ensure that they use strong passwords, encryption and up-to-date virus protection. If there is a breach in your security (for example, you lose your recording device), you have a duty to report it within 72 hours of the breach occurring.
- That information must not be held for longer than is necessary. There is currently no consensus within the profession as to how long this should be, but a timescale of seven years is usually suggested, as this just exceeds the time limit for bringing actions against breach of contract, and many private insurance policies stipulate this time frame.
- That information must be processed in accordance with the individual’s rights. This means that clients have a right to be informed that you keep notes about them, a right to view that information if they request to do so, and a right to demand that you correct, block, erase or destroy information about them. (Please see the section on taking and storing client notes and recordings below.) For more information, see the ICO’s website.