GDPR Compliance   


What information is gathered by KBG Counselling services and how is it used and stored?


KBG counselling services (The Business) will request personal information from a client on a ‘personal information form’ which will request such information as name, age, address, GP name and contact information and also details of the clients next of kin this information will be used in case of emergencies during our time together and to help the client to receive further support under safeguarding procedures if necessary. A client will have the right to not provide any of this information if they do not wish to. Any personal information will be used only with the consent of the client the information form will be kept in a separate file from the client notes during the therapeutic relationship. It will then be shredded upon completion of our sessions.


KGB counselling services is obliged to keep written notes about each counselling session as set out by the BACP (British Association of Counselling and Psychotherapists) these note will be given a unique code in order for me to identify the relevant client these codes are only known by myself and will not identify the client. The notes will be kept separate from the personal information obtained. Counselling notes will be kept in a secured locked filing cabinet, the key to which is locked in a tin which is locked in a box which is locked in a cupboard the key to which is on my possession at all times this cupboard is in my locked office so this information cannot be obtained easily. (My office is shared by another counsellor who works on different days but they have no access to my filing cabinet and notes or keys). The notes will be kept for a period of 7 years from the end of therapy (or 7 years after the 18th birthday for a young person) as per BACP Guidelines. After these 7 years these notes will be shredded. – All notes written will be about the session and what the client discussed and any interventions I made. The information will be factual and concise no oppinions will be expressed and not identify the clents.


The only documents that are on a computer will be the general contracts and blank personal information forms these will then be printed off the computer as needed for each client. No notes will be stored on my computer. Email addresses will be used if the client first contacts me by email and expresses this is their preferred contact method. Once email communication ceases. Email addresses will be deleted from the email memory. They will never be saved or stored.


I have a separate works telephone on this the client’s number will be stored only for the length of our therapeutic relationship the clients telephone number will be stored under initials only so as not to identify the client. Contact will only be made via phone call/text if permission has be expressed by the client as ok to be contacted and only regarding problems with the sessions i.e if it needs to be cancelled or I am running late (and the reverse from the clients). No other telephone contact will be made outside of session times. Once our time together has ended the telephone number will be immediately deleted from the phone memory.


Hand written receipts will be given to each client for payment of session this will be in a duplicate receipt book. I use this as proof of clients for HMRC tax purposes. The receipt will cotain date and client first name only (and cost of session) no other information will be stored in these books. This receipt book will (Once completed) be kept for the requisite 7 years and stored securely in my locked tin in my locked cupboard. EAP Invoice receipts will also be kept for HMRC tax purposes but kept away from client notes so no matching up of clients can be obtained they will also be given their own reference numbers – different to my own.


As part of BACP guidelines to keep myself and my clients safe I attend regular supervisions where I speak to another counsellor about my client work. I may make brief notes about the clients in order to refresh myself however the client’s details will not be shared with the supervisor (initials or first names may be used for clarity during discussion). My supervisor will be making their own notes of what I discussed the supervisor will like myself have to follow GDPR rules with regard to the keeping of notes. My brief notes will be shredded immediately on returning home/to the office after the supervision so no one else can see what was discussed.


                                                 Data Protection Policy

The Policy

KBG Counselling Service (The Business) is committed to complying with data protection law and to respecting the privacy, rights of individuals. The policy applies to all counselling clients. 

This Data Protection Policy (“Policy ”) sets out the approach to data protection law and the principles that KBG Counselling will apply to their processing of personal data. The aim of this Policy is to ensure that they process personal data in accordance with the law and with the utmost care and respect.


Who is responsible for data protection?

As a sole trader Ken Barker-Graham Director of KBG Counselling Services is responsible for data protection, and to make sure that KBG Counselling Services is compliant with data protection laws.

I am not required to appoint a Data Protection Officer (DPO).


Why have a data protection policy?

KBG Counselling Services recognises that processing of individuals’ personal data in a careful and respectful manner as set out by the BACP and follows their instructions cultivating trusting relationships with individuals and trust in the business. KBG Counselling Services believes that such relationships will enable the business to work more effectively with and to provide a better service to those individuals.


Other consequences

There are a number of serious consequences if KBG Counselling Services does not comply with Data Protection Laws. These include:


  • Criminal sanctions: Serious breaches could potentially result in criminal liability. Non-compliance could involve a criminal offence
  • Investigations and interviews: My actions could be investigated and I could be interviewed in relation to any non-compliance.
  • Civil Fines: These can be up to 4% of turnover.
  • Assessments, investigations and enforcement action: KBG Counselling Services could be assessed or investigated by, and obliged to provide information to, the Information Commissioner on its processes and procedures and/or subject to the Information Commissioner’s powers of entry, inspection and seizure causing disruption and embarrassment.
  • Court orders: These may require the business to implement measures or take steps in relation to, or cease or refrain from, processing personal data.
  • Claims for compensation: Individuals may make claims for damage they have suffered as a result of our non-compliance.
  • Bad publicity: Assessments, investigations and enforcement action by, and complaints to, the Information Commissioner quickly become public knowledge and might damage the business. Court proceedings are public knowledge.
  • Loss of business: Prospective customers, suppliers and EAP contractors might not want to deal with the business if it is viewed as careless with personal data and disregarding legal obligations.
  • Use of time and resources: Dealing with assessments, investigations,

enforcement action, complaints, claims, etc takes time and effort and can involve considerable cost.


Data protection laws

The Data Protection Act 1998 (“ DPA ”) applies to any personal data that KBG Counselling Services processes, and from 25th  May 2018 was replaced by the General Data Protection Regulation ( GDPR ) and the Data Protection Act 2018 (“ DPA 2018 ”) (together “ Data Protection Laws ”) and then after Brexit the UK will adopt laws equivalent to these Data Protection Laws.

This Policy is written as though GDPR and the DPA 2018 are both in force, i.e. it states the position as of 25th May 2018 and should be used alongside the privacy policy of KBG Counselling Services.


The Data Protection Laws require that the personal data is processed in accordance with the Data Protection Principles and gives individuals rights to access, correct and control how I use their personal data.

Key words in relation to data protection

  • Personal data is data that relates to a living individual who can be identified from that data (or from that data and other information in or likely to come into the business possession). That living individual might be a client, prospective client, supplier, EAP contractor, and that personal data might be written, oral or visual (e.g. CCTV).
  • Identifiable means that the individual can be distinguished from a group of individuals (although the name of that individual need not be ascertainable). The data might identify an individual on its own (e.g. if a name or video footage) or might do if taken together with other information available to or obtainable us (e.g. a place of work).
  • Data subject is the living individual to whom the relevant personal data relates.
  • Processing is widely defined under data protection law and generally any action taken by KBG Counselling Services in respect of personal data will fall under the definition, including for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including CCTV images.
  • Data controller is the person who decides how personal data is used, for example how I will be a data controller in respect of personal data relating to my clients.


Personal data

Data will relate to an individual and therefore be their personal data if it:

  • identifies the individual. For instance, names, addresses, telephone numbers and email addresses;
  • its content is about the individual personally. For instance, medical records, credit history, are cording of their actions, or contact details;
  • relates to property of the individual, for example their home, their car or other possessions;
  • it could be processed to learn, record or decide something about the individual (or this is a consequence of processing). For instance, if you are able to link the data to the individual to tell you something about them, this will relate to the individual (e.g. salary details for a post where there is only one named individual in that post, or a telephone bill for the occupier of a property where there is only one occupant);
  • has the individual as its focus, that is the information relates to the individual personally rather than to some other person or a transaction or event he was involved in. For instance, in the counselling notes if use of the persons names or other identifiers are present.
  • is an expression of opinion about the individual; (Counselling notes therefore should be factual about the session only) or
  • is an indication of my (or any other person’s) intentions towards the individual (e.g. how a complaint by that individual will be dealt with).
  • Information about companies or other legal persons who are not living individuals is not personal data. However, information about directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.

Examples of information likely to constitute personal data:

  • Unique names;
  • Names together with email addresses or other contact details;
  • Job title and employer (if there is only one person in the position);
  • Video - and photographic images;
  • Information about individuals obtained as a result of Safeguarding checks;
  • Medical and disability information;
  • CCTV images;
  • Member profile information (e.g. marketing preferences); and
  • Financial information and accounts (e.g. information about expenses and benefits entitlements,

income and expenditure).

Lawful basis for processing

  • For personal data to be processed lawfully, it must be processed it on one of the legal grounds set out in the Data Protection Laws.
  • For the processing of ordinary personal data in the business these may include, among other things:

o the data subject has given their consent to the processing (perhaps on their personal information form)

o the processing is necessary for the performance of a contract with the data subject (for

example, for the counselling relationship in case I need to contact another party due to disclosure from the individual );

o the processing is necessary for compliance with a legal obligation to which the data controller is subject (such as reporting safeguarding issues):


Special category data

Special category data under the Data Protection Laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data. Under Data Protection Laws this type of information is known as special category data

and criminal records history becomes its own special category which is treated for some parts the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term. To lawfully process special categories of personal data we must also ensure that either the individual has given their explicit consent to the processing or that another of the following conditions has been met:

  • the processing is necessary for the performance of our obligations under employment law;
  • the processing is necessary to protect the vital interests of the data subject. The ICO has

previously indicated that this condition is unlikely to be met other than in a life or death or other extreme situation;

  • the processing relates to information manifestly made public by the data subject;
  • the processing is necessary for the purpose of establishing, exercising or defending legal claims; or
  • To lawfully process personal data relating to criminal records and history there are even more limited reasons, and we must either:
  • ensure that either the individual has given their explicit consent to the processing; or
  • ensure that my processing of those criminal records history is necessary under a legal

requirement imposed upon me.

We would normally only expect to process special category personal data or criminal records history data usually in a Human Resources context

When do I process personal data?

Virtually anything I do with personal data is processing including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just

storage of personal data is a form of processing. I might process personal data using computers or manually by keeping paper records. Examples of processing personal data might include:

  • Using personal data to correspond with client’s family and GPs in case of emergency;



The main themes of the Data Protection Laws are:

  • good practices for handling personal data;
  • rights for individuals in respect of personal data that data controllers hold on them; and
  • being able to demonstrate compliance with these laws.

In summary, data protection law requires each data controller to:

  • only process personal data for certain purposes;
  • process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner);
  • respect the rights of those individuals about whom we process personal data (including providing them with access to the personal data we hold on them); and
  • keep adequate records of how data is processed and, where necessary, notify the ICO and possibly data subjects where there has been a data breach.



Information Commissioner’s Office (“ICO”). The ICO has extensive powers.

Data protection principles

The Data Protection Laws set out 6 principles for maintaining and protecting personal data, which

form the basis of the legislation. All personal data must be:

  • processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met;
  • collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”);
  • adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”);
  • accurate and where necessary kept up to date;
  • kept for no longer than is necessary for the purpose (“storage limitation”);
  • processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).

Data subject rights

Under Data Protection Laws individuals have certain rights (Rights) in relation to their own personal data. In summary these are:

  • The rights to access their personal data, usually referred to as a subject access request
  • The right to have their personal data rectified;
  • The right to have their personal data erased, usually referred to as the right to be forgotten;
  • The right to restrict processing of their personal data;
  • The right to object to receiving direct marketing materials;
  • The right to portability of their personal data;
  • The right to object to processing of their personal data; and
  • The right to not be subject to a decision made solely by automated data processing.

The exercise of these Rights may be made in writing, including email, and also verbally and should be responded to in writing by KBG Counselling Services without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. I must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request by electronic form means, any information is to be provided by electronic means where possible, unless otherwise requested by the individual. If we receive the request from a third party (e.g. a legal advisor), we must take steps to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.

There are very specific exemptions or partial exemptions for some of these Rights and not all of them are absolute rights. However the right to not receive marketing material is an absolute right, so this should be complied with immediately.

Where an individual considers that KBG Counselling Services has not complied with their request e.g. exceeded the time period, they can seek a court order and compensation. If the court agrees with the individual, it will issue a Court Order, to make us comply. The Court can also award compensation. They can also complain to the regulator for privacy legislation, which in our case will usually be the ICO.

In addition to the rights discussed in this document, any person may ask the ICO to assess whether it is likely that any processing of personal data has or is being carried out in compliance with the privacy legislation. The ICO must investigate and may serve an “Information Notice” on the business. The result of the investigation may lead to an “Enforcement Notice” being issued by the ICO. Any such assessments, information notices or enforcement notices should be sent directly to the business address from the ICO.


Notification and response procedure


  • I will coordinate the response [which may include written material provided by

external legal advisors. The action taken will depend upon the nature of the request. I will write to the individual and explain the legal situation and whether I will comply with

the request. A standard letter/email from my business email account should suffice in most cases.

I will coordinate any additional activity required to meet the request. Ensuring that

the relevant response is made within the time period required.

KBG Counselling Services main obligations

What this all means for can be summarised as follows:

  • Treat all personal data with respect;
  • Treat all personal data how I would want my own personal data to be treated;
  • Take care with all personal data and items containing personal data I handle or come across so that it stays secure and is only available to or accessed by myself; and
  • Immediately the IOC if I become aware of or suspect the loss of any

personal data or any item containing personal data.


Practical matters

Whilst I should always apply a common sense approach to how I use and safeguard personal

data, and treat personal data with care and respect, set out below are some examples of dos and don’ts:

  • I will not take personal data out of the business premises (unless absolutely necessary).
  • Never leave any items containing personal data unattended in a public place, e.g. on a train, in a café, etc and this would include paper files, mobile phone, laptops, tablets, memory sticks etc
  • I will never leave any items containing personal data in unsecure locations, e.g. in car on your drive overnight and this would include paper files, mobile phone, laptops, tablets, memory sticks etc.
  • I will encrypt laptops, mobile devices and removable storage devices containing personal data
  • I will lock laptops, files, mobile devices and removable storage devices containing personal data away and out of sight when not in use.
  • I use passwords to protect documents and databases containing personal data.
  • I will never use removable storage media to store personal data unless the personal data on the media is encrypted.
  • I will shred confidential information in a business cross shredder for any papers containing personal data, once shredded this will be placed them in a bin liner before placing them in the ordinary waste disposal.
  • I will dispose of any materials containing personal data securely, whether the materials are paper based or electronic.
  • I will ensure that my computer screen faces away from prying eyes if I am processing personal data, and only process this information in my own office.
  • When storing numbers on my business phone this will be initials only to preserve confidentiality and only be used for contact about our sessions times or cancellations etc. I will obtain from the client permission about how to contact them and whether it is ok to leave a message. Once our time together has ended numbers will be deleted from my business phone.
  • I will never act on instructions from someone unless I am absolutely sure of their identity and if I am unsure then I will take steps to determine their identity. This is particularly so where the instructions relate to information which may be sensitive or damaging if it got into the hands of a third party or where the instructions involve money, valuable goods or items or cannot easily be reversed.


If you have any queries or concerns about the date usage please write to KBG Counselling services at the registered business address.